Cloud RBAC phase1 (#43)
* #2665 Cloud RBAC phase1

* add what's new item

* edits

* minor edit

* doc edits

* doc edits

* doc edits

* doc edits

* doc edits

* doc edits

* doc edits

* doc edits

* doc edits

* doc edits

* fixing syntax for a different single-sourced file

* incorporate feedback from Andres

* update reader permissions, per Andres

* change release date to October

* edit pm cluster perms from Mateo's review

* Update modules/security/pages/authorization/rbac.adoc

Co-authored-by: Joyce Fee <[email protected]>

* minor style edits

* minor edits

* fix link to C-Plane API, + to beta features list

also moves to February release in What's New

* style edit to What's New blurb

* add closing punctuation

---------

Co-authored-by: Joyce Fee <[email protected]>
micheleRP and Feediver1 authored Feb 4, 2025
1 parent 5804807 commit e9e8b3c
Showing 5 changed files with 76 additions and 5 deletions.
3 changes: 2 additions & 1 deletion modules/ROOT/nav.adoc
Expand Up @@ -55,9 +55,10 @@
** xref:security:cloud-authentication.adoc[Authentication]
** xref:security:authorization/index.adoc[Authorization]
*** xref:security:authorization/cloud-authorization.adoc[Cloud Authorization]
*** xref:security:authorization/rbac.adoc[]
*** xref:security:authorization/cloud-iam-policies.adoc[]
*** xref:security:authorization/cloud-iam-policies-azure.adoc[]
*** xref:security:authorization/cloud-iam-policies-gcp.adoc[]
*** xref:security:authorization/cloud-iam-policies-azure.adoc[]
** xref:security:cloud-encryption.adoc[Encryption]
** xref:security:cloud-availability.adoc[Availability]
** xref:security:secrets.adoc[Secrets]
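Review bot: the move of `*** xref:security:authorization/cloud-iam-policies-azure.adoc[]` from before the GCP entry to after it is unrelated to the RBAC entry this commit adds and is not mentioned in the commit message; either drop the reorder from this change or state the intended order (it is no longer alphabetical) so a later editor does not revert it as accidental. The new `*** xref:security:authorization/rbac.adoc[]` line itself is placed correctly, between Cloud Authorization and the IAM policy pages, matching the user-versus-agent split used in cloud-authorization.adoc.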
1 change: 1 addition & 0 deletions modules/get-started/pages/cloud-overview.adoc
Expand Up @@ -324,6 +324,7 @@ Features in beta are available for testing and feedback. They are not covered by

The following features are currently in beta in Redpanda Cloud:

* Role-based access control (RBAC) in the control plane
* Redpanda Connect for Serverless Standard and Serverless Pro
* Cloud API
* Redpanda Terraform provider
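Review bot: the new beta item `* Role-based access control (RBAC) in the control plane` is plain text, while the same feature is linked with `xref:security:authorization/rbac.adoc[...]` in whats-new-cloud.adoc and cloud-authorization.adoc in this same commit; link it here too so readers of the beta list can reach the page that explains the predefined roles and their limits.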
4 changes: 4 additions & 0 deletions modules/get-started/pages/whats-new-cloud.adoc
Expand Up @@ -9,6 +9,10 @@ This page lists new features added in Redpanda Cloud.

== February 2025

=== Role-based access control (RBAC): beta

With xref:security:authorization/rbac.adoc[RBAC], you can assign users access to specific resources in your Redpanda Cloud organization. For example, you could grant all users with a certain job title read access on the entire organization while limiting write access to only the non-production resource group. This alleviates the process of manually maintaining and verifying a set of ACLs for a large number of users.

=== Cloud API reference

The Cloud API reference is now provided as separate references for the xref:api:ROOT:cloud-controlplane-api.adoc[Control Plane API] and xref:api:ROOT:cloud-dataplane-api.adoc[Data Plane APIs]. The Control Plane API and Data Plane APIs follow separate OpenAPI specifications, so the reference is updated to better reflect the structure of the Cloud APIs and to improve usability of the documentation. See also: xref:manage:api/cloud-api-overview.adoc[].
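Review bot: the RBAC blurb says you can "assign users access to specific resources", but rbac.adoc in this commit states that service accounts are assigned the Admin role for all resources in the organization; one clause here saying that the scoping applies to users and that service accounts are not scoped in this beta would stop readers from assuming API credentials can be limited the same way. Minor wording: "This alleviates the process of manually maintaining and verifying a set of ACLs" is awkward; "This removes the need to maintain and verify a large set of ACLs by hand" says the same thing.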
7 changes: 3 additions & 4 deletions modules/security/pages/authorization/cloud-authorization.adoc
Expand Up @@ -6,11 +6,10 @@ There are two types of authorization in Redpanda Cloud:

* User authorization
+
User authorizations, managed by Kafka glossterm:ACL[,access control lists (ACLs)],
grant users permission to perform specific types of operations on specific
resources (such as topics, groups, clusters, or transactional IDs).
** Use xref:security:authorization/rbac.adoc[role-based access control (RBAC)] to assign users access to specific resources in your Redpanda Cloud organization. For example, you could assign all users with a certain job title read access on the entire organization and write access only on your non-production resource group. You can define roles to reflect organizational structure or job duties. This alleviates the process of manually maintaining and verifying a set of ACLs for a user base that may contain thousands of users.
** Use Kafka glossterm:ACL[,access control lists (ACLs)] to grant users permission to perform specific types of operations on specific resources (such as topics, groups, clusters, or transactional IDs).
* Agent authorization
* BYOC agent authorization
+
When deploying an agent as part of BYOC cluster
provisioning, Redpanda Cloud automatically assigns IAM policies to the agent.
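Review bot: the two new `**` sub-bullets under "User authorization" do not say how RBAC and ACLs relate to each other. The RBAC bullet talks about organizations, resource groups and clusters, while the ACL bullet talks about Kafka operations on topics, groups, clusters and transactional IDs; add a sentence stating which layer each mechanism governs and whether a role binding replaces ACLs for the Kafka operations listed or is required in addition to them, otherwise readers may expect a Writer role alone to grant produce rights on a topic (or the reverse). The rename of "Agent authorization" to "BYOC agent authorization" is a clear improvement and matches the text under it.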
66 changes: 66 additions & 0 deletions modules/security/pages/authorization/rbac.adoc
@@ -0,0 +1,66 @@
= Role-Based Access Control
:description: Use role-based access control (RBAC) to manage access to resources in your organization, like clusters or resource groups.
:page-categories: Management, Security
:page-beta: true

Use Redpanda Cloud role-based access control (RBAC) in the control plane to manage and restrict access to resources in your organization. For example, you could assign all users with a certain job title read access on the entire organization and write access only on your non-production resource group. The following resources can be assigned as the scope of a role:

- Organization
- Resource groups
- Networks
- Network peerings
- Clusters (Note: Serverless clusters have a different set of permissions from BYOC and Dedicated clusters.)
You can manage your RBAC configurations with the https://cloud.redpanda.com[Redpanda Cloud UI^] or with the xref:api:ROOT:cloud-controlplane-api.adoc[Control Plane API].

== RBAC terminology

**Role**: A role is a list of permissions. With RBAC, permissions are attached to roles. Users assigned multiple roles receive the union of all permissions defined in those roles. Redpanda Cloud has three predefined roles: Reader, Writer, and Admin.

**Account**: An RBAC account is either a user account (human user) or a service account (machine or programmatic user).

**Role binding**: Role binding assigns a role to an account.

== Manage access for organization

In the Redpanda Cloud UI, the *Organization IAM* page lists your organization's existing users and service accounts and their associated roles. You can edit a user's access, invite new users, and create service accounts. When you add a user, you define their permissions with role binding. Service accounts are assigned the Admin role for all resources in the organization.

On the *Organization IAM - Users* page, select a user to see their assigned roles. For example, for a user with Admin access on the organization, the user's _Resource_ is the organization name, the _Scope_ is organization, and the _Role_ is Admin.

Administrators can add, edit, or remove role bindings for a user. When you change the permissions for a given role, all users and service accounts with that role automatically get the modified permissions.

Users can have multiple roles, as long as they are each for a different resource and scope. For example, you could assign a user the Reader role on the organization, the Admin role on a specific resource group, and the Writer role on a specific cluster.

When you delete a role, Redpanda removes it from any user or service account it is attached to, and permissions are revoked.

== Predefined roles

Redpanda Cloud provides the following predefined roles: <<Reader,Reader>>, <<Writer,Writer>>, and <<Admin,Admin>>.

=== Reader

The Reader role grants permission to view all resources. This includes:

* View all networks and clusters (Serverless, BYOC, and Dedicated).
* View all cluster aspects (ACLs, service accounts, quotas).
* View all topic aspects (messages, configs, partitions, using search filters).
* View all consumer group aspects (consumer groups, group offsets, and lags).
* View all schema registry aspects (registered schemas with their contents).
* View all Kafka Connect aspects (list configured clusters and their connectors, including the status and connector configurations).
* This does not include permission to view the list of users.

=== Writer

The Writer role grants all permissions that come with the Reader role and additionally includes:

* Manage all topic aspects, such as create topics, edit topic configurations, delete topics, and publish and delete topic records.
* Manage all consumer group aspects, such as edit group offsets and delete group offsets.
* Manage all Kafka Connect aspects, such as create/update/delete and start/pause/stop Kafka Connect.
* This does not include permission to create/remove ACLs and service accounts.

=== Admin

The Admin role grants all permissions that come with the Writer role and additionally includes:

* Manage all service account aspects (create/remove service accounts).
* Manage all ACL aspects (create/remove ACLs).
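Review bot: "Service accounts are assigned the Admin role for all resources in the organization" (under "Manage access for organization") is the most security-relevant sentence on the page and it contradicts the rest of it: "Account" is defined as a user or service account, "Role binding assigns a role to an account", and the edit and delete paragraphs speak of "all users and service accounts with that role". State plainly whether a service account's Admin binding can be narrowed or removed; if it cannot in this beta, put that in a NOTE or WARNING admonition, since every API credential in the organization then carries the same rights as an organization administrator and that should drive how those credentials are stored and rotated. Three smaller points: the line "You can manage your RBAC configurations with the ... Redpanda Cloud UI ..." directly follows the `- Clusters (Note: ...)` list item with no blank line, so AsciiDoc renders it as a continuation of that list item; add a blank line after the list. "When you change the permissions for a given role" and "When you delete a role" imply custom roles, but the page only describes three predefined roles; either document role creation or reword both paragraphs in terms of role bindings. The cross-references `<<Reader,Reader>>`, `<<Writer,Writer>>` and `<<Admin,Admin>>` use capitalized ids, while the generated section ids for `=== Reader` etc. are lowercase (`reader`, `writer`, `admin`) unless explicit anchors are set, so these links will likely not resolve; use the lowercase ids or add `[[Reader]]`-style anchors.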
