From 6bfa49a73194946e854839a71ff50d4c3f582abd Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 30 Apr 2026 17:08:00 -0600 Subject: [PATCH 1/6] DOC-2123: Update Console ACL UI references for new atomic-ACL design Refresh Cloud-only Console references ahead of Console's new Security page. ACL/RBAC behavior single-sourced from the docs repo flows in automatically via tag::single-source[]; this commit covers the pages that are not single-sourced. - create-dedicated-cloud-cluster.adoc: rewrite the user/ACL walkthrough to match the new atomic ACL form (Principal, Resource type, Pattern type, Resource name, Operation, Permission, Host) instead of the old "click the user, add permissions" flow. - serverless.adoc: split the single "Security page" reference into Security > Users / Security > ACLs / Security > Roles. - cloud-authentication.adoc: same split for the impersonation permissions guidance (lines 128, 135). Inline // TODO DOC-2123 comments mark form labels that need final confirmation from Jan/Martin once the new Security page ships. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../create-dedicated-cloud-cluster.adoc | 17 +++++++++++------ .../pages/cluster-types/serverless.adoc | 2 +- .../security/pages/cloud-authentication.adoc | 4 ++-- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc index ea51925fb..45c5934c2 100644 --- a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc +++ b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc 
@@ -48,7 +48,7 @@ rpk cloud login export REDPANDA_BROKERS="" ``` -. Go to the **Security** page, and create a user called **redpanda-chat-account** that uses the SCRAM-SHA-256 mechanism. +. Go to **Security** > **Users**, click **Create user**, and create a user called **redpanda-chat-account** that uses the SCRAM-SHA-256 mechanism. . Copy the password, and set the following environment variables on your local machine: + @@ -58,12 +58,17 @@ export REDPANDA_SASL_PASSWORD="" export REDPANDA_SASL_MECHANISM="SCRAM-SHA-256" ``` -. Click the name of your user, and add the following permissions to the ACL (access control list): +// TODO DOC-2123: confirm final ACL form labels (Resource Type, Pattern Type, Resource Name, Operation, Permission, Host) once the new Security page ships. +. Go to **Security** > **ACLs**, click **Create ACL**, and grant the **redpanda-chat-account** user full access to the `chat-room` topic: ++ +- **Principal**: `User:redpanda-chat-account` +- **Resource type**: Topic +- **Pattern type**: Literal +- **Resource name**: `chat-room` +- **Operation**: All +- **Permission**: Allow +- **Host**: `*` + -- **Host**: * -- **Topic name**: `chat-room` -- **Operations**: All -+ . Click **Create**. . Use `rpk` on your local machine to authenticate to Redpanda as the **redpanda-chat-account** user and get information about the cluster: diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index 2ecf27d27..cb1007f4a 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc 
@@ -70,7 +70,7 @@ NOTE: After private access is disabled, attempts to reach the private endpoints . Click **Create cluster**. -. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members and grant them access with ACLs on the *Security* page. +. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members on the *Security* > *Users* page, then grant them access on the *Security* > *ACLs* page or assign them to a role on the *Security* > *Roles* page. == Interact with your cluster diff --git a/modules/security/pages/cloud-authentication.adoc b/modules/security/pages/cloud-authentication.adoc index 7282fe353..3f3099faf 100644 --- a/modules/security/pages/cloud-authentication.adoc +++ b/modules/security/pages/cloud-authentication.adoc @@ -125,14 +125,14 @@ BYOC and Dedicated clusters support unified authentication and authorization bet To enable account impersonation: . Go to the *Dataplane settings* page and select the option to enable account impersonation. -. Configure permissions for your users on the cluster *Security* page using ACLs or RBAC roles. +. Configure permissions for your users on the cluster *Security* > *ACLs* or *Security* > *Roles* page. [IMPORTANT] ==== After enabling account impersonation: * *Admin users* continue to have full access as before -* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page +* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* > *ACLs* or *Security* > *Roles* page Plan to configure user permissions before or immediately after enabling this feature to avoid access disruption. ==== From da44f2f6c6da3ea99796ef46b0b14a90878a2131 Mon Sep 17 00:00:00 2001 
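Review bot: the `@@ -58,12 +58,17 @@` hunk of create-dedicated-cloud-cluster.adoc grants the tutorial user `Operation: All` on `chat-room` from `Host: *`, which is the broadest rule the form allows; since this walkthrough is the first ACL many readers will ever write, add one sentence saying that `All` and `*` are a getting-started shortcut and that a production principal should receive only the operations its client actually uses (for example Read, Write and Describe on the topic) from the hosts it connects from. The `// TODO DOC-2123` comment directly above the step is an AsciiDoc line comment and will not render, so it is safe to leave in until the labels are confirmed, but it should be removed in the same change that confirms them.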
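Review bot: the cloud-authentication.adoc hunk (`@@ -125,14 +125,14 @@`) and the serverless.adoc hunk both state the *Security* > *ACLs* and *Security* > *Roles* paths as fact, while the create-dedicated hunk in the same commit carries a TODO admitting those form labels and pages are not yet confirmed; either add the same `// TODO DOC-2123` marker next to these two edits or hold the navigation wording until the Security page ships, so that a later correction does not have to hunt for every copy of the path. Also, in the IMPORTANT block the phrase "on the *Security* > *ACLs* or *Security* > *Roles* page" names two pages with a singular "page"; "pages" reads correctly.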
From: micheleRP Date: Thu, 30 Apr 2026 17:18:09 -0600 Subject: [PATCH 2/6] DOC-2123: Add May 2026 What's New entry for redesigned Security page Announce Console's redesigned Security page (atomic ACL list, role detail pages with inherited ACLs, user detail pages, regex filter) in the cloud-docs What's New. The blurb sits behind the same merge gate as the rest of the PR so it only goes live with Console GA. Inline TODO for Jan/Martin to confirm whether the customer-facing "editing an ACL no longer causes a permission gap" benefit can be stated publicly. Co-Authored-By: Claude Opus 4.7 (1M context) --- modules/get-started/pages/whats-new-cloud.adoc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index b88417ee0..8f41266f3 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -6,6 +6,20 @@ This page lists new features added to Redpanda Cloud. +== May 2026 + +=== Redpanda Console: redesigned Security page + +Redpanda Console has a redesigned Security page that simplifies ACL and role management: + +* The *ACLs* page lists every ACL as a single row with all of its fields visible: principal, resource type, pattern type, resource name, operation, permission, and host. The filter at the top of the list accepts a regular expression for fast lookup. +* Role detail pages list each role's ACLs inline, including ACLs inherited from group memberships, so you can see the full set of permissions for a role at a glance. +* User detail pages let you manage a user's role assignments and view permissions inherited from those roles. + +// TODO DOC-2123: confirm with Jan/Martin whether to call out the per-ACL edit improvement (no permission gap during edits) as a customer-facing benefit. + +See xref:security:authorization/acl.adoc[] for the full ACL reference and xref:security:authorization/rbac/rbac_dp.adoc[] for role management. + == April 2026 === Iceberg: Configurable table namespace From 710bc188ce7cebe7c666d6587eff2f887b0f9002 Mon Sep 17 00:00:00 2001 
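Review bot: the xref at the end of the new May 2026 entry points at `security:authorization/rbac/rbac_dp.adoc` (underscore), but the playbook commit later in this series refers to the single-sourced file as `rbac-dp.adoc` (hyphen); one of the two is wrong and a broken xref will fail the Antora build, so verify the file name in the documentation repo before merge. The bullet "Role detail pages list each role's ACLs inline, including ACLs inherited from group memberships" also describes roles inheriting from groups, while the rest of the entry describes users inheriting from roles; confirm which direction the Console actually shows, since the two statements cannot both be correct.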
From: micheleRP Date: Thu, 30 Apr 2026 17:37:17 -0600 Subject: [PATCH 3/6] DOC-2123: Fix Security page model — ACLs are per-principal, not standalone MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previous commits referenced a standalone Security > ACLs page that does not exist in the shipped Console build (per Jan's recorded demo). The new layout has three tabs only — Users, Roles, Permissions — and ACLs are managed from a principal's detail page. - create-dedicated-cloud-cluster.adoc: rewrite the user/ACL walkthrough to follow the real flow: create the user, click "Go to user details" from the success dialog, then "+ Add ACL" under the user's ACLs section. Field labels match the Add ACL modal (Resource Type, Pattern Type, Resource Name, Operation, Permission, Host). - serverless.adoc, cloud-authentication.adoc: drop the "Security > ACLs" path; route users through Users/Roles detail pages instead. - whats-new-cloud.adoc: rewrite the May 2026 entry to describe the three-tab layout (Users / Roles / Permissions), per-principal ACL management on the detail page, and the three available actions (+ Add ACL, Allow all operations, Delete selected for bulk delete). Co-Authored-By: Claude Opus 4.7 (1M context) --- .../create-dedicated-cloud-cluster.adoc | 16 ++++++++-------- .../pages/cluster-types/serverless.adoc | 2 +- modules/get-started/pages/whats-new-cloud.adoc | 13 ++++++++----- modules/security/pages/cloud-authentication.adoc | 4 ++-- 4 files changed, 19 insertions(+), 16 deletions(-) diff --git a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc index 45c5934c2..821430f0f 100644 --- a/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc +++ b/modules/get-started/pages/cluster-types/create-dedicated-cloud-cluster.adoc 
@@ -50,7 +50,7 @@ export REDPANDA_BROKERS="" . Go to **Security** > **Users**, click **Create user**, and create a user called **redpanda-chat-account** that uses the SCRAM-SHA-256 mechanism. -. Copy the password, and set the following environment variables on your local machine: +. In the *User created successfully* dialog, copy the password and set the following environment variables on your local machine: + ```bash export REDPANDA_SASL_USERNAME="redpanda-chat-account" @@ -58,18 +58,18 @@ export REDPANDA_SASL_PASSWORD="" export REDPANDA_SASL_MECHANISM="SCRAM-SHA-256" ``` -// TODO DOC-2123: confirm final ACL form labels (Resource Type, Pattern Type, Resource Name, Operation, Permission, Host) once the new Security page ships. -. Go to **Security** > **ACLs**, click **Create ACL**, and grant the **redpanda-chat-account** user full access to the `chat-room` topic: +. Click **Go to user details**. + +. Under *ACLs*, click *+ Add ACL*, and define the following rule to grant the user full access to the `chat-room` topic: + -- **Principal**: `User:redpanda-chat-account` -- **Resource type**: Topic -- **Pattern type**: Literal -- **Resource name**: `chat-room` +- **Resource Type**: Topic +- **Pattern Type**: Literal +- **Resource Name**: `chat-room` - **Operation**: All - **Permission**: Allow - **Host**: `*` + -. Click **Create**. +. Click **Add ACL**. . Use `rpk` on your local machine to authenticate to Redpanda as the **redpanda-chat-account** user and get information about the cluster: + diff --git a/modules/get-started/pages/cluster-types/serverless.adoc b/modules/get-started/pages/cluster-types/serverless.adoc index cb1007f4a..fe853d43a 100644 --- a/modules/get-started/pages/cluster-types/serverless.adoc +++ b/modules/get-started/pages/cluster-types/serverless.adoc 
@@ -70,7 +70,7 @@ NOTE: After private access is disabled, attempts to reach the private endpoints . Click **Create cluster**. -. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members on the *Security* > *Users* page, then grant them access on the *Security* > *ACLs* page or assign them to a role on the *Security* > *Roles* page. +. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members on the *Security* > *Users* page, then click into a user to assign roles or add ACLs from their detail page. == Interact with your cluster diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 8f41266f3..c5a1828ce 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -10,11 +10,14 @@ This page lists new features added to Redpanda Cloud. === Redpanda Console: redesigned Security page -Redpanda Console has a redesigned Security page that simplifies ACL and role management: - -* The *ACLs* page lists every ACL as a single row with all of its fields visible: principal, resource type, pattern type, resource name, operation, permission, and host. The filter at the top of the list accepts a regular expression for fast lookup. -* Role detail pages list each role's ACLs inline, including ACLs inherited from group memberships, so you can see the full set of permissions for a role at a glance. -* User detail pages let you manage a user's role assignments and view permissions inherited from those roles. +Redpanda Console has a redesigned Security page that simplifies ACL and role management. The page now has three tabs — *Users*, *Roles*, and *Permissions* — and ACLs are managed per principal: + +* The *Users* tab lists each user with their assigned roles and a count of their ACLs, so you can see at a glance which principals have what. Filter the list by name using regular expressions, for example `^prod-` to match every user starting with `prod-`. +* Open a user (or a role) to manage their permissions on a dedicated detail page. The *ACLs* section shows one row per rule (type, resource, operation, permission, host), and offers three actions: +** *+ Add ACL* opens a focused form for one rule (resource type, pattern type, resource name, operation, permission, host). +** *Allow all operations* grants full wildcard access across all resource types in a single step, which is convenient for testing. +** Select rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. +* The *Roles* section on a user's detail page lets you assign or revoke roles individually, and the user's effective ACLs include any rules inherited from those roles. 
// TODO DOC-2123: confirm with Jan/Martin whether to call out the per-ACL edit improvement (no permission gap during edits) as a customer-facing benefit. diff --git a/modules/security/pages/cloud-authentication.adoc b/modules/security/pages/cloud-authentication.adoc index 3f3099faf..d2bfd41bd 100644 --- a/modules/security/pages/cloud-authentication.adoc +++ b/modules/security/pages/cloud-authentication.adoc @@ -125,14 +125,14 @@ BYOC and Dedicated clusters support unified authentication and authorization bet To enable account impersonation: . Go to the *Dataplane settings* page and select the option to enable account impersonation. -. Configure permissions for your users on the cluster *Security* > *ACLs* or *Security* > *Roles* page. +. Configure permissions for your users on the cluster *Security* page: open a user under *Users* (or a role under *Roles*) and add ACLs or assign roles from the detail page. [IMPORTANT] ==== After enabling account impersonation: * *Admin users* continue to have full access as before -* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* > *ACLs* or *Security* > *Roles* page +* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or roles on the *Security* page Plan to configure user permissions before or immediately after enabling this feature to avoid access disruption. ==== From e7e040ad7b54e8478b64dfb5394a0ff5a973d4f0 Mon Sep 17 00:00:00 2001 
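Review bot: in the create-dedicated-cloud-cluster.adoc hunk (`@@ -58,18 +58,18 @@`) the new step ". Click **Go to user details**." only works while the *User created successfully* dialog is still open; a reader who copies the password and dismisses the dialog has no stated way back to the user, so add a short fallback such as "or open the user from *Security* > *Users*" so the walkthrough does not dead-end. The final step changed from ". Click **Create**." to ". Click **Add ACL**.", while the section button is written as *+ Add ACL*; confirm the modal's submit button really reads "Add ACL" without the plus, otherwise readers will look for a control that is not there.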
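Review bot: in the whats-new-cloud.adoc hunk (`@@ -10,11 +10,14 @@`) the sub-bullet "*Allow all operations* grants full wildcard access across all resource types in a single step, which is convenient for testing" presents a cluster-wide allow-everything grant as merely convenient; a What's New entry is exactly where people learn about new shortcuts, so state plainly that this is for test clusters only and is too broad for any production principal, and say that the rule it creates shows up in the user's ACL list so it can be deleted again. The `@@ -125,14 +125,14 @@` hunk in cloud-authentication.adoc is consistent with this commit's model and needs no change.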
From: micheleRP Date: Thu, 30 Apr 2026 17:40:39 -0600 Subject: [PATCH 4/6] DOC-2123: Add Permissions tab to What's New entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The third Security page tab is Permissions — a unified cluster-wide view of every principal's ACLs (direct + inherited), with role inheritance visualized as "VIA ROLE: " groupings when you expand a row. Add this and the deny-spot indicator to the What's New blurb. Co-Authored-By: Claude Opus 4.7 (1M context) --- modules/get-started/pages/whats-new-cloud.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index c5a1828ce..897a25ab1 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -10,14 +10,14 @@ This page lists new features added to Redpanda Cloud. === Redpanda Console: redesigned Security page -Redpanda Console has a redesigned Security page that simplifies ACL and role management. The page now has three tabs — *Users*, *Roles*, and *Permissions* — and ACLs are managed per principal: +Redpanda Console has a redesigned Security page with three tabs — *Users*, *Roles*, and *Permissions* — and ACLs are managed per principal on dedicated detail pages. -* The *Users* tab lists each user with their assigned roles and a count of their ACLs, so you can see at a glance which principals have what. Filter the list by name using regular expressions, for example `^prod-` to match every user starting with `prod-`. -* Open a user (or a role) to manage their permissions on a dedicated detail page. The *ACLs* section shows one row per rule (type, resource, operation, permission, host), and offers three actions: +* The *Users* tab lists each user with their assigned roles and a count of their ACLs. Filter the list by name using regular expressions, for example `^prod-` to match every user starting with `prod-`. +* Open a user (or a role) to manage their permissions on a dedicated detail page. The *ACLs* section shows one row per rule (type, resource, operation, permission, host) and supports three actions: ** *+ Add ACL* opens a focused form for one rule (resource type, pattern type, resource name, operation, permission, host). -** *Allow all operations* grants full wildcard access across all resource types in a single step, which is convenient for testing. +** *Allow all operations* grants full wildcard access across all resource types in a single step — convenient for testing. ** Select rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. -* The *Roles* section on a user's detail page lets you assign or revoke roles individually, and the user's effective ACLs include any rules inherited from those roles. 
+* The *Permissions* tab is a unified, cluster-wide view of every principal with ACLs. Each row shows direct ACL counts and ACLs inherited from roles, with a red badge highlighting any principal that has Deny rules. Expand a row to see all of that principal's ACLs in one table: direct rules first, then sections labeled *VIA ROLE: * for each role they inherit from. Search across principals, resources, and roles, or click *Create ACL* to add a rule from scratch. // TODO DOC-2123: confirm with Jan/Martin whether to call out the per-ACL edit improvement (no permission gap during edits) as a customer-facing benefit. From 39e8a0fc0ee9fc2672806d3efa93c2e978bac234 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 30 Apr 2026 17:59:49 -0600 Subject: [PATCH 5/6] TEMP DOC-2123: point docs source at sibling PR branch Preview-only playbook change so the cloud-docs Netlify preview pulls single-sourced acl.adoc / rbac-dp.adoc / gbac-dp.adoc content from docs PR #1689 instead of docs main. This lets reviewers see the single-sourced rewrites in cloud-docs context before either PR merges. REVERT (set documentation main branch back to first position) before merge. Co-Authored-By: Claude Opus 4.7 (1M context) --- local-antora-playbook.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/local-antora-playbook.yml b/local-antora-playbook.yml index d8d478c82..5c0be61db 100644 --- a/local-antora-playbook.yml +++ b/local-antora-playbook.yml @@ -14,8 +14,10 @@ content: sources: - url: . branches: HEAD + # TEMP DOC-2123: point at sibling PR branch so this preview renders + # the docs PR (#1689) single-source content. REVERT `main` before merge. - url: https://github.com/redpanda-data/documentation - branches: [main, v/*, shared, site-search] + branches: [DOC-2123-console-acl-ui-refresh, v/*, shared, site-search] - url: https://github.com/redpanda-data/docs-site branches: [main] start_paths: [home] From 10f1a6857448400b1a4981bf3cad23ee19e15c88 Mon Sep 17 00:00:00 2001 
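Review bot: the whats-new-cloud.adoc hunk (`@@ -10,14 +10,14 @@`) deletes the bullet "* The *Roles* section on a user's detail page lets you assign or revoke roles individually ...", which was the only place the entry said that roles are assigned from a user's detail page, yet serverless.adoc and cloud-authentication.adoc (patch 3 of this series) send readers to that exact flow ("click into a user to assign roles or add ACLs from their detail page"); keep a sentence about role assignment on the detail page so the announcement and the task pages agree. Two smaller points in the new *Permissions* bullet: `*VIA ROLE: *` has a space before the closing `*`, so AsciiDoc constrained bold will not render and the role-name placeholder that the commit message's "VIA ROLE: " groupings imply appears to have been lost from the source; and the tab offers *Create ACL* while detail pages offer *+ Add ACL*, so confirm both labels are what the build shows rather than two names for one control.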
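Review bot: the local-antora-playbook.yml hunk (`@@ -14,8 +14,10 @@`) replaces `main` with `DOC-2123-console-acl-ui-refresh` in the documentation source's `branches` list rather than adding the PR branch in front of it, so the preview no longer has docs `main` to fall back on for any page that is not on that branch, and if this commit reaches `main` the site build will break as soon as the feature branch is deleted. The commit subject's revert instruction ("set documentation main branch back to first position") also reads as if `main` were still in the list, which after this hunk it is not; either write the list as `[DOC-2123-console-acl-ui-refresh, main, v/*, shared, site-search]` so the revert is a reorder, or back the inline `TEMP` comment with something a reviewer cannot overlook, such as keeping the PR in draft or a CI check that fails while a non-`main` branch is first.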
From: micheleRP Date: Thu, 30 Apr 2026 18:06:10 -0600 Subject: [PATCH 6/6] DOC-2123: Style cleanup on May 2026 What's New entry - Replace 2 em dashes with parentheses and split sentences. - Tighten passive "ACLs are managed per principal" lead-in. - Align "Allow all operations" caveat phrasing with acl.adoc. - Reword regex example "for example" comma comma into a cleaner semicolon construction. Co-Authored-By: Claude Opus 4.7 (1M context) --- modules/get-started/pages/whats-new-cloud.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 897a25ab1..95c72d1b9 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -10,12 +10,12 @@ This page lists new features added to Redpanda Cloud. === Redpanda Console: redesigned Security page -Redpanda Console has a redesigned Security page with three tabs — *Users*, *Roles*, and *Permissions* — and ACLs are managed per principal on dedicated detail pages. +Redpanda Console has a redesigned Security page with three tabs (*Users*, *Roles*, and *Permissions*). Each user and role has a detail page for managing its permissions. -* The *Users* tab lists each user with their assigned roles and a count of their ACLs. Filter the list by name using regular expressions, for example `^prod-` to match every user starting with `prod-`. -* Open a user (or a role) to manage their permissions on a dedicated detail page. The *ACLs* section shows one row per rule (type, resource, operation, permission, host) and supports three actions: +* The *Users* tab lists each user with their assigned roles and a count of their ACLs. Filter the list by name using regular expressions; for example, `^prod-` matches every user starting with `prod-`. +* Open a user or role to manage permissions on its detail page. The *ACLs* section shows one row per rule (type, resource, operation, permission, host) and supports three actions: ** *+ Add ACL* opens a focused form for one rule (resource type, pattern type, resource name, operation, permission, host). -** *Allow all operations* grants full wildcard access across all resource types in a single step — convenient for testing. +** *Allow all operations* grants full wildcard access across all resource types in a single step. Use this for testing only; it is too broad for production. ** Select rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. * The *Permissions* tab is a unified, cluster-wide view of every principal with ACLs. Each row shows direct ACL counts and ACLs inherited from roles, with a red badge highlighting any principal that has Deny rules. 
Expand a row to see all of that principal's ACLs in one table: direct rules first, then sections labeled *VIA ROLE: * for each role they inherit from. Search across principals, resources, and roles, or click *Create ACL* to add a rule from scratch.
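Review bot: in the whats-new-cloud.adoc hunk (`@@ -10,12 +10,12 @@`) the `** *+ Add ACL*` sub-bullet still lists the form fields in lowercase "(resource type, pattern type, resource name, operation, permission, host)", while the walkthrough rewritten in patch 3 uses the modal's Title Case labels (Resource Type, Pattern Type, Resource Name, Operation, Permission, Host); since this commit is the style pass, align the casing here so a reader who moves from the announcement to the tutorial sees the same labels. The added caveat "Use this for testing only; it is too broad for production." on *Allow all operations* is the right call and resolves the concern raised on patch 3.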