Updated Managing Access and Consumer group guides as per agreed style discussions (#563)
* Updated Managing Access and Consumer group guides as per agreed style discussions.
* Completed style updates to Access and Consumer guides.
* Implemented reviewer's feedback.
As an owner of a Kafka instance in {product-kafka}, you can manage the level of access that other user accounts and service accounts have to your instance. You can allow or deny access to your instance for specific accounts or for all accounts in your organization. You can also allow other users or service accounts to manage the level of access to your instance for you.
86
+
As an owner of a Kafka instance in {product-long-kafka}, you can manage the level of access that other user accounts and service accounts have to your instance. You can allow or deny access to your instance for specific accounts or for all accounts in your organization. You can also allow other users or service accounts to manage the level of access to your instance for you.
87
87
88
88
You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.
89
89
@@ -93,7 +93,7 @@ You can manage access for only the Kafka instances that you create or for instan
93
93
== Access management in {product-kafka}
94
94
95
95
[role="_abstract"]
96
-
{product-kafka} uses Access Control Lists (ACLs) provided by Kafka that enable you to manage how other user accounts and service accounts are permitted to access the Kafka resources that you create. You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.
96
+
{product-long-kafka} uses Access Control Lists (ACLs) provided by Apache Kafka that enable you to manage how other user accounts and service accounts are permitted to access the Kafka resources that you create. You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.
97
97
98
98
An account in {product-kafka} is either a user account or a service account. A user account enables users in your organization to access your resources. A service account enables your application or tool to connect securely to your instance and access your resources.
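Review bot: The second sentence of the abstract at line 96 ("You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.") repeats line 88 word for word, a few lines above it. Keep it in one place, or shorten the copy in the abstract, so the reader does not meet the same sentence twice on one screen.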
== Setting account permissions in a Kafka instance in {product-kafka}
233
233
234
234
[role="_abstract"]
235
-
In {product-kafka}, you can create Access Control Lists (ACLs) in your Kafka instances and set permissions for how other user accounts or service accounts can interact with an instance and its resources. You can manage access for only the Kafka instances that you create or for the instances that the owner has enabled you to access and alter.
235
+
In {product-long-kafka}, you can create Access Control Lists (ACLs) in your Kafka instances and set permissions for how other user accounts or service accounts can interact with an instance and its resources. You can manage access for only the Kafka instances that you create or for the instances that the owner has enabled you to access and alter.
236
236
237
237
.Prerequisites
238
-
* You've created a Kafka instance and the instance is in *Ready* state.
238
+
* You've created a Kafka instance and the instance is in the *Ready* state.
239
239
* The user account or service account that you're setting permissions for has been created in the organization.
240
240
241
241
.Procedure
242
-
. In the {product-kafka} web console, go to *Streams for Apache Kafka* > *Kafka Instances* and click the name of the Kafka instance that you want to set permissions for.
242
+
. On the {service-url-kafka}[Kafka Instances^] page of the {product-kafka} web console, click the name of the Kafka instance that you want to set permissions for.
243
243
. Click the *Access* tab to view the current ACL permissions for this instance.
244
244
. Use this *Access* page to set permissions for a new account, add permissions to an existing account, or delete account permissions in this instance.
245
245
+
246
246
* To set permissions for a new account in this instance, follow these steps:
247
247
248
248
.. Click *Manage access*.
249
-
.. In the *Account* drop-down menu, select the new user account or service account that you want to set permissions for. You can also select *All accounts* to set permissions for all user accounts and service accounts in the organization.
249
+
.. In the *Account* list, select the new user account or service account that you want to set permissions for. You can also select *All accounts* to set permissions for all user accounts and service accounts in the organization.
250
250
+
251
-
If you don't see users in the drop-down list, ask your organization administrator to grant access to view other user accounts. For more information, see {base-url}{access-mgmt-url-kafka}#proc-user-account-access_managing-access[Allowing users to view other user accounts].
251
+
If you don't see users in the *Account* list, ask your organization administrator to grant access to view other user accounts. For more information, see {base-url}{access-mgmt-url-kafka}#proc-user-account-access_managing-access[Allowing users to view other user accounts].
252
252
.. Click *Next*.
253
253
+
254
254
--
255
255
The *Review existing permissions* section lists any permission settings in this instance that are already defined for all accounts in the organization and for the same account that you previously selected, if applicable. You can delete existing permissions now if needed, or you can wait to delete existing permissions later from the main *Access* page.
256
256
257
257
If you previously selected a specific account, you can delete only permission entries that apply to individual accounts. If you previously selected *All accounts*, you can delete only permission entries that apply to all accounts.
258
258
--
259
-
.. Under *Assign Permissions*, use the drop-down menu to select and define the permissions for the specified account or all accounts for a resource type, such as a topic.
259
+
.. Under *Assign Permissions*, use the list to select and define the permissions for the specified account or all accounts for a resource type, such as a topic.
260
260
+
261
261
--
262
262
The following permission options are available:
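Review bot: At line 249 the *All accounts* option is offered with no indication of its scope in practice: it applies the permission to every user account and service account in the organization. Add a short sentence there telling the reader to select a specific account unless organization-wide access is intended. Separately, line 242 now relies only on the `{service-url-kafka}` link; the removed text also gave the in-console path (*Streams for Apache Kafka* > *Kafka Instances*), which helps a reader who is already in the console.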
@@ -314,7 +314,7 @@ The *Review existing permissions* section lists any permission settings in this
314
314
315
315
If you selected a permission entry that applies to a specific account, you can delete only permission entries that apply to individual accounts. If you selected a permission entry that applies to all accounts, you can delete only permission entries that apply to all accounts.
316
316
--
317
-
.. Under *Assign Permissions*, use the drop-down menu to select and define the permissions for the specified account or all accounts for a resource type, such as a topic. You can click *Add permission* to add permissions individually, or you can select from the predefined permission options as described previously.
317
+
.. Under *Assign Permissions*, use the list to select and define the permissions for the specified account or all accounts for a resource type, such as a topic. You can click *Add permission* to add permissions individually, or you can select from the predefined permission options as described previously.
318
318
.. Click *Save* to finish.
319
319
320
320
* To delete existing account permissions in this instance, use the following options:
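Review bot: "use the list" at line 317 (and the same wording at line 259 in the previous hunk) no longer identifies a UI element once "drop-down menu" is removed. The earlier step names its control (the *Account* list), so name this one the same way, or say which list under *Assign Permissions* is meant.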
@@ -323,7 +323,7 @@ If you selected a permission entry that applies to a specific account, you can d
323
323
** For the account that you want to delete, select the options icon (three vertical dots) for that entry and click *Delete*.
324
324
325
325
+
326
-
IMPORTANT: If you delete a user account or service account, you should also delete any ACL permissions associated with that account. If you don't delete unused ACL permissions, then a future account with the same ID of a previously deleted account could inherit the ACL permissions and have automatic access to a Kafka instance.
326
+
IMPORTANT: If you delete a user account or service account, you must also delete any ACL permissions associated with that account. If you don't delete unused ACL permissions, then a future account with the same ID of a previously deleted account could inherit the ACL permissions and have automatic access to a Kafka instance.
327
327
328
328
329
329
[role="_additional-resources"]
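Review bot: In the IMPORTANT admonition at line 326, "with the same ID of a previously deleted account" should read "with the same ID as a previously deleted account". Now that the wording is "must", also point to the delete step at line 323 from the admonition, so the requirement is stated together with the way to meet it.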
@@ -334,12 +334,12 @@ IMPORTANT: If you delete a user account or service account, you should also dele
334
334
== Example account access scenarios in {product-kafka}
335
335
336
336
[role="_abstract"]
337
-
The following example Access Control Lists (ACLs) illustrate common scenarios for managing the level of access for user accounts or service accounts in {product-kafka}. Some examples differ from the predefined permissions in {product-kafka} to demonstrate various possible ACL scenarios. Use these examples as a guide for your own ACLs.
337
+
The following example Access Control Lists (ACLs) illustrate common scenarios for managing the level of access for user accounts or service accounts in {product-long-kafka}. Some examples differ from the predefined permissions in {product-kafka} to demonstrate various possible ACL scenarios. Use these examples as a guide for your own ACLs.
338
338
339
339
Access for a new service account in a Kafka instance::
340
340
+
341
341
--
342
-
I’ve created a new service account and I want to allow it to create and delete topics in the instance, to produce and consume messages in any topic in the instance, and to use any consumer group and any producer.
342
+
You’ve created a new service account and you want to allow it to create and delete topics in the instance, to produce and consume messages in any topic in the instance, and to use any consumer group and any producer.
343
343
344
344
.Example ACL permissions
345
345
[cols="25%,22%,23%,15%,15%"]
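Review bot: Line 342 keeps the typographic apostrophe from the old text ("You’ve"), while the other changed lines in this commit use the straight form ("You've" at line 482, "don't" at line 398). Use the straight apostrophe here so the source stays consistent.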
@@ -367,7 +367,7 @@ h|Operation
367
367
Access for all accounts in a Kafka instance::
368
368
+
369
369
--
370
-
I want this Kafka instance to be fully accessible to all accounts in the organization. I want any user to be able to read all topics, write to all topics, use any consumer group, and use any producer.
370
+
You want this Kafka instance to be fully accessible to all accounts in the organization. You want any user to be able to read all topics, write to all topics, use any consumer group, and use any producer.
371
371
372
372
.Example ACL permissions
373
373
[cols="25%,22%,23%,15%,15%"]
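Review bot: Line 370 says "any user" in its second sentence, but the scenario is about all accounts, which line 249 defines as user accounts and service accounts. Change it to "any account" so the text matches the scope of the ACL entry. Since this example opens every topic, consumer group, and producer to the whole organization, a sentence stating that scope explicitly would help readers who copy the table.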
@@ -395,7 +395,7 @@ h|Operations
395
395
Access for a specific user in a Kafka instance::
396
396
+
397
397
--
398
-
I want this Kafka instance to be fully accessible to a specific user. I don't know which topics or consumer groups the user will use, so I want the user to be able to read any topic, write to any topic, and join any consumer group in the instance.
398
+
You want this Kafka instance to be fully accessible to a specific user. You don't know which topics or consumer groups the user will use, so you want the user to be able to read any topic, write to any topic, and join any consumer group in the instance.
399
399
400
400
.Example ACL permissions
401
401
[cols="25%,22%,23%,15%,15%"]
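Review bot: Line 398 calls the instance "fully accessible" to the user but then lists only reading topics, writing to topics, and joining consumer groups; the service account example at line 342 also includes creating and deleting topics. If the table below grants only the listed operations, replace "fully accessible" with a description of what is actually granted.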
@@ -423,7 +423,7 @@ h|Operations
423
423
Access for a specific producer to write to a topic::
424
424
+
425
425
--
426
-
I want to allow a user account with a producer that is associated with a specific `transactional.id` value to produce messages to a specific topic in this Kafka instance.
426
+
You want to allow a user account with a producer that is associated with a specific `transactional.id` value to produce messages to a specific topic in this Kafka instance.
427
427
428
428
.Example ACL permissions
429
429
[cols="25%,22%,23%,15%,15%"]
@@ -451,7 +451,7 @@ h|Operations
451
451
Access for specific consumer groups to consume from a topic::
452
452
+
453
453
--
454
-
I want to allow a service account with consumers from consumer groups whose names start with `app` to consume messages from a specific topic in this Kafka instance.
454
+
You want to allow a service account with consumers from consumer groups whose names start with `app` to consume messages from a specific topic in this Kafka instance.
455
455
456
456
.Example ACL permissions
457
457
[cols="25%,22%,23%,15%,15%"]
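Review bot: Line 454 describes a prefix match on `app` without saying that it covers every consumer group whose name begins with those three characters, not only the groups of one application. Add a sentence recommending a prefix that is specific enough to the intended groups, or state that the short prefix is used here only for illustration.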
@@ -479,7 +479,7 @@ h|Operations
479
479
Access for a specific user to manage all permissions in the ACL of a Kafka instance::
480
480
+
481
481
--
482
-
I want to allow a user account to manage all permissions in the ACL for this Kafka instance. I've removed all other permissions from this instance so that the new authorized user can define the new ACL as needed.
482
+
You want to allow a user account to manage all permissions in the ACL for this Kafka instance. You've removed all other permissions from this instance so that the new authorized user can define the new ACL as needed.
483
483
484
484
.Example ACL permissions
485
485
[cols="25%,22%,23%,15%,15%"]
@@ -511,35 +511,35 @@ h|Operations
511
511
As an organization administrator, you can use Role-Based Access Control (RBAC) to allow users to view other users in an organization.
512
512
513
513
You set up access by assigning a predefined role called `User Access principal viewer` to a user group.
514
-
By assigning the role, users within the group are able to do the following:
514
+
By assigning the role, users within the group are able to perform the following actions:
515
515
516
-
* View and select other users when changing owners and managing access to Kafka instances in the web console
517
-
* Specify user names when using the `rhoas` CLI for {product-long-kafka}
516
+
* View and select other users when changing owners and managing access to Kafka instances in the {service-url-kafka}[Openshift Streams for Apache Kafka] web console.
517
+
* Specify user names when using the `rhoas` CLI for {product-long-kafka}.
518
518
519
519
.Prerequisites
520
-
* You're logged into the {org-name} web console as an organization administrator.
520
+
* You're logged into the {cloud-console-url}[Red Hat Hybrid Cloud Console] as an organization administrator.
521
521
* A user group contains the users to assign the role to.
522
522
523
523
NOTE: If you want to add the `User Access principal viewer` role to a single user, create a new group for that user only.
524
524
525
525
ifndef::community[]
526
-
For more information on setting up user access in the web console, see the link:https://access.redhat.com/documentation/en-us/red_hat_hybrid_cloud_console/[_User Access Configuration Guide for Role-based Access Control (RBAC)_^].
526
+
For more information on setting up user access in the Red Hat Hybrid Cloud Console, see the link:https://access.redhat.com/documentation/en-us/red_hat_hybrid_cloud_console/[User Access Configuration Guide for Role-based Access Control (RBAC)^].
527
527
endif::[]
528
528
529
529
.Procedure
530
530
531
531
. In the upper-right corner of the {product-kafka} web console, select the gear icon, and click *Settings* > *User Access* > *Groups*
532
532
. Click the name of the user group.
533
-
. From the *Roles* tab, click *Add role* and select `User Access principal viewer` to add the role to the group.
533
+
. From the *Roles* tab, click *Add role* and select `User Access principal viewer`.
534
534
. Click *Add to group* to add the role to the group.
535
535
+
536
536
The role is added to the list of selected roles on the *Roles* tab.
537
537
538
538
[role="_additional-resources"]
539
539
.Additional resources
540
-
* {base-url}{getting-started-url-kafka}[_Getting started with {product-long-kafka}_^]
541
-
* {base-url}{getting-started-rhoas-cli-url-kafka}[_Getting started with the `rhoas` CLI for {product-long-kafka}_^]
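Review bot: Line 516 hard-codes the product name as "Openshift Streams for Apache Kafka"; the capitalization should be "OpenShift", and the link text should use the `{product-long-kafka}` attribute as line 517 does. The prerequisite at line 520 now names the Red Hat Hybrid Cloud Console, but step 1 of the procedure at line 531 still says "{product-kafka} web console" and ends without a period; update that step so both refer to the same console.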