This page was originally written for Redpanda as part of the Group-Based Access Control (GBAC) feature. It is reproduced here as a portfolio writing sample.
Configure Group-Based Access Control
This feature requires an Enterprise Edition license on your cluster.
Group-based access control (GBAC) extends OIDC authentication to let you manage permissions at the group level instead of per user. You can grant permissions to groups in two ways: create ACLs with Group:<name> principals, or assign groups as members of RBAC roles. Both approaches can be used independently or together. Because group membership is managed by your identity provider (IdP), onboarding and offboarding require no changes in Redpanda.
After reading this page, you will be able to:
- Configure the cluster properties that enable GBAC
- Assign an OIDC group to an RBAC role
- Create a group-based ACL using the
Group:principal prefix
Prerequisites
- OIDC authentication must be configured and enabled on your cluster.
- Superuser access to configure cluster properties and manage ACLs.
- Enterprise Edition license on your cluster.
Assign groups to roles
Assigning a group to an RBAC role is the recommended pattern for managing permissions at scale. All users in the group inherit the role's ACLs automatically.
- rpk
- Redpanda Console
- Admin API
To assign a group to a role:
rpk security role assign <role-name> --group <group-name>
For example, to assign the engineering group to the DataEngineers role:
rpk security role assign DataEngineers --group engineering
To remove a group from a role:
rpk security role unassign <role-name> --group <group-name>
For example:
rpk security role unassign DataEngineers --group engineering
To assign a group to a role in Redpanda Console:
- From Security on the left navigation menu, select the Roles tab.
- Select the role you want to assign the group to.
- Click Edit.
- In the Principals section, enter the group name using the
Group:<name>format. For example,Group:engineering. - Click Update.
To remove a group from a role:
- From Security on the left navigation menu, select the Roles tab.
- Select the role that has the group assignment you want to remove.
- Click Edit.
- In the Principals section, remove the
Group:<name>entry. - Click Update.
These operations use the Admin API v2 SecurityService. Send all requests as POST with a JSON body.
To assign a group to a role, call AddRoleMembers:
curl -u <user>:<password> \
--request POST 'http://localhost:9644/redpanda.core.admin.v2.SecurityService/AddRoleMembers' \
--header 'Content-Type: application/json' \
--data '{
"roleName": "DataEngineers",
"members": [{"group": {"name": "engineering"}}]
}'
To remove a group from a role, call RemoveRoleMembers:
curl -u <user>:<password> \
--request POST 'http://localhost:9644/redpanda.core.admin.v2.SecurityService/RemoveRoleMembers' \
--header 'Content-Type: application/json' \
--data '{
"roleName": "DataEngineers",
"members": [{"group": {"name": "engineering"}}]
}'
Create group-based ACLs
You can grant permissions directly to a group by creating an ACL with a Group:<name> principal. This works the same as creating an ACL for a user, but uses the Group: prefix instead of User:.
- rpk
- Redpanda Console
To grant cluster-level access to the engineering group:
rpk security acl create --allow-principal Group:engineering --operation describe --cluster
To grant topic-level access:
rpk security acl create \
--allow-principal Group:engineering \
--operation read,describe \
--topic 'analytics-' \
--resource-pattern-type prefixed
If your groups use path-style names (with nested_group_behavior set to none), use the full path as the principal name:
rpk security acl create --allow-principal 'Group:/departments/eng/platform' --operation read --topic platform-data
To create an ACL for an OIDC group in Redpanda Console:
- From Security on the left navigation menu, select the Roles tab.
- Click Create role to open the role creation form, or select an existing role and click Edit.
- In the Principals field, enter the group principal using the
Group:<name>format. For example,Group:engineering. - Define the permissions (ACLs) you want to grant to users in the group. You can configure ACLs for clusters, topics, consumer groups, transactional IDs, Schema Registry subjects, and Schema Registry operations.
- Click Create (or Update if editing an existing role).
Redpanda Console assigns ACLs through roles. To grant permissions to a group, create a role for that group, add the group as a principal, and define the ACLs on the role. To create ACLs with a Group: principal directly (without creating a role), use rpk.
View groups and roles
List groups assigned to a role
- rpk
- Admin API
To see which groups are assigned to a role, use --print-groups:
rpk security role describe <role-name> --print-groups
For example:
rpk security role describe DataEngineers --print-groups
To list all roles assigned to a specific group:
rpk security role list --group <group-name>
For example:
rpk security role list --group engineering
These operations use the Admin API v2 SecurityService. Send all requests as POST with a JSON body.
To retrieve a role's details including all members (users and groups), call GetRole:
curl -u <user>:<password> \
--request POST 'http://localhost:9644/redpanda.core.admin.v2.SecurityService/GetRole' \
--header 'Content-Type: application/json' \
--data '{"name": "DataEngineers"}'
The response includes a members array with both user and group entries.
To list all roles, call ListRoles:
curl -u <user>:<password> \
--request POST 'http://localhost:9644/redpanda.core.admin.v2.SecurityService/ListRoles' \
--header 'Content-Type: application/json' \
--data '{}'
To verify how Redpanda resolves groups from an OIDC token, call ResolveOidcIdentity. Pass the token in the Authorization header. The response includes the resolved principal, token expiry, and a groups field listing all groups extracted from the token:
curl \
--request POST 'http://localhost:9644/redpanda.core.admin.v2.SecurityService/ResolveOidcIdentity' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <jwt-access-token>' \
--data '{}'