kafbat UI
GithubDiscord
  • 🎓Overview
    • About
    • Features
    • Getting started
  • 🛣️Project
    • Code of Conduct
    • Roadmap
  • 🧱Development
    • 🤝🏻Contributing
    • Setting up git
    • Building
      • Prerequisites
      • With Docker
      • Without Docker
    • WIP: Testing
  • ⚡Quick Start
    • 🔍Prerequisites
      • Kafka Permissions
        • Standalone Kafka ACLs
        • MSK (+Serverless) Setup
    • Demo run
    • AWS Marketplace
    • Persisting config
    • K8s / Helm
  • 🛠️Configuration
    • Configuration wizard
    • Configuration file
    • Setup example configs
    • Helm charts
      • Quick start
      • Configuration
        • SSL example
      • Resource limits
      • Sticky sessions
    • Misc configuration properties
    • Complex configuration examples
      • Kraft mode + multiple brokers
    • Kafka secured with SSL
    • Authentication
      • For the UI
        • Basic Authentication
        • OAuth2
        • LDAP / Active Directory
        • SSO Guide (Deprecated)
      • For Kafka
        • AWS IAM
        • SASL_SCRAM
    • RBAC (Role based access control)
      • Supported Identity Providers
    • Data masking
    • Audit log
    • Serialization / SerDe
    • OpenDataDiscovery Integration
  • ❓FAQ
    • Common problems
    • MCP Server
    • FAQ
    • Authentication Issues
Powered by GitBook
On this page
  • Generic OAuth
  • Google
  • Github
  • Cognito
  • LDAP
  • Active Directory
  • Okta
  • GoAuthentic

Was this helpful?

Edit on GitHub
Export as PDF
  1. Configuration
  2. RBAC (Role based access control)

Supported Identity Providers

The list of supported auth providers for RBAC

PreviousRBAC (Role based access control)NextData masking

Last updated 4 months ago

Was this helpful?

Generic OAuth

Any OAuth provider not on the list of all providers below this one.

Set up the auth itself first, docs and . Don't forget "custom-params.type: oauth".

      subjects:
        - provider: oauth
          type: role
          value: "role-name"
        - provider: oauth
          type: user
          value: "zoidberg"

Google

Set up google auth

        - provider: oauth_google
          type: domain
          value: "memelord.lol"
        - provider: oauth_google
          type: user
          value: "kek@memelord.lol"

Github

        - provider: oauth_github
          type: organization
          value: "kafbat"
        - provider: oauth_github
          type: user
          value: "memelord"
        - provider: oauth_github
          type: team
          value: "kafbat/backend"

Cognito

        - provider: oauth_cognito
          type: user
          value: "zoidberg"
        - provider: oauth_cognito
          type: group
          value: "memelords"

LDAP

        - provider: ldap
          type: group
          value: "admin_staff"
        - provider: ldap
          type: user
          value: "pepega"

Active Directory

       - provider: ldap_ad
         type: group
         value: "admin_staff"
       - provider: ldap_ad
         type: user
         value: "zoidberg"

Okta

You can map Okta Groups to roles. First, confirm that your okta administrator has included the group claim or the groups will not be passed in the auth token.

Configure the role mapping to the okta group via generic provider mentioned above:

      subjects:
        - provider: oauth
          type: role
          value: "<okta-group-name>"

GoAuthentic

You can map GoAuthentic Groups to roles. First, confirm that your GoAuthentic administrator has included the profile claim or the groups will not be passed in the auth token.

Configure the role mapping to the GoAuthentic group via generic provider mentioned above:

      subjects:
        - provider: oauth
          type: role
          value: "<goauthentic-group-name>"

Set up github auth

Set up cognito auth

Set up LDAP auth

Ensure roles-field in the auth config is set to groups and that groups is included in the scope, see for more details.

Ensure roles-field in the auth config is set to groups and that profile is included in the scope, as groups are passed by default in the profile scope. See for more details.

🛠️
first
here
here
first
first
first
here
here