From 46c2af34148a3cbc54822b339fa6e1525958ca24 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 30 Apr 2026 17:07:54 -0600 Subject: [PATCH 1/6] DOC-2123: Update Console ACL UI references for new atomic-ACL design Refresh single-sourced ACL/RBAC content and self-managed Console references ahead of Console's new Security page (atomic 1-row=1-ACL model, role-inherited ACLs shown inline, regex filter on lists). - acl.adoc: add [[manage-acls]] and [[create-first-acl]] anchors so Console empty-state CTAs can deep-link; rewrite the manage-via-UI bullet to describe the new atomic ACL form; add a regex filter tip. - rbac-list-role/rbac-describe-role partials: explain that the filter input accepts a regex, with an example. - quick-start.adoc: replace the stale "Access control page" wording with "Security > Roles". - console/pages/index.adoc: rewrite the "Visual ACL management" bullet to mention atomic ACL editing and inline role-inherited permissions; add a separate RBAC bullet. - deploy-kafka-connect.adoc: "Security tab" -> "Security > Users". Inline // TODO DOC-2123 comments mark spots that need final confirmation from Jan/Martin once the new Security page ships. Co-Authored-By: Claude Opus 4.7 (1M context) --- modules/console/pages/index.adoc | 3 ++- .../deploy/pages/kafka-connect/deploy-kafka-connect.adoc | 2 +- modules/get-started/pages/quick-start.adoc | 3 ++- modules/manage/pages/security/authorization/acl.adoc | 6 +++++- modules/manage/partials/rbac-describe-role.adoc | 2 +- modules/manage/partials/rbac-list-role.adoc | 2 +- 6 files changed, 12 insertions(+), 6 deletions(-) diff --git a/modules/console/pages/index.adoc b/modules/console/pages/index.adoc index d6dd75943c..e64a7ed4bd 100644 --- a/modules/console/pages/index.adoc +++ b/modules/console/pages/index.adoc 
@@ -34,7 +34,8 @@ image::topic.png[] Manage Redpanda users and control who has access to Redpanda Console: -* *Visual ACL management*: Create, view, and manage ACLs, ensuring that your data is secure and access is properly controlled. +* *Visual ACL management*: Create, view, and edit individual ACLs, with role-inherited permissions shown inline so you can see exactly what each principal is authorized to do. +* *Role-based access control*: Group permissions into roles and assign roles to users or OIDC groups; manage role membership from a dedicated role page. * *Rotate credentials*: Update user and service account passwords to maintain security without downtime. * *Identity provider integration*: For enterprise users, Redpanda Console integrates with identity providers (IdPs) for single sign-on (SSO), making user management straightforward and secure. diff --git a/modules/deploy/pages/kafka-connect/deploy-kafka-connect.adoc b/modules/deploy/pages/kafka-connect/deploy-kafka-connect.adoc index ea2fcfe3ad..9fbc39cfd4 100644 --- a/modules/deploy/pages/kafka-connect/deploy-kafka-connect.adoc +++ b/modules/deploy/pages/kafka-connect/deploy-kafka-connect.adoc @@ -292,7 +292,7 @@ curl localhost:8083/ To connect to a Redpanda Cloud cluster with Docker Compose: -. Use `rpk` or Redpanda Console (*Security* tab) to create a Redpanda user. +. Use `rpk` or Redpanda Console (*Security* > *Users*) to create a Redpanda user. . Create ACLs for the user. . Set the username in the `CONNECT_SASL_USERNAME` property. . Create a file containing the user password (for example, in the path `passwords/redpanda-password/password`). Specify this path in the `CONNECT_SASL_PASSWORD_FILE` property. diff --git a/modules/get-started/pages/quick-start.adoc b/modules/get-started/pages/quick-start.adoc index 5173dcd955..2115c22b27 100644 --- a/modules/get-started/pages/quick-start.adoc +++ b/modules/get-started/pages/quick-start.adoc 
@@ -286,7 +286,8 @@ image::console:user.png[] Click *Done*, and you see a new user called Sasha. This user has no permissions yet. To set permissions on the `transactions` topic: -. On the Access control page, open to the *Roles* tab. +// TODO DOC-2123: verify Roles form labels (resource selector, Operations control, Principals selector) against the shipped Console v3 Security page once Jan's PR lands. +. From *Security* in the left navigation menu, go to *Roles*. . Click *Create role*. . Enter "transaction-managers" as the role name. . In the topic selector dropdown, select *Literal* and enter "transactions" in the input field. diff --git a/modules/manage/pages/security/authorization/acl.adoc b/modules/manage/pages/security/authorization/acl.adoc index 118147afcd..664da8bbf3 100644 --- a/modules/manage/pages/security/authorization/acl.adoc +++ b/modules/manage/pages/security/authorization/acl.adoc 
@@ -32,11 +32,15 @@ ACLs control access by defining: ACLs work with SASL/SCRAM and mTLS authentication methods to provide comprehensive security. +[[manage-acls]] == Manage ACLs You can create and manage ACLs in the following ways: -* *{ui}*: Select *Security* from the left navigation menu, select the *ACLs* tab. After the ACL is created, you can add users or roles to it. +[[create-first-acl]] +* *{ui}*: From *Security* in the left navigation menu, go to *ACLs* and click *Create ACL*. Each ACL is a single rule with one principal (user, role, or group), one operation (or `All`), one resource pattern, and one host. Use the filter at the top of the list to narrow ACLs by name. The filter accepts a regular expression, for example `^prod-` matches every resource starting with `prod-`. ++ +// TODO DOC-2123: confirm exact path/label for the ACLs list once Jan ships the new Security page; expected route is `/security/acls`. * *Command Line*: Use the `rpk` command-line tool for programmatic management. + For example, suppose you want to create a user named `analytics-user` who can read from topics starting with `logs-` and write to a topic called `processed-data`: diff --git a/modules/manage/partials/rbac-describe-role.adoc b/modules/manage/partials/rbac-describe-role.adoc index ba6e1e1a69..e60a527168 100644 --- a/modules/manage/partials/rbac-describe-role.adoc +++ b/modules/manage/partials/rbac-describe-role.adoc @@ -4,4 +4,4 @@ To view details of an existing role: 2. Find the role you want to view and click the role name. -All roles are listed in a paginated view. You can also filter the view using the input field at the top of the list. \ No newline at end of file +All roles are listed in a paginated view. The filter input at the top of the list accepts a regular expression, for example `^data-` matches every role name starting with `data-`. \ No newline at end of file 
diff --git a/modules/manage/partials/rbac-list-role.adoc b/modules/manage/partials/rbac-list-role.adoc index 7d00a9e27c..15b36bdb0b 100644 --- a/modules/manage/partials/rbac-list-role.adoc +++ b/modules/manage/partials/rbac-list-role.adoc @@ -2,4 +2,4 @@ To view all existing roles: . From *Security* on the left navigation menu, select the *Roles* tab. + -All roles are listed in a paginated view. You can also filter the view using the input field at the top of the list. \ No newline at end of file +All roles are listed in a paginated view. The filter input at the top of the list accepts a regular expression, for example `^data-` matches every role name starting with `data-`. \ No newline at end of file From 440b6c7b5f4733dbe9a7d7169b63895e23beae43 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 30 Apr 2026 17:37:10 -0600 Subject: [PATCH 2/6] =?UTF-8?q?DOC-2123:=20Fix=20Security=20page=20model?= =?UTF-8?q?=20=E2=80=94=20ACLs=20are=20per-principal,=20not=20standalone?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previous commit assumed a standalone /security/acls list page based on URL extrapolation; the shipped Console build (per Jan's recorded demo) has only Users / Roles / Permissions tabs. ACLs are managed from a principal's detail page. Rewrite the manage-via-UI bullet in acl.adoc to: - describe the per-principal flow (open a user or role, find the ACLs section on the detail page, one row per rule) - name the three actual actions: + Add ACL, Allow all operations, Delete selected (bulk) - drop the wrong "Security > ACLs, Create ACL" path - drop the regex filter tip (filtering happens on the Users/Roles list, not on a standalone ACLs view) The [[create-first-acl]] anchor stays so Console can still deep-link. Co-Authored-By: Claude Opus 4.7 (1M context) --- modules/manage/pages/security/authorization/acl.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/modules/manage/pages/security/authorization/acl.adoc b/modules/manage/pages/security/authorization/acl.adoc index 664da8bbf3..a8f7b2e2e5 100644 --- a/modules/manage/pages/security/authorization/acl.adoc +++ b/modules/manage/pages/security/authorization/acl.adoc @@ -38,9 +38,11 @@ ACLs work with SASL/SCRAM and mTLS authentication methods to provide comprehensi You can create and manage ACLs in the following ways: [[create-first-acl]] -* *{ui}*: From *Security* in the left navigation menu, go to *ACLs* and click *Create ACL*. Each ACL is a single rule with one principal (user, role, or group), one operation (or `All`), one resource pattern, and one host. Use the filter at the top of the list to narrow ACLs by name. The filter accepts a regular expression, for example `^prod-` matches every resource starting with `prod-`. +* *{ui}*: ACLs are managed per principal. From *Security* in the left navigation menu, go to *Users* or *Roles* and open the principal you want to grant access to. On the principal's detail page, the *ACLs* section lists every rule that applies to that principal — one row per ACL, with columns for type, resource, operation, permission, and host. From here you can: + -// TODO DOC-2123: confirm exact path/label for the ACLs list once Jan ships the new Security page; expected route is `/security/acls`. +** Click *+ Add ACL* to define one rule (resource type, pattern type, resource name, operation, permission, host). +** Click *Allow all operations* to grant the principal full access across all resource types in a single step — useful for testing, but too broad for production. +** Select one or more rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. * *Command Line*: Use the `rpk` command-line tool for programmatic management. + For example, suppose you want to create a user named `analytics-user` who can read from topics starting with `logs-` and write to a topic called `processed-data`: 
From 34b3e82e6941e2121b5971a00c0fe8b296ad7e71 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 30 Apr 2026 17:40:28 -0600 Subject: [PATCH 3/6] DOC-2123: Add Permissions tab + split role-creation flow The Security page has three tabs: Users / Roles / Permissions. Two of the things I had wrong: 1. ACL creation is also reachable from the Permissions tab, which is the cluster-wide unified view at /security/permissions-list. Expanding a principal's row shows direct ACLs followed by sections labeled "VIA ROLE: " for each role they inherit from. Deny rules are highlighted in red. 2. Role creation is no longer a single bundled form. The Create role modal asks only for the name; after submit, the role's detail page opens with empty ACLs and Principals sections that you populate afterwards (same + Add ACL / Allow all operations / Add a principal pattern as the user detail page). Update acl.adoc and rbac-create-role.adoc accordingly. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../manage/pages/security/authorization/acl.adoc | 9 +++++++-- modules/manage/partials/rbac-create-role.adoc | 14 +++++++------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/modules/manage/pages/security/authorization/acl.adoc b/modules/manage/pages/security/authorization/acl.adoc index a8f7b2e2e5..e92e9022d0 100644 --- a/modules/manage/pages/security/authorization/acl.adoc +++ b/modules/manage/pages/security/authorization/acl.adoc 
@@ -38,10 +38,15 @@ ACLs work with SASL/SCRAM and mTLS authentication methods to provide comprehensi You can create and manage ACLs in the following ways: [[create-first-acl]] -* *{ui}*: ACLs are managed per principal. From *Security* in the left navigation menu, go to *Users* or *Roles* and open the principal you want to grant access to. On the principal's detail page, the *ACLs* section lists every rule that applies to that principal — one row per ACL, with columns for type, resource, operation, permission, and host. From here you can: +* *{ui}*: From *Security* in the left navigation menu, you can reach ACLs two ways: ++ +** *Permissions* tab — a unified, cluster-wide view of every principal with at least one ACL, showing direct ACL counts and ACLs inherited from roles. A red badge marks any principal that has Deny rules. Expand a row to see every ACL applied to that principal: direct rules first, then groups labeled *VIA ROLE: * listing the ACLs inherited from each role. Search across principals, resources, and roles, or click *Create ACL* to add a rule from scratch. +** *Users* or *Roles* tab — open the principal you want to manage, and use the *ACLs* section on its detail page. ++ +On a principal's detail page, the *ACLs* section lists one row per rule (type, resource, operation, permission, host) and offers three actions: + ** Click *+ Add ACL* to define one rule (resource type, pattern type, resource name, operation, permission, host). -** Click *Allow all operations* to grant the principal full access across all resource types in a single step — useful for testing, but too broad for production. +** Click *Allow all operations* to grant full wildcard access across all resource types in a single step — useful for testing, but too broad for production. ** Select one or more rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. * *Command Line*: Use the `rpk` command-line tool for programmatic management. + 
diff --git a/modules/manage/partials/rbac-create-role.adoc b/modules/manage/partials/rbac-create-role.adoc index 483cd89225..0ffe5d1917 100644 --- a/modules/manage/partials/rbac-create-role.adoc +++ b/modules/manage/partials/rbac-create-role.adoc @@ -2,13 +2,13 @@ To create a new role: . From *Security* on the left navigation menu, select the *Roles* tab. -. Click *Create role*. - -. Provide a name for the role and an optional origin host for users to connect from. - -. Define the permissions (ACLs) for the role. You can create ACLs for clusters, topics, consumer groups, transactional IDs, Schema Registry subjects, and Schema Registry operations. +. Click *Create role*, provide a name for the role, and click *Create*. ++ +The role's detail page opens with empty *ACLs* and *Principals* sections. +. Under *ACLs*, define the role's permissions: + -TIP: You can assign more than one user/principal to the role when creating it. +** Click *+ Add ACL* to define a single rule (resource type, pattern type, resource name, operation, permission, host). Repeat for each permission the role needs. +** Or click *Allow all operations* to grant the role full wildcard access across all resource types in a single step. Use this for quick testing only. -. Click *Create*. \ No newline at end of file +. Under *Principals*, use the *Add a principal* search to assign one or more users (or `Group:` entries for OIDC groups) to the role. \ No newline at end of file From 215eb1641b55e30fbf11cca3a902b2845a6b5f78 Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Thu, 30 Apr 2026 17:42:39 -0600 Subject: [PATCH 4/6] DOC-2123: Drop Edit/Update modal pattern from RBAC and GBAC partials The new Security page has no Edit / Update flow. On a user's or role's detail page, you interact with sections directly: - Roles section uses an "Assign a role..." autocomplete to add and a trash icon per row to remove. Same pattern on the role detail page for Principals ("Add a principal..."). - ACLs section uses + Add ACL / Allow all operations / Delete selected (bulk via row checkboxes). Changes apply immediately. Update the rbac-edit-role, rbac-assign-role, rbac-unassign-role, rbac-delete-role, gbac-assign-group-role, and gbac-create-group-acl partials to match. Also update the quick-start to walk the unbundled "create role, then add ACL on detail page, then assign principal" flow. Co-Authored-By: Claude Opus 4.7 (1M context) --- modules/get-started/pages/quick-start.adoc | 19 +++++++++++------- .../partials/gbac-assign-group-role.adoc | 16 ++++----------- .../partials/gbac-create-group-acl.adoc | 8 +++----- modules/manage/partials/rbac-assign-role.adoc | 18 +++++++---------- modules/manage/partials/rbac-delete-role.adoc | 6 +++--- modules/manage/partials/rbac-edit-role.adoc | 12 ++++++----- .../manage/partials/rbac-unassign-role.adoc | 20 +++++++------------ 7 files changed, 43 insertions(+), 56 deletions(-) diff --git a/modules/get-started/pages/quick-start.adoc b/modules/get-started/pages/quick-start.adoc index 2115c22b27..205c8762f7 100644 --- a/modules/get-started/pages/quick-start.adoc +++ b/modules/get-started/pages/quick-start.adoc 
@@ -286,14 +286,19 @@ image::console:user.png[] Click *Done*, and you see a new user called Sasha. This user has no permissions yet. To set permissions on the `transactions` topic: -// TODO DOC-2123: verify Roles form labels (resource selector, Operations control, Principals selector) against the shipped Console v3 Security page once Jan's PR lands. . From *Security* in the left navigation menu, go to *Roles*. -. Click *Create role*. -. Enter "transaction-managers" as the role name. -. In the topic selector dropdown, select *Literal* and enter "transactions" in the input field. -. Under *Operations*, click the *All* dropdown and select *Allow*. -. Scroll down to the bottom of the page and under *Principals* select *Sasha* from the dropdown. -. Click *Create*. +. Click *Create role*, enter "transaction-managers" as the role name, and click *Create*. The role's detail page opens with empty *ACLs* and *Principals* sections. +. Under *ACLs*, click *+ Add ACL* and define a rule: ++ +- *Resource Type*: Topic +- *Pattern Type*: Literal +- *Resource Name*: `transactions` +- *Operation*: All +- *Permission*: Allow +- *Host*: `*` ++ +Then click *Add ACL*. +. Under *Principals*, in the *Add a principal* search, select *Sasha*. The assignment takes effect immediately. Now Sasha has full access only to the topic called transactions. diff --git a/modules/manage/partials/gbac-assign-group-role.adoc b/modules/manage/partials/gbac-assign-group-role.adoc index 74ed8e1895..eb6d4ff74a 100644 --- a/modules/manage/partials/gbac-assign-group-role.adoc +++ b/modules/manage/partials/gbac-assign-group-role.adoc 
@@ -2,22 +2,14 @@ To assign a group to a role in {ui}: . From *Security* on the left navigation menu, select the *Roles* tab. -. Select the role you want to assign the group to. +. Click the role you want to assign the group to. -. Click *Edit*. - -. For *User/principal*, enter the group name using the `Group:` format. For example, `Group:engineering`. - -. Click *Update*. +. Under *Principals*, use the *Add a principal* search to add an entry in the `Group:` format. For example, `Group:engineering`. The assignment takes effect immediately. To remove a group from a role: . From *Security* on the left navigation menu, select the *Roles* tab. -. Select the role that has the group assignment you want to remove. - -. Click *Edit*. - -. For *User/principal*, remove the `Group:` entry. +. Click the role that has the group assignment you want to remove. -. Click *Update*. +. Under *Principals*, click the trash icon next to the `Group:` entry. The removal takes effect immediately. diff --git a/modules/manage/partials/gbac-create-group-acl.adoc b/modules/manage/partials/gbac-create-group-acl.adoc index 17576009f8..6101012738 100644 --- a/modules/manage/partials/gbac-create-group-acl.adoc +++ b/modules/manage/partials/gbac-create-group-acl.adoc 
@@ -2,12 +2,10 @@ In {ui}, group-based ACLs are managed through roles. To create an ACL for an OID . From *Security* on the left navigation menu, select the *Roles* tab. -. Click *Create role* to open the role creation form, or select an existing role and click *Edit*. +. Either click *Create role* (provide a name, click *Create*) or click an existing role to open its detail page. -. For *User/principal*, enter the group principal using the `Group:` format. For example, `Group:engineering`. +. Under *Principals*, use the *Add a principal* search to add the group principal in the `Group:` format. For example, `Group:engineering`. -. Define the permissions (ACLs) you want to grant to users in the group. You can configure ACLs for clusters, topics, consumer groups, transactional IDs, Schema Registry subjects, and Schema Registry operations. - -. Click *Create* (or *Update* if editing an existing role). +. Under *ACLs*, click *+ Add ACL* to add each rule the group needs (resource type, pattern type, resource name, operation, permission, host), or click *Allow all operations* for full wildcard access. NOTE: {ui} assigns ACLs through roles. To grant permissions to a group, create a role for that group, add the group as a principal, and define the ACLs on the role. To create ACLs with a `Group:` principal directly (without creating a role), use `rpk`. diff --git a/modules/manage/partials/rbac-assign-role.adoc b/modules/manage/partials/rbac-assign-role.adoc index 97c415c622..2aaf11777b 100644 --- a/modules/manage/partials/rbac-assign-role.adoc +++ b/modules/manage/partials/rbac-assign-role.adoc 
@@ -1,21 +1,17 @@ -To assign a role to a principal, edit the role or edit the user. +You can assign a role from either side: open the role and add a principal, or open the user and assign the role. -Option 1: Edit the role +Option 1: From the role's detail page . From *Security* on the left navigation menu, select the *Roles* tab. -. Select the role you want to assign to one or more users/principals. +. Click the role you want to assign. -. Click *Edit*. +. Under *Principals*, use the *Add a principal* search to select one or more users (or `Group:` entries for OIDC groups). Each selection takes effect immediately. -. Below the list of permissions, find the Principals section. You can add any number of users/principals to the role. After listing all new users/principals, click *Update*. - -Option 2: Edit the user +Option 2: From the user's detail page . From *Security* on the left navigation menu, select the *Users* tab. -. Select the user you want to assign one or more roles to. - -. In the *Assign roles* input field, select the roles you want to add to this user. +. Click the user you want to assign roles to. -. After adding all roles, click *Update*. \ No newline at end of file +. Under *Roles*, use the *Assign a role* search to select one or more roles. Each selection takes effect immediately. \ No newline at end of file diff --git a/modules/manage/partials/rbac-delete-role.adoc b/modules/manage/partials/rbac-delete-role.adoc index ecb9f8fbf6..bcd7792c94 100644 --- a/modules/manage/partials/rbac-delete-role.adoc +++ b/modules/manage/partials/rbac-delete-role.adoc 
@@ -2,8 +2,8 @@ To delete an existing role: . From *Security* on the left navigation menu, select the *Roles* tab. -. Click the role you want to delete. This shows all currently assigned permissions (ACLs) and principals (users). +. Click the role you want to delete. The detail page shows all currently assigned ACLs and principals. -. Click *Delete*. +. Click *Delete role*, then confirm the deletion. -. Click *Delete*. \ No newline at end of file +// TODO DOC-2123: confirm exact button label ("Delete role" vs "Delete") on the role detail page once the new UI ships. \ No newline at end of file diff --git a/modules/manage/partials/rbac-edit-role.adoc b/modules/manage/partials/rbac-edit-role.adoc index 5102715af9..c84da72e6f 100644 --- a/modules/manage/partials/rbac-edit-role.adoc +++ b/modules/manage/partials/rbac-edit-role.adoc @@ -2,10 +2,12 @@ To edit the ACLs for an existing role: . From *Security* on the left navigation menu, select the *Roles* tab. -. Select the role you want to edit and click *Edit*. +. Click the role you want to edit. The role's detail page opens with the role's ACLs and assigned principals. -. While editing the role, you can update the optional origin host for users to connect from. +. Under *ACLs*, you can: ++ +** Click *+ Add ACL* to add a new rule (resource type, pattern type, resource name, operation, permission, host). +** Click *Allow all operations* to grant the role full wildcard access across all resource types. +** Select one or more rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. -. You can add or remove ACLs for the role. As when creating a new role, you can create or modify ACLs for topics, consumer groups, transactional IDs, Schema Registry subjects, and Schema Registry operations. - -. After making all changes, click *Update*. \ No newline at end of file +Changes apply immediately — there is no separate save step. \ No newline at end of file 
diff --git a/modules/manage/partials/rbac-unassign-role.adoc b/modules/manage/partials/rbac-unassign-role.adoc index 9984082965..168372794c 100644 --- a/modules/manage/partials/rbac-unassign-role.adoc +++ b/modules/manage/partials/rbac-unassign-role.adoc @@ -1,23 +1,17 @@ -There are two ways to remove a role from a principal: +You can remove a role assignment from either side: -Option 1: Edit the role +Option 1: From the role's detail page . From *Security* on the left navigation menu, select the *Roles* tab. -. Select the role you want to remove from one or more principals. +. Click the role you want to modify. -. Click *Edit*. +. Under *Principals*, click the trash icon next to each principal you want to remove. Each removal takes effect immediately. -. Below the list of permissions, find the Principals section. Click *x* beside the name of any principals you want to remove from the role. - -. After you have removed all needed principals, click *Update*. - -Option 2: Edit the user +Option 2: From the user's detail page . From *Security* on the left navigation menu, select the *Users* tab. -. Select the user you want to remove from one or more roles. - -. Click *x* beside the name of any roles you want to remove this user from. +. Click the user you want to modify. -. After you have removed the user from all roles, click *Update*. \ No newline at end of file +. Under *Roles*, click the trash icon next to each role you want to revoke. Each removal takes effect immediately. \ No newline at end of file From 39663740f8318fa7eef546e98163a9bd161b35a3 Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Thu, 30 Apr 2026 17:59:46 -0600 Subject: [PATCH 5/6] TEMP DOC-2123: point cloud-docs source at sibling PR branch Preview-only playbook change so the docs Netlify preview renders content from cloud-docs PR #568 instead of cloud-docs main. This lets reviewers see the ADP Cloud-only pages in their final form before either PR merges. REVERT (set cloud-docs branches back to `main`) before merge. Co-Authored-By: Claude Opus 4.7 (1M context) --- local-antora-playbook.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/local-antora-playbook.yml b/local-antora-playbook.yml index fe2fe8c63b..1dec7cecd6 100644 --- a/local-antora-playbook.yml +++ b/local-antora-playbook.yml @@ -17,8 +17,10 @@ content: branches: HEAD - url: https://github.com/redpanda-data/docs branches: [v/*, shared, site-search,'!v-end-of-life/*'] + # TEMP DOC-2123: point at sibling PR branch so the docs preview renders + # the cloud-docs PR (#568) content. REVERT to `branches: main` before merge. - url: https://github.com/redpanda-data/cloud-docs - branches: main + branches: DOC-2123-console-acl-ui-refresh - url: https://github.com/redpanda-data/redpanda-labs branches: main start_paths: [docs,'*/docs'] From 728cc7d000c03cf5c5fd1cb3c498baf5b2d74d57 Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Thu, 30 Apr 2026 18:06:07 -0600 Subject: [PATCH 6/6] =?UTF-8?q?DOC-2123:=20Style=20cleanup=20=E2=80=94=20d?= =?UTF-8?q?rop=20em=20dashes,=20tighten=20phrasing?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per Redpanda style guide, em dashes should be replaced with colons, parentheses, or sentence breaks. Also align the "Allow all operations caveat" wording across acl.adoc, rbac-create-role, and the cloud-docs What's New entry so reviewers see one consistent phrasing. - acl.adoc: replace 3 em dashes with colons / split sentences. - rbac-edit-role.adoc: split em-dashed sentence into two. - rbac-create-role.adoc: drop sentence-leading "Or", replace short caveat with the standard "Use this for testing only; it is too broad for production." phrasing. Co-Authored-By: Claude Opus 4.7 (1M context) --- modules/manage/pages/security/authorization/acl.adoc | 6 +++--- modules/manage/partials/rbac-create-role.adoc | 2 +- modules/manage/partials/rbac-edit-role.adoc | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/manage/pages/security/authorization/acl.adoc b/modules/manage/pages/security/authorization/acl.adoc index e92e9022d0..68a79182f9 100644 --- a/modules/manage/pages/security/authorization/acl.adoc +++ b/modules/manage/pages/security/authorization/acl.adoc 
@@ -40,13 +40,13 @@ You can create and manage ACLs in the following ways: [[create-first-acl]] * *{ui}*: From *Security* in the left navigation menu, you can reach ACLs two ways: + -** *Permissions* tab — a unified, cluster-wide view of every principal with at least one ACL, showing direct ACL counts and ACLs inherited from roles. A red badge marks any principal that has Deny rules. Expand a row to see every ACL applied to that principal: direct rules first, then groups labeled *VIA ROLE: * listing the ACLs inherited from each role. Search across principals, resources, and roles, or click *Create ACL* to add a rule from scratch. -** *Users* or *Roles* tab — open the principal you want to manage, and use the *ACLs* section on its detail page. +** *Permissions* tab: a unified, cluster-wide view of every principal with at least one ACL, showing direct ACL counts and ACLs inherited from roles. A red badge marks any principal that has Deny rules. Expand a row to see every ACL applied to that principal: direct rules first, then groups labeled *VIA ROLE: * listing the ACLs inherited from each role. Search across principals, resources, and roles, or click *Create ACL* to add a rule from scratch. +** *Users* or *Roles* tab: open the principal you want to manage, and use the *ACLs* section on its detail page. + On a principal's detail page, the *ACLs* section lists one row per rule (type, resource, operation, permission, host) and offers three actions: + ** Click *+ Add ACL* to define one rule (resource type, pattern type, resource name, operation, permission, host). -** Click *Allow all operations* to grant full wildcard access across all resource types in a single step — useful for testing, but too broad for production. +** Click *Allow all operations* to grant full wildcard access across all resource types in a single step. Use this for testing only; it is too broad for production. 
** Select one or more rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. * *Command Line*: Use the `rpk` command-line tool for programmatic management. + diff --git a/modules/manage/partials/rbac-create-role.adoc b/modules/manage/partials/rbac-create-role.adoc index 0ffe5d1917..d902780c64 100644 --- a/modules/manage/partials/rbac-create-role.adoc +++ b/modules/manage/partials/rbac-create-role.adoc @@ -9,6 +9,6 @@ The role's detail page opens with empty *ACLs* and *Principals* sections. . Under *ACLs*, define the role's permissions: + ** Click *+ Add ACL* to define a single rule (resource type, pattern type, resource name, operation, permission, host). Repeat for each permission the role needs. -** Or click *Allow all operations* to grant the role full wildcard access across all resource types in a single step. Use this for quick testing only. +** Click *Allow all operations* to grant the role full wildcard access across all resource types in a single step. Use this for testing only; it is too broad for production. . Under *Principals*, use the *Add a principal* search to assign one or more users (or `Group:` entries for OIDC groups) to the role. \ No newline at end of file diff --git a/modules/manage/partials/rbac-edit-role.adoc b/modules/manage/partials/rbac-edit-role.adoc index c84da72e6f..ccd0bf0485 100644 --- a/modules/manage/partials/rbac-edit-role.adoc +++ b/modules/manage/partials/rbac-edit-role.adoc @@ -10,4 +10,4 @@ To edit the ACLs for an existing role: ** Click *Allow all operations* to grant the role full wildcard access across all resource types. ** Select one or more rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. -Changes apply immediately — there is no separate save step. \ No newline at end of file +Changes apply immediately. There is no separate save step. \ No newline at end of file
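Review bot: In [PATCH 1/6], rbac-describe-role.adoc (and the identical line in rbac-list-role.adoc), the new filter sentence is a comma splice and leaves the match semantics open: "accepts a regular expression, for example `^data-` matches every role name starting with `data-`". Split it ("... accepts a regular expression. For example, `^data-` matches ...") and state whether matching is case-sensitive and whether an unanchored pattern matches anywhere in the role name, since readers will rely on this filter when checking which roles exist.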
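Review bot: In [PATCH 3/6], acl.adoc, the sentence "the *ACLs* section lists one row per rule" does not say whether a user's detail page shows only that user's direct ACLs or also the rules inherited through roles, which the *Permissions* bullet just above it describes as separate *VIA ROLE* groups. Say which it is, and whether *Delete selected* can act on inherited rows, so that someone auditing a principal knows which view is complete. Also check the rendered nesting: the `+` continuation placed directly after the `** *Users* or *Roles* tab` item attaches the "On a principal's detail page" paragraph to that nested bullet rather than to the `{ui}` bullet.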
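Review bot: In [PATCH 4/6], quick-start.adoc, the ACL step tells the reader to click *+ Add ACL* and then, after the field list, "Then click *Add ACL*", without saying whether these are two different controls. If the second one is the confirm button of the form opened by the first, say so in the step. The TODO removed by this hunk asked for the form labels to be verified against the shipped Console, so confirm that the six labels introduced here (*Resource Type* through *Host*) were checked before dropping it.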
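Review bot: In [PATCH 4/6], gbac-create-group-acl.adoc, the last step offers "click *Allow all operations* for full wildcard access" with no caveat, and here the principal is an OIDC group, so the grant reaches every member of the group and, when an existing role is opened, every principal already on that role. Add the caveat that acl.adoc carries for the same button. Consider also putting the *ACLs* step before the *Principals* step, as rbac-create-role.adoc does, so the group is attached only after the rules have been defined; the series states elsewhere that changes apply immediately.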
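Review bot: In [PATCH 4/6], rbac-delete-role.adoc, the step commits to the button label *Delete role* while the TODO added just below it says the label ("Delete role" vs "Delete") is still unconfirmed, and patches 5/6 and 6/6 do not touch this file again. Confirm the label against the shipped UI and remove the TODO before merge, so the published step does not name a button that may not exist.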
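Review bot: In [PATCH 5/6], local-antora-playbook.yml, the switch to `branches: DOC-2123-console-acl-ui-refresh` is guarded only by a comment asking for a manual revert, and [PATCH 6/6] follows it without restoring `branches: main`. If the series merges as it stands, any build that uses this playbook pulls cloud-docs content from an unmerged feature branch. Keep this commit on a preview-only branch, or add the revert as the final commit of the series and block merge until it is present.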
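Review bot: In [PATCH 6/6], rbac-edit-role.adoc, the unchanged context line "Click *Allow all operations* to grant the role full wildcard access across all resource types." still carries no caveat, although this commit standardizes "Use this for testing only; it is too broad for production." in acl.adoc and rbac-create-role.adoc. Append the same sentence here. On an existing role the wildcard grant reaches every principal already assigned, and the line changed by this hunk states that changes apply immediately.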