Access Control governance

Conversation from Confluent Community Slack. Copied here to make it available to all.

Hans Jacob Melby:
This might be the wrong channel, but I ask anyway. Can anyone give me some thoughts on governance regarding access control to a topic? Is there some way to get a report of who has access to a given topic, and maybe even more important, who granted that access? The context for the question is to use Kafka as part of a data mesh architecture, and governance is one of the main pillars in that subject…

Mitch Henderson:
Deep question. Things change a bit if you’re using Confluent Platform or OSS. CP has RBAC with a different way of listing out permissions, and has the OSS methods too.

OSS has ACLs that are applied either cluster- or topic-wide.

Mitch Henderson:
As for who did what, when, where and how for permissions… as with anything database-y or fairly complex, most folks put in a change control process or something akin to it to track that stuff.

CP has audit logging that helps a bit with this, and OSS does log it. But given the verbosity of Kafka logging, most folks tend to externalize permission controls.

Hans Jacob Melby:
@mitchell-h that is enough for me. I just wanted to understand the opportunities and limitations. If it is OK by you, I will copy your response and refer to this question when I present my findings to my colleagues. Do you know if (and where) this is documented by Confluent?

Mitch Henderson:
You can reference this conversation. It’s on public Slack and available until retention hits.

Hans Jacob Melby:
:+1:

Sarwar Bhuiyan:
What @mitchell-h said. What I’d add is that it also depends on the organisation’s existing processes for doing governance around users and access control changes. If they have a system of record which is read and then applied, does that system have auditing and query capability? GitOps might be part of the answer if you’re authoring ACLs via something like Julie or Kafka Security Manager.

Confluent Server audit logging is after-the-fact auditing of who accessed what, so today it is only part of the whole picture, since the user creation might be in certificates or AD/LDAP. The querying of audit logs is left to the implementer. The audit logs go to a topic which can be siphoned off and put into a search engine for searching. The same can be done with authoriser logs from OSS Kafka, in a manner of speaking, though the granularity of the actions might differ.