diff --git a/local-antora-playbook.yml b/local-antora-playbook.yml index d8d478c82..5c0be61db 100644 --- a/local-antora-playbook.yml +++ b/local-antora-playbook.yml @@ -14,8 +14,10 @@ content: sources: - url: . branches: HEAD + # TEMP DOC-2123: point at sibling PR branch so this preview renders + # the docs PR (#1689) single-source content. REVERT `main` before merge. - url: https://github.com/redpanda-data/documentation - branches: [main, v/*, shared, site-search] + branches: [DOC-2123-console-acl-ui-refresh, v/*, shared, site-search] - url: https://github.com/redpanda-data/docs-site branches: [main] start_paths: [home] diff --git a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc index ea51925fb..821430f0f 100644 --- a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc +++ b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc @@ -48,9 +48,9 @@ rpk cloud login export REDPANDA_BROKERS="" ``` -. Go to the **Security** page, and create a user called **redpanda-chat-account** that uses the SCRAM-SHA-256 mechanism. +. Go to **Security** > **Users**, click **Create user**, and create a user called **redpanda-chat-account** that uses the SCRAM-SHA-256 mechanism. -. Copy the password, and set the following environment variables on your local machine: +. In the *User created successfully* dialog, copy the password and set the following environment variables on your local machine: + ```bash export REDPANDA_SASL_USERNAME="redpanda-chat-account" 
@@ -58,13 +58,18 @@ export REDPANDA_SASL_PASSWORD="" export REDPANDA_SASL_MECHANISM="SCRAM-SHA-256" ``` -. Click the name of your user, and add the following permissions to the ACL (access control list): +. Click **Go to user details**. + +. Under *ACLs*, click *+ Add ACL*, and define the following rule to grant the user full access to the `chat-room` topic: + -- **Host**: * -- **Topic name**: `chat-room` -- **Operations**: All -+ -. Click **Create**. +- **Resource Type**: Topic +- **Pattern Type**: Literal +- **Resource Name**: `chat-room` +- **Operation**: All +- **Permission**: Allow +- **Host**: `*` ++ +. Click **Add ACL**. . Use `rpk` on your local machine to authenticate to Redpanda as the **redpanda-chat-account** user and get information about the cluster: + diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index 2ecf27d27..fe853d43a 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc @@ -70,7 +70,7 @@ NOTE: After private access is disabled, attempts to reach the private endpoints . Click **Create cluster**. -. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members and grant them access with ACLs on the *Security* page. +. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members on the *Security* > *Users* page, then click into a user to assign roles or add ACLs from their detail page. == Interact with your cluster diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index b88417ee0..95c72d1b9 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -6,6 +6,23 @@ This page lists new features added to Redpanda Cloud. +== May 2026 + +=== Redpanda Console: redesigned Security page + +Redpanda Console has a redesigned Security page with three tabs (*Users*, *Roles*, and *Permissions*). Each user and role has a detail page for managing its permissions. + +* The *Users* tab lists each user with their assigned roles and a count of their ACLs. Filter the list by name using regular expressions; for example, `^prod-` matches every user starting with `prod-`. +* Open a user or role to manage permissions on its detail page. The *ACLs* section shows one row per rule (type, resource, operation, permission, host) and supports three actions: +** *+ Add ACL* opens a focused form for one rule (resource type, pattern type, resource name, operation, permission, host). +** *Allow all operations* grants full wildcard access across all resource types in a single step. Use this for testing only; it is too broad for production. +** Select rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. +* The *Permissions* tab is a unified, cluster-wide view of every principal with ACLs. Each row shows direct ACL counts and ACLs inherited from roles, with a red badge highlighting any principal that has Deny rules. Expand a row to see all of that principal's ACLs in one table: direct rules first, then sections labeled *VIA ROLE: * for each role they inherit from. Search across principals, resources, and roles, or click *Create ACL* to add a rule from scratch. + +// TODO DOC-2123: confirm with Jan/Martin whether to call out the per-ACL edit improvement (no permission gap during edits) as a customer-facing benefit. + +See xref:security:authorization/acl.adoc[] for the full ACL reference and xref:security:authorization/rbac/rbac_dp.adoc[] for role management. + == April 2026 === Iceberg: Configurable table namespace 
diff --git a/modules/security/pages/cloud-authentication.adoc b/modules/security/pages/cloud-authentication.adoc index 7282fe353..d2bfd41bd 100644 --- a/modules/security/pages/cloud-authentication.adoc +++ b/modules/security/pages/cloud-authentication.adoc @@ -125,14 +125,14 @@ BYOC and Dedicated clusters support unified authentication and authorization bet To enable account impersonation: . Go to the *Dataplane settings* page and select the option to enable account impersonation. -. Configure permissions for your users on the cluster *Security* page using ACLs or RBAC roles. +. Configure permissions for your users on the cluster *Security* page: open a user under *Users* (or a role under *Roles*) and add ACLs or assign roles from the detail page. [IMPORTANT] ==== After enabling account impersonation: * *Admin users* continue to have full access as before -* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page +* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or roles on the *Security* page Plan to configure user permissions before or immediately after enabling this feature to avoid access disruption. ====
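Review bot: the `local-antora-playbook.yml` hunk swaps `main` for the feature branch `DOC-2123-console-acl-ui-refresh` in the documentation source, and the inline comment itself marks this as temporary (`REVERT ... before merge`). If it lands, the playbook will point at a branch that disappears once docs PR #1689 is merged and the branch is deleted, so keep the change in a separate commit that is dropped before merge (or revert it in this PR once the preview is no longer needed). Two smaller points: the comment should read `revert to `main` before merge`, and it currently sits between two `- url:` items; move it directly above the `branches:` line it annotates so a reader sees which line to revert.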
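Review bot: in the first `create-dedicated-cloud-cluster.adoc` hunk the UI path uses unconstrained bold (`**Security** > **Users**`, `**Create user**`) while the dialog name uses constrained bold (`*User created successfully*`); pick one convention for UI labels within these steps, since the next hunk mixes them the same way (`*ACLs*`, `*+ Add ACL*` versus `**Go to user details**`, `**Add ACL**`).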
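Review bot: in the ACL hunk of `create-dedicated-cloud-cluster.adoc`, the control is called `*+ Add ACL*` in the step that opens the form and `**Add ACL**` in the step that submits it; if these are two different controls (open the form, then save the rule), say so, for example `Click **Add ACL** to save the rule`, otherwise the final step reads like a repeat of the earlier click. The rule itself (`**Operation**: All`, `**Host**: `*``) gives the tutorial account every operation on `chat-room` from any host, which is fine for a getting-started walkthrough, but one sentence noting that production principals should be limited to the operations (for example Read or Write) and hosts they actually need would be worth adding; the what's-new entry in this same PR already makes that point for `Allow all operations`.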
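Review bot: in the `serverless.adoc` hunk, `click into a user` is colloquial; use `open the user's detail page` to match the wording in the `cloud-authentication.adoc` hunk of this PR (`open a user under *Users* ... from the detail page`). Since the *Roles* tab ships in the same release, consider mentioning it here as the what's-new entry does, so the reader knows roles can be managed from the same Security page.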
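Review bot: in the `whats-new-cloud.adoc` hunk, `*VIA ROLE: *` has a space before the closing `*`, so constrained bold will not render, and the role-name placeholder that should follow `VIA ROLE:` looks to have been dropped (an angle-bracket placeholder is the usual casualty); restore the placeholder and close the bold directly after it. The `// TODO DOC-2123: confirm with Jan/Martin ...` line is an unresolved editorial decision; it does not render, but it should be settled before merge rather than shipped inside a release-notes page. In the *Users* bullet, state whether the regular-expression filter is case-sensitive, since `^prod-` is given as the canonical example and readers will try `^PROD-` next.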
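Review bot: in the `cloud-authentication.adoc` hunk, step 2 (`open a user under *Users* (or a role under *Roles*) and add ACLs or assign roles from the detail page`) implies that roles can be assigned from a role's detail page; split it into the two cases, for example `open a user under *Users* to assign roles or add ACLs, or open a role under *Roles* to add ACLs to that role`. In the `[IMPORTANT]` block, `will lose access` is better as `lose access` to match the present tense of `continue to have full access` in the bullet above it.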