@r-vasquez
Contributor

This enables the Cloud's public API usage in rpk security role against cloud clusters.

This feature is not available in serverless yet, hence the check at the beginning of every command.

Sample commands

These are the same outputs as the self-hosted command, and it still supports the --format flag where it exists.

Create

$ rpk security role create test-role-2
Successfully created role "test-role-2"

ACLs can now be added to this role using
  rpk security acl create --allow-role "RedpandaRole:test-role-2" [acl-flags]

Check 'rpk security acl create --help' for more information about how to create
an ACL.

List

$ rpk security role list
NAME
test-role-2
test-role-1

$ rpk security role list --prefix test-role
NAME
test-role-yaml
test-role-with-hyphens
test-role-json
test-role-2
test-role-1

Assign

$ rpk security role assign test-role-1 --principal testuser1
Successfully assigned role "test-role-1" to
NAME       PRINCIPAL-TYPE
testuser1  User

$ rpk security role assign test-role-1 --principal testuser2,testuser3
Successfully assigned role "test-role-1" to
NAME       PRINCIPAL-TYPE
testuser2  User
testuser3  User

Describe

$ rpk security role describe test-role-1
PERMISSIONS
===========
PRINCIPAL                 HOST  RESOURCE-TYPE        RESOURCE-NAME  RESOURCE-PATTERN-TYPE          OPERATION       PERMISSION  ERROR
RedpandaRole:test-role-1  *     RESOURCE_TYPE_TOPIC  foo            RESOURCE_PATTERN_TYPE_LITERAL  OPERATION_READ  PERMISSION_TYPE_ALLOW

PRINCIPALS (2)
==============
NAME       TYPE
testuser6  User
testuser2  User

$ rpk security role describe test-role-1 --print-members
NAME       TYPE
testuser6  User
testuser2  User

Unassign

$ rpk security role unassign test-role-1 --principal testuser2,testuser3
Successfully unassigned role "test-role-1" from
NAME       PRINCIPAL-TYPE
testuser2  User
testuser3  User

Delete

$ rpk security role delete test-role-1 --no-confirm
PERMISSIONS
===========
PRINCIPAL                 HOST  RESOURCE-TYPE        RESOURCE-NAME  RESOURCE-PATTERN-TYPE          OPERATION       PERMISSION  ERROR
RedpandaRole:test-role-1  *     RESOURCE_TYPE_TOPIC  foo            RESOURCE_PATTERN_TYPE_LITERAL  OPERATION_READ  PERMISSION_TYPE_ALLOW

PRINCIPALS (0)
==============
NAME  TYPE
Successfully deleted role "test-role-1"

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v25.3.x
  • v25.2.x
  • v25.1.x

Release Notes

Features

  • rpk: rpk can now be used to create Redpanda roles in Redpanda Cloud using the rpk security role command.

Copilot AI review requested due to automatic review settings January 6, 2026 23:40
@r-vasquez r-vasquez requested review from a team and kbatuigas as code owners January 6, 2026 23:40
@r-vasquez r-vasquez requested review from graham-rp and removed request for a team January 6, 2026 23:40
Contributor

Copilot AI left a comment

Pull request overview

This PR adds support for Redpanda Cloud clusters to the rpk security role commands by integrating the Cloud's public API. The changes enable role management operations (create, list, assign, unassign, describe, delete) to work with both self-hosted clusters (via the Admin API) and Cloud clusters (via the public API), with a check to prevent usage on serverless clusters.

Key changes:

  • Adds Cloud API client initialization and separate code paths for Cloud vs. self-hosted clusters
  • Implements conversion functions between Admin API and Cloud API data structures
  • Updates all role commands to check cluster type and route to appropriate API

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

File                                          Description
src/go/rpk/pkg/cli/security/role/BUILD        Adds dependencies for Cloud API protobuf definitions and connect client
src/go/rpk/pkg/cli/security/role/role.go      Adds conversion functions between Admin API RoleMember and Cloud API RoleMembership types
src/go/rpk/pkg/cli/security/role/create.go    Adds Cloud API support for role creation with cluster type detection
src/go/rpk/pkg/cli/security/role/list.go      Adds Cloud API support for listing roles with filter parameters
src/go/rpk/pkg/cli/security/role/assign.go    Adds Cloud API support for assigning roles to principals
src/go/rpk/pkg/cli/security/role/unassign.go  Adds Cloud API support for unassigning roles from principals
src/go/rpk/pkg/cli/security/role/describe.go  Adds Cloud API support for describing roles including new describeAndPrintRoleCloud function
src/go/rpk/pkg/cli/security/role/delete.go    Adds Cloud API support for deleting roles with confirmation prompt

func roleMemberToMembership(members []rpadmin.RoleMember) []*dataplanev1.RoleMembership {
result := make([]*dataplanev1.RoleMembership, len(members))
for i, m := range members {
result[i] = &dataplanev1.RoleMembership{Principal: m.PrincipalType + ":" + m.Name}
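
Review bot: in the loop body of roleMemberToMembership, Principal is built as m.PrincipalType + ":" + m.Name with no check in the visible lines that either field is non-empty, so a member with an empty PrincipalType would produce ":name". Consider rejecting or defaulting an empty type (the sample output in this PR shows User) before the membership is built, so a role is never assigned to a malformed principal string.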

Copilot AI Jan 6, 2026

The string concatenation to build the principal format should be consistent with how it's parsed. Consider extracting a constant or function to ensure the format (e.g., "User:username") matches the expected parsing logic throughout the codebase.

Contributor Author

Skipping this one on purpose.

@r-vasquez r-vasquez force-pushed the ENG-724-rpk-roles-cloud branch from c22a748 to 1a24b28 Compare January 6, 2026 23:48
@vbotbuildovich
Collaborator

vbotbuildovich commented Jan 7, 2026

Retry command for Build#78613

please wait until all jobs are finished before running the slash command

/ci-repeat 1
skip-redpanda-build
skip-units
skip-rebase
tests/rptest/tests/cluster_recovery_test.py::ClusterRecoveryTest.test_basic_controller_snapshot_restore
tests/rptest/tests/rpk_role_test.py::RpkRoleTest.test_create_list_delete

@vbotbuildovich
Collaborator

vbotbuildovich commented Jan 7, 2026

CI test results

test results on build#78613

test_class: ClusterRecoveryTest
test_method: test_basic_controller_snapshot_restore
test_arguments: null
test_kind: integration
job_url: https://buildkite.com/redpanda/redpanda/builds/78613#019b95c7-8a24-4380-b3f4-b35dbf0b199d
test_status: FAIL
passed: 0/11
reason: Test FAILS after retries. Significant increase in flaky rate (baseline=0.0000, p0=0.0000, reject_threshold=0.0100)
test_history: https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=ClusterRecoveryTest&test_method=test_basic_controller_snapshot_restore

test_class: DatalakeDLQTest
test_method: test_dlq_table_for_mixed_records
test_arguments: {"catalog_type": "rest_jdbc", "cloud_storage_type": 1, "query_engine": "spark"}
test_kind: integration
job_url: https://buildkite.com/redpanda/redpanda/builds/78613#019b95c7-8a21-443b-b175-9a0aa8fb88a4
test_status: FLAKY
passed: 10/11
reason: Test PASSES after retries. No significant increase in flaky rate (baseline=0.0030, p0=1.0000, reject_threshold=0.0100. adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000)
test_history: https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=DatalakeDLQTest&test_method=test_dlq_table_for_mixed_records

test_class: RpkRoleTest
test_method: test_create_list_delete
test_arguments: null
test_kind: integration
job_url: https://buildkite.com/redpanda/redpanda/builds/78613#019b95c7-8a23-47d8-a01f-bfd5a06173fd
test_status: FAIL
passed: 0/11
reason: Test FAILS after retries. Significant increase in flaky rate (baseline=0.0000, p0=0.0000, reject_threshold=0.0100)
test_history: https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=RpkRoleTest&test_method=test_create_list_delete

test results on build#78657

test_class: LogCompactionTxRemovalUpgradeFrom25_3_1_Test
test_method: test_tx_control_batch_removal_with_upgrade_and_recovery
test_arguments: null
test_kind: integration
job_url: https://buildkite.com/redpanda/redpanda/builds/78657#019b99ed-d97b-4e84-8dde-52d460d2c1b5
test_status: FLAKY
passed: 10/11
reason: Test PASSES after retries. No significant increase in flaky rate (baseline=0.0067, p0=1.0000, reject_threshold=0.0100. adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000)
test_history: https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=LogCompactionTxRemovalUpgradeFrom25_3_1_Test&test_method=test_tx_control_batch_removal_with_upgrade_and_recovery

test_class: RedpandaNodeOperationsSmokeTest
test_method: test_node_ops_smoke_test
test_arguments: {"cloud_storage_type": 1, "mixed_versions": false}
test_kind: integration
job_url: https://buildkite.com/redpanda/redpanda/builds/78657#019b99ed-d979-4d51-892f-46dd8cd9963f
test_status: FLAKY
passed: 10/11
reason: Test PASSES after retries. No significant increase in flaky rate (baseline=0.0745, p0=1.0000, reject_threshold=0.0100. adj_baseline=0.2072, p1=0.0981, trust_threshold=0.5000)
test_history: https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=RedpandaNodeOperationsSmokeTest&test_method=test_node_ops_smoke_test

test_class: WriteCachingFailureInjectionE2ETest
test_method: test_crash_all
test_arguments: {"use_transactions": false}
test_kind: integration
job_url: https://buildkite.com/redpanda/redpanda/builds/78657#019b99e8-83c3-48c3-81ed-9e4e97e3bf20
test_status: FLAKY
passed: 15/21
reason: Test PASSES after retries. No significant increase in flaky rate (baseline=0.1148, p0=0.0709, reject_threshold=0.0100. adj_baseline=0.3063, p1=0.3926, trust_threshold=0.5000)
test_history: https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=WriteCachingFailureInjectionE2ETest&test_method=test_crash_all

@r-vasquez r-vasquez force-pushed the ENG-724-rpk-roles-cloud branch from 1a24b28 to 2cc8a23 Compare January 7, 2026 17:35
@r-vasquez
Contributor Author

r-vasquez commented Jan 7, 2026

Force Push:

  • Remove the parsing of principalType:Principal for the Cloud path, as the Dataplane API already handles this for us.
  • Initiate the role slice in list to prevent a null output in JSON/YAML formats. (Test failure caught this)
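
The null-versus-empty-list behaviour named in the second bullet, shown as an added example that is not code from this PR: Go's encoding/json marshals a nil slice as null and an initialized zero-length slice as []. The role type, filterRoles, toJSON and the sample role names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// role is a hypothetical stand-in for one entry of a role listing.
type role struct {
	Name string `json:"name"`
}

// filterRoles returns the roles whose name starts with prefix.
// With initialize=false the result is declared with `var` and stays nil
// when nothing matches; with initialize=true it is an empty, non-nil slice.
func filterRoles(names []string, prefix string, initialize bool) []role {
	var out []role
	if initialize {
		out = []role{}
	}
	for _, n := range names {
		if strings.HasPrefix(n, prefix) {
			out = append(out, role{Name: n})
		}
	}
	return out
}

// toJSON renders the list as a consumer of JSON-formatted output would see it.
func toJSON(roles []role) string {
	b, err := json.Marshal(roles)
	if err != nil {
		return "error: " + err.Error()
	}
	return string(b)
}

func main() {
	names := []string{"test-role-1", "test-role-2"} // constructed sample data
	// No role matches: the nil slice and the initialized slice differ on the wire.
	fmt.Println(toJSON(filterRoles(names, "nomatch", false)))
	fmt.Println(toJSON(filterRoles(names, "nomatch", true)))
	// With a match, both forms produce the same array.
	fmt.Println(toJSON(filterRoles(names, "test-role-2", true)))
}
```

A script that iterates over the parsed output handles [] without special cases, while null has to be checked for explicitly.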

@r-vasquez
Contributor Author

Cc: @micheleRP

graham-rp previously approved these changes Jan 7, 2026
Contributor

@graham-rp graham-rp left a comment

Looks good! I'd really love to see this get a bit more testable, but I don't think that'd be hugely valuable for this specific set of commands

RoleName: roleName,
}))
if err != nil {
return fmt.Errorf("unable to retrieve role %q: %v", roleName, err)
Contributor

Suggested change
return fmt.Errorf("unable to retrieve role %q: %v", roleName, err)
return fmt.Errorf("unable to retrieve role %q: %w", roleName, err)

nit: I don't think it particularly matters here, but %w would allow us to unwrap the error down the line if need be

Comment on lines 80 to 82
if memberships == nil {
return []rpadmin.RoleMember{}
}
Contributor

nit:

Suggested change
if memberships == nil {
return []rpadmin.RoleMember{}
}

Contributor Author

Oops, I removed it from roleMemberToMembership but not from here 👍

This enables the Cloud's public API usage in
rpk security role against cloud clusters.

This feature is not available in serverless yet,
hence the check at the beginning of every command.
@r-vasquez
Contributor Author

Force Push:

@r-vasquez r-vasquez merged commit 520a69e into redpanda-data:dev Jan 8, 2026
26 checks passed
@r-vasquez
Contributor Author

/backport v25.3.x
