2024 © Lenses.io Ltd. Apache, Apache Kafka, Kafka and associated open source project names are trademarks of the Apache Software Foundation.
Example Policies

This section provides example IAM policies for Lenses.

These are only sample policies to help you build your own.

Admin

Full admin across all resources.

role
name: administrator
policy:
  - action: '*'
    resource: '*'
    effect: allow

Full access for data namespace

Allow full access across all services to resources whose names begin with blue-.

role
name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:*/*/blue-*
      - kafka:consumer-group:*/*/blue-*
      - kafka:acl:*/*/*/user/blue-*
      - schemas:schema:*/*/blue-*
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/blue-*
      - sql-streaming:processor:*/*/*/blue-*
      - kubernetes:cluster:*/*
      - kubernetes:namespace:*/*/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:*/*/blue-*
      - alerts:event:*/*/*
      - data-policies:policy:*/blue-*
    effect: allow
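A namespace-scoped role like blue-things is only as tight as its least specific resource pattern, so a policy reviewer wants to see at a glance which statements pair a write-capable wildcard action (kafka-connect:*, kubernetes:*, alerts:*) with a resource pattern that is not confined to the blue- prefix. The script below is an added example, not part of the Lenses documentation or product: it transcribes the blue-things policy above as Python data and reports those pairs. Its notion of a "read-only" action (a verb beginning with List, Get, Read or Access) and its reading of `*` as matching anything are assumptions of the script, not Lenses' own definitions; whether a cluster-level grant is required for connector or namespace operations is a product question the script does not answer, it only surfaces the grants for review.

```python
"""Least-privilege review of a Lenses-style IAM policy (added example).

Reports every allow statement where a write-capable action reaches a
resource pattern whose final path segment is not pinned to the intended
namespace prefix.  ASSUMPTIONS (this script's, not Lenses'): a verb that
starts with List/Get/Read/Access is read-only; '*' matches anything.
"""
from typing import Dict, List, Tuple, Union

Statement = Dict[str, Union[str, List[str]]]

# The 'blue-things' policy from the page, transcribed so the example runs
# without a YAML parser.
BLUE_THINGS: List[Statement] = [
    {"action": ["iam:List*", "iam:Get*"],
     "resource": "iam:*", "effect": "allow"},
    {"action": ["environments:Get*", "environments:List*",
                "environments:AccessEnvironment"],
     "resource": "environments:*", "effect": "allow"},
    {"action": ["kafka:*", "schemas:*", "kafka-connect:*",
                "kubernetes:*", "applications:*"],
     "resource": [
         "kafka:topic:*/*/blue-*",
         "kafka:consumer-group:*/*/blue-*",
         "kafka:acl:*/*/*/user/blue-*",
         "schemas:schema:*/*/blue-*",
         "kafka-connect:cluster:*/*",
         "kafka-connect:connector:*/*/blue-*",
         "sql-streaming:processor:*/*/*/blue-*",
         "kubernetes:cluster:*/*",
         "kubernetes:namespace:*/*/*",
     ],
     "effect": "allow"},
    {"action": ["alerts:*", "data-policies:*"],
     "resource": ["alerts:alert:*/*/blue-*", "alerts:event:*/*/*",
                  "data-policies:policy:*/blue-*"],
     "effect": "allow"},
]

READ_ONLY_VERBS = ("List", "Get", "Read", "Access")  # heuristic, see docstring


def as_list(value: Union[str, List[str]]) -> List[str]:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def service_of(name: str) -> str:
    """'kafka-connect:cluster:*/*' -> 'kafka-connect'."""
    return name.split(":", 1)[0]


def is_read_only(action: str) -> bool:
    """'iam:List*' -> True; 'kafka:*' -> False (a wildcard verb can be anything)."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_VERBS)


def scoped_to_prefix(resource: str, prefix: str) -> bool:
    """True when the last path segment of the pattern starts with the prefix:
    'kafka:topic:*/*/blue-*' is scoped to 'blue-', 'kafka-connect:cluster:*/*' is not."""
    last_segment = resource.rsplit("/", 1)[-1]
    return last_segment.startswith(prefix)


def review(policy: List[Statement], prefix: str) -> List[Tuple[str, str]]:
    """Return (action, resource) pairs where a write-capable action of some
    service reaches a resource of that service that is not confined to `prefix`."""
    findings: List[Tuple[str, str]] = []
    for stmt in policy:
        if stmt.get("effect") != "allow":
            continue
        writers = [a for a in as_list(stmt["action"]) if not is_read_only(a)]
        for res in as_list(stmt["resource"]):
            if scoped_to_prefix(res, prefix):
                continue
            for act in writers:
                if service_of(act) == service_of(res):
                    findings.append((act, res))
    return findings


if __name__ == "__main__":
    for act, res in review(BLUE_THINGS, "blue-"):
        print(f"REVIEW: {act} reaches {res}")
```

Run against the policy above, the script lists the cluster-level kafka-connect and kubernetes grants, the all-namespaces kubernetes grant and the alerts:event grant; each is either intended (and worth a comment in the role) or a candidate for tightening.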

Explore a data namespace

Allow read-only access to topics and schemas whose names begin with la-.

role
name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment:global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic:*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema:*/*/la-*
    effect: allow

Connect Operator

Allow operators to restart connectors, and to list and get IAM resources only.

No access to data!

role
name: global-connector-operator
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka-connect:List*
      - kafka-connect:GetClusterDetails
      - kafka-connect:GetConnectorDetails
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
    resource:
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/*
    effect: allow

Explicit no access to production

Explicitly deny access to environments with names starting with prod-.

role
name: no-access-prod-name-prefix
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny

Developer access

Allow developers access to topics, schemas, SQL processors, consumer groups, ACLs, quotas and connectors in the us-dev environment.

role
name: us-dev-permissions
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:us-dev/*
      - kafka:consumer-group:us-dev/*
      - kafka:acl:us-dev/*
      - kafka:quota:us-dev/*
      - schemas:schema:us-dev/*
      - kafka-connect:cluster:us-dev/*
      - kafka-connect:connector:us-dev/*
      - sql-streaming:sql-processor:us-dev/*
      - kubernetes:cluster:us-dev/*
      - kubernetes:namespace:us-dev/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:channel:us-dev/*
      - alerts:event:us-dev/*
      - alerts:rule:us-dev/*
      - data-policies:policy:us-dev/*
    effect: allow
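Reading the policies above raises the practical question of what a given user can actually do once several roles are combined, in particular how the explicit deny in no-access-prod-name-prefix interacts with a broad allow such as administrator, and how a pattern like `kafka:topic:*/kafka/la-*` in public-data-explorer matches a concrete topic. The evaluator below is an added example, not Lenses code and not a description of how Lenses itself evaluates policies. It makes three labelled assumptions: `*` in an action or resource pattern matches any run of characters, `/` included; a matching deny statement wins over any allow; a request that matches nothing is denied. The request values (environment names, topic names, the kafka:InsertTopicData action) are constructed for the example.

```python
"""Toy evaluator for Lenses-style IAM policies (added example, not Lenses code).

ASSUMPTIONS, labelled here because the page does not state them:
  * '*' matches any run of characters, '/' included (fnmatch semantics);
  * any matching deny statement overrides every allow;
  * a request that matches no statement is denied.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple, Union

Statement = Dict[str, Union[str, List[str]]]
Roles = Dict[str, List[Statement]]

# Policies transcribed from the page.
ADMINISTRATOR: List[Statement] = [
    {"action": "*", "resource": "*", "effect": "allow"},
]

PUBLIC_DATA_EXPLORER: List[Statement] = [
    {"action": ["environments:ListEnvironments", "environments:GetEnvironmentDetails",
                "environments:AccessEnvironment"],
     "resource": "environments:environment:global*", "effect": "allow"},
    {"action": ["kafka:ListTopics", "kafka:ListTopicDependants",
                "kafka:GetTopicDetails", "kafka:ReadTopicData"],
     "resource": "kafka:topic:*/kafka/la-*", "effect": "allow"},
    {"action": ["schemas:ListSchemas", "schemas:ListSchemaDependants",
                "schemas:GetSchemaDetails"],
     "resource": "schemas:schema:*/*/la-*", "effect": "allow"},
]

NO_ACCESS_PROD: List[Statement] = [
    {"action": "environments:AccessEnvironment",
     "resource": "environments:environment:prod-*", "effect": "deny"},
]


def as_list(value: Union[str, List[str]]) -> List[str]:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def matches(pattern: str, value: str) -> bool:
    """Case-sensitive glob match; '*' may span '/' (assumption)."""
    return fnmatchcase(value, pattern)


def statement_hits(stmt: Statement, action: str, resource: str) -> bool:
    """A statement applies when both an action pattern and a resource pattern match."""
    return (any(matches(a, action) for a in as_list(stmt["action"]))
            and any(matches(r, resource) for r in as_list(stmt["resource"])))


def evaluate(roles: Roles, action: str, resource: str) -> Tuple[str, Optional[str]]:
    """Return ('allow'|'deny', role name that decided it, or None when
    nothing matched and the default deny applied)."""
    decision: Tuple[str, Optional[str]] = ("deny", None)
    for role_name, policy in roles.items():
        for stmt in policy:
            if not statement_hits(stmt, action, resource):
                continue
            if stmt["effect"] == "deny":
                return ("deny", role_name)   # explicit deny is final (assumption)
            if decision[0] != "allow":
                decision = ("allow", role_name)
    return decision


if __name__ == "__main__":
    explorer: Roles = {"public-data-explorer": PUBLIC_DATA_EXPLORER}
    admin_no_prod: Roles = {"administrator": ADMINISTRATOR,
                            "no-access-prod-name-prefix": NO_ACCESS_PROD}
    # Constructed requests; topic and environment names are examples only.
    checks = [
        (explorer, "kafka:ReadTopicData", "kafka:topic:global-1/kafka/la-orders"),
        (explorer, "kafka:ReadTopicData", "kafka:topic:global-1/kafka/orders"),
        (explorer, "kafka:InsertTopicData", "kafka:topic:global-1/kafka/la-orders"),
        (admin_no_prod, "environments:AccessEnvironment", "environments:environment:prod-eu"),
        (admin_no_prod, "environments:AccessEnvironment", "environments:environment:us-dev"),
    ]
    for roles, act, res in checks:
        print(f"{act:35} {res:45} -> {evaluate(roles, act, res)}")
```

Two things the run makes concrete: the explorer role reads la- topics but gets the default deny for any other topic and for any action not listed (there is no write action to deny, because it was never granted), and adding the prod- deny to an administrator leaves every other environment allowed while the single AccessEnvironment request on a prod- environment is refused by the deny statement.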

Last updated 8 days ago
