Permissions


Lenses permissions

Lenses implements a data namespace security approach to support multi-tenant setups with fine-grained access control on data, apps and admin features. This guide gives you an overview of the Lenses security system. Some security features are subject to your subscription plan.

Introduction 

Lenses provides a rich and flexible fine-grained security model to protect resources and shape teams and projects. To implement it, you create Groups and assign User or Service accounts to each group. Groups hold the authorisation rules for Namespaces, scoped functions and admin functions. Authentication is supported via Basic Authentication or an external authentication provider such as LDAP, an SSO provider, or Kerberos.

The process to add users:

  1. Select your authentication method
  2. Create groups with namespaces and permissions, and map them to your provider if required
  3. Follow the instructions for your auth provider to create user accounts and add them to the group

There are three categories of permissions in Groups:

  • Namespaces, related to data sources
  • Application, related to apps and scoped to the namespaces
  • Administration, related to administration functions of Lenses and not scoped by namespaces

Data centric Namespaces 

A Namespace is a collection of datasets, described by naming conventions and the associated permissions. If a User belongs to multiple Groups, their permissions are the aggregate of the namespaces of all those groups. Wildcards are supported for prefix or suffix matching as well as full dataset names, e.g.: transactionTopic, *transactions, transactions*, *transactions*

The Namespaces are defined by the combination of:

  • the data source connection name (e.g. Kafka, elasticDev),
  • the dataset naming rules, using names or wildcards (e.g. topicName, topicName*, *topicName), and
  • the permissions granted on the connection (e.g. Configure Topic, View Data, etc.)
Namespaces

Multiple data sources 

Kafka is a primary data source in Lenses. It provides granular permissions on different elements of Topics and administration.

Additionally, Lenses recently introduced Elasticsearch, with PostgreSQL and other sources coming soon, in order to expand the real-time data catalog and provide a holistic view of the data pipelines for Kafka developers.

Datasets from these additional sources are also covered by the Lenses security system.

Connection Permission

Role based access control 

A Lenses administrator can set up multiple Namespaces for each group, with fine-grained permissions on the data topics.

By doing so, you can describe your projects and teams while also sharing data between them in a controlled way.

Examples:

Users in groupA can manage TopicA (insert/delete/configure, etc.) but have a read-only view of TopicB.

Users in groupA can View, Insert or Delete data for topics whose names start with payments, but only the users in groupB have the topic admin actions (Create/Delete/Configure) on them, and groupB cannot view the data.

Scope resources via Namespaces 

Namespaces determine which part of the data estate Users can interact with. Applications that use data, i.e. connectors and processors, are also protected by the namespace scope.

Scoped permissions

Application resources are scoped 

An Application reads, writes or processes data from datasets. Applications in Lenses can be Kafka Connectors, SQL processors, External Apps or Kafka Consumers.

In a multi-tenant environment, users can manage applications within the scope of their own projects.

Scoped application permissions are derived from the combined Namespaces of the group, giving better control over your pipelines. Groups can additionally be granted View or Manage control selectively for different features.

Examples:

Users in groupA can view the Connectors related to their topics, but cannot control them (create, delete, restart, etc.).

Users in groupA can manage Consumers (e.g. reset or skip offsets) for the topics in their Namespace.
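As an added illustration of the two scoping rules described above (permissions aggregated across a user's groups, and application visibility scoped by those namespaces), here is a small Python model. It is example code, not Lenses' own implementation: the permission names, the View/Manage feature levels and the rule that a connector is in scope only when every topic it touches is viewable are this example's assumptions, built from the examples on this page.

```python
# Added example (not Lenses' own code): a toy model of the Group -> Namespace ->
# permission scheme described on this page. Permission names, application
# feature levels and the matching helper are this example's own assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


def dataset_matches(pattern: str, name: str) -> bool:
    """Wildcard rules from the text: exact name, prefix*, *suffix, *contains*."""
    if pattern == "*":
        return True
    core = pattern.strip("*")
    if pattern.startswith("*") and pattern.endswith("*"):
        return core in name
    if pattern.startswith("*"):
        return name.endswith(core)
    if pattern.endswith("*"):
        return name.startswith(core)
    return name == pattern


@dataclass(frozen=True)
class Namespace:
    connection: str              # data source connection name, e.g. "Kafka"
    pattern: str                 # dataset name or wildcard rule
    permissions: FrozenSet[str]  # permissions granted on matching datasets


@dataclass(frozen=True)
class Group:
    namespaces: Tuple[Namespace, ...]  # data-centric rules
    applications: Dict[str, str]       # scoped app feature -> "View" | "Manage"


LEVELS = {"View": 1, "Manage": 2}

# Constructed groups mirroring the page's examples (hypothetical permission names).
GROUPS: Dict[str, Group] = {
    "groupA": Group(
        namespaces=(
            Namespace("Kafka", "TopicA", frozenset({"View Data", "Insert Data",
                                                    "Delete Data", "Configure Topic"})),
            Namespace("Kafka", "TopicB", frozenset({"View Data"})),
            Namespace("Kafka", "payments*", frozenset({"View Data", "Insert Data",
                                                       "Delete Data"})),
        ),
        applications={"Connectors": "View", "Consumers": "Manage"},
    ),
    "groupB": Group(
        namespaces=(
            Namespace("Kafka", "payments*", frozenset({"Create Topic", "Delete Topic",
                                                       "Configure Topic"})),
        ),
        applications={},
    ),
}


def effective_permissions(user_groups: Iterable[str], connection: str,
                          dataset: str) -> FrozenSet[str]:
    """Union of every matching namespace across all of the user's groups."""
    granted = set()
    for group_name in user_groups:
        for ns in GROUPS[group_name].namespaces:
            if ns.connection == connection and dataset_matches(ns.pattern, dataset):
                granted |= ns.permissions
    return frozenset(granted)


def application_level(user_groups: Iterable[str], feature: str) -> Optional[str]:
    """Highest View/Manage level any of the user's groups grants on an app feature."""
    best = None
    for group_name in user_groups:
        level = GROUPS[group_name].applications.get(feature)
        if level and (best is None or LEVELS[level] > LEVELS[best]):
            best = level
    return best


def visible_connectors(user_groups: List[str], connectors: List[dict]) -> List[str]:
    """A connector is in scope only if the user may see the feature at all and
    holds View Data on every Kafka topic the connector touches (assumed rule)."""
    if application_level(user_groups, "Connectors") is None:
        return []
    return [c["name"] for c in connectors
            if all("View Data" in effective_permissions(user_groups, "Kafka", t)
                   for t in c["topics"])]


# Constructed connector inventory for the demonstration.
CONNECTORS = [
    {"name": "payments-sink", "topics": ["payments-eu", "payments-us"]},
    {"name": "audit-sink", "topics": ["audit-log"]},
]

if __name__ == "__main__":
    print(sorted(effective_permissions(["groupA", "groupB"], "Kafka", "payments-eu")))
    print(visible_connectors(["groupA"], CONNECTORS))
```

Note how a user in both groupA and groupB ends up with both the data permissions and the topic admin actions on payments topics, while groupB alone never gains View Data; the connection name is part of the match, so the same dataset name on a different connection grants nothing.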

Application Permissions

Administration permissions 

Admin permissions refer to activities that are in the global scope of a Lenses setup and affect all the related entities.

Admin permissions allow critical actions to be grouped more finely for administrators, and also control which features of Lenses will be available to the end users of each group.

Examples:

Users with the Kafka Settings permission can add or remove Kafka ACLs and Quotas.

Users with the Data Policies permission can add protection (masking) policies to fields of topics.

View and Manage permissions 

View and Manage permissions are available for the Scoped and Admin categories of the group.

  • View permission enables the feature in a “read only” mode. If not selected, the feature is not available to the user.
  • Manage permission enables create, update and delete functions. Its exact meaning depends on the specific function, so refer to the Permission matrix for the detailed permissions supported by each function.