Skip to content

GBAC#1584

Open
paulohtb6 wants to merge 12 commits intov-WIP/26.1from
gbac
Open

GBAC#1584
paulohtb6 wants to merge 12 commits intov-WIP/26.1from
gbac

Conversation

@paulohtb6
Copy link
Contributor

@paulohtb6 paulohtb6 commented Feb 24, 2026
edited by kbatuigas
Loading

Description

Related PR to add Security to Admin API v2: redpanda-data/api-docs#60

This pull request introduces comprehensive documentation for Group-Based Access Control (GBAC) in Redpanda, detailing how permissions can now be assigned to OIDC groups in addition to individual users. It adds new conceptual and how-to guides, updates navigation, and describes configuration, usage patterns, and limitations for GBAC. It also documents new configuration properties relevant to group extraction from authentication tokens.

The most important changes are:

GBAC Documentation and How-to Guides:

  • Added a new how-to guide gbac.adoc under security/authorization, with detailed instructions, usage patterns, configuration, and examples for assigning groups to roles and creating group-based ACLs. [1] [2]
  • Added partials for UI-based group-to-role assignment (gbac-assign-group-role.adoc) and group ACL creation (gbac-create-group-acl.adoc). [1] [2]

Navigation and Discoverability:

  • Updated navigation (nav.adoc) to include GBAC under both Kubernetes and general security/authorization sections, making the new documentation easily discoverable. [1] [2]
  • Updated the main authorization index to mention group-based access control alongside ACLs and RBAC.

Release Notes and Feature Announcements:

  • Announced GBAC as a new feature in the release notes, summarizing its capabilities and usage patterns.
  • Documented two new configuration properties for GBAC: nested_group_behavior and oidc_group_claim_path.

OIDC Authentication Documentation:

  • Added a tip to the OIDC authentication documentation highlighting that GBAC can be used to assign permissions to groups, not just users.

Resolves DOC-1789
Review deadline: March 3rd

Page previews

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

@paulohtb6 paulohtb6 requested a review from a team as a code owner February 24, 2026 19:23
@netlify
Copy link

netlify bot commented Feb 24, 2026
edited
Loading

👷 Deploy Preview for redpanda-docs-preview processing.

Name Link
🔨 Latest commit edc9719
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-docs-preview/deploys/69c1c4cc43d3190008eb7186

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 24, 2026
edited
Loading

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d1dba507-bdf5-4966-8600-f328fb703a32

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch gbac

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@paulohtb6 paulohtb6 changed the title Gbac GBAC Feb 24, 2026
nguyen-andrew
nguyen-andrew reviewed Feb 26, 2026
View reviewed changes
Copy link
Member

@nguyen-andrew nguyen-andrew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good so far! Just some minor comments and questions

modules/manage/partials/gbac-dp.adoc Outdated
@@ -0,0 +1,336 @@
// tag::single-source[]

Group-based access control (GBAC) builds on xref:manage:security/authorization/rbac.adoc[role-based access control (RBAC)] to simplify permission management at scale. Instead of assigning roles or ACLs to individual users, you assign them to OIDC groups managed by your identity provider (IdP). Users inherit permissions from all groups reported in their OIDC token claims, so onboarding and offboarding require no changes in Redpanda.
Copy link
Member

@nguyen-andrew nguyen-andrew Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should mention OIDC earlier in the paragraph (like in the first sentence) so readers immediately understand that GBAC depends on OIDC being configured. I think the OIDC dependency could be easy to miss upfront until the reader reads further down (like the Prerequisites section).

modules/manage/partials/gbac-dp.adoc Outdated
Users with more than 200 group memberships in Azure AD receive a URL reference in their token instead of a list of group names. Redpanda does not follow that URL and cannot resolve groups in this case. Mitigation: filter token claims to include only the groups relevant to Redpanda.

Nested groups::
Redpanda does not recursively resolve nested group hierarchies. If group A contains group B, only the direct memberships reported in the token are used. Use `nested_group_behavior: suffix` to extract the last path segment from hierarchical group names when needed.
Copy link
Member

@nguyen-andrew nguyen-andrew Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a link to Customize token claim extraction#nested_group_behavior or the nested_group_behavior section in the cluster properties reference could be helpful here too, if possible.

treevon
treevon approved these changes Mar 3, 2026
View reviewed changes
Copy link
Contributor

@treevon treevon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. The token extraction section is really nice with clear examples

modules/manage/partials/gbac-dp.adoc Outdated
== Prerequisites

* xref:manage:security/authentication.adoc#oidc[OIDC authentication] must be configured and enabled on your cluster.
* Superuser access to configure cluster properties and manage ACLs.
Copy link
Contributor

@treevon treevon Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit - this is a prerequisite to enable OIDC, so should appear first

modules/manage/partials/gbac-dp.adoc Outdated
--resource-pattern-type prefixed
----

If your groups use path-style names (with xref:reference:properties/cluster-properties.adoc#nested_group_behavior[`nested_group_behavior`] set to `none`), use the full path as the principal name:
Copy link
Contributor

@treevon treevon Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should move this to the section on claim extraction

nguyen-andrew
nguyen-andrew approved these changes Mar 9, 2026
View reviewed changes
Copy link
Member

@nguyen-andrew nguyen-andrew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kbatuigas kbatuigas kbatuigas left review comments

@nguyen-andrew nguyen-andrew nguyen-andrew approved these changes

+1 more reviewer

@treevon treevon treevon approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@paulohtb6 @kbatuigas @nguyen-andrew @treevon