You manage role-based access control (RBAC) for {product} through your {astra_db} organization. For information about {astra_db} RBAC, including default roles, custom roles, permissions, and user management, see astra-db-serverless:administration:manage-database-access.adoc.
Permissions specific to {product} include the following:

- Manage Streaming (`org-stream-manage`): View, add, edit, or remove Astra Streaming configurations.
There are no default {astra_db} roles specifically scoped to {product}. However, the following default roles have the Manage Streaming permission:

- Organization Administrator
- Administrator Service Account
- API Administrator Service Account
- API Administrator User
For information about permissions assigned to default roles, see astra-db-serverless:administration:manage-database-access.adoc.
If you create custom roles for {product}, those roles must have the following permissions, at minimum:

- Manage Streaming (`org-stream-manage`): View and manage {product} in the {astra_ui}.
- View DB (`org-db-view`): View the {astra_ui} in general.
Additional permissions might be required, depending on the tasks the role needs to perform.
TIP: To control access to specific streaming tenants, you can set granular resource scopes on custom roles.
{pulsar-short} has the concept of clients with role tokens. In {pulsar-short}, authentication is the process of verifying a provided token (JWT), and authorization is the process of determining if the role claimed in that token is allowed to complete the requested action.
{product} uses the {company} version of {pulsar} (Luna Streaming). The Luna project is an open fork of the {pulsar-short} project that maintains feature parity with OSS {pulsar-short}. {product}, as a managed service, abstracts some features/options of {pulsar-short} to ensure continuous, reliable service.
On a shared cluster, your {astra_db} organization has one or more tenants on a shared {pulsar-short} cluster. Each of your tenants is secured by {pulsar-short} authentication and authorization models, as well as your {astra_db} organization’s authentication and authorization ({astra_db} RBAC).
{product} shared clusters are created and administered by {product} administrators. Each tenant is assigned a custom role and permissions limited to that tenant only. All tokens created within a tenant are assigned roles similar to the assigning tenant.
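The two steps described above, authentication (verify the JWT signature and read the role it claims) and authorization (check whether that role may perform an action on a given tenant), shown as an added, self-contained example; this is illustrative code, not {product} or {pulsar-short} source, and the signing key, role names, tenant names and permission table are constructed for the demonstration:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo signing key; a real broker uses its own secret or public key.
SECRET = b"demo-signing-key-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(role: str) -> str:
    """Mint an HS256 JWT whose 'sub' claim carries the role (constructed for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": role}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(token: str) -> Optional[str]:
    """Authentication: verify the signature, then return the claimed role or None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # tampered or foreign token: the claimed role is not trusted
    return json.loads(_b64url_decode(payload)).get("sub")

# Constructed tenant-scoped permission table: tenant -> role -> allowed actions.
# Mirrors "each tenant is assigned a custom role limited to that tenant only".
PERMISSIONS = {
    "tenant-a": {"tenant-a-admin": {"produce", "consume", "manage"}},
    "tenant-b": {"tenant-b-admin": {"produce", "consume", "manage"}},
}

def authorize(role: str, tenant: str, action: str) -> bool:
    """Authorization: is the verified role allowed to do this action on this tenant?"""
    return action in PERMISSIONS.get(tenant, {}).get(role, set())

def is_allowed(token: str, tenant: str, action: str) -> bool:
    role = authenticate(token)
    return role is not None and authorize(role, tenant, action)
```

A valid token for one tenant's role is rejected on another tenant, and a token whose payload was altered fails authentication before any authorization check runs.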
For programmatic access, you use {astra_db} application tokens or {pulsar-short} JWT, depending on the operation you need to perform. For more information, see operations:astream-token-gen.adoc.