Lenses Resource Names
Understand Lenses LRNs for use in Lenses IAM modal
Use an LRN to specify a resource across all of Lenses, unambiguously:
To add topic permissions for a team in IAM permissions.
To share a consumer-group reference with a colleague.
LRN format
A canonical LRN has 3 parts called segments. A colon : separates them:
service:resource-type:resource-idWhen you use LRNs as resource patterns in IAM, Lenses also accepts shorter patterns like * and service:*.
service
service is the namespace of the Lenses service that manages a set of resource types.
e.g. kafka for things like topics and consumer groups.
resource-type
resource-type is the type of resources that are served by a service.
e.g. topic for a Kafka topic, consumer-group for a Kafka consumer group. They both belong to the kafka service.
resource-id
resource-id is the unique name or path that identifies a resource. The resource ID is specific to a service and resource type. The resource ID can be:
a single resource name, e.g.:
[email protected]for a user resource name.The full LRN would be
iam:user:[email protected].
a nested resource path that contains slashes
/, e.g.:dev-environment/kafka/my-topicfor a Kafka topic.The full LRN would be
kafka:topic:dev-environment/kafka/my-topic.
Examples
IAM user
Kafka topic
Kafka consumer group
Schema Registry schema
Kafka Connect connector
Allowed characters
LRNs separate top-level segments with a colon : and resource path segments with a slash /.
Character rules depend on the segment:
serviceandresource-typeusea-z,A-Z,0-9, and-.resource-idis resource-specific.It must not contain
:(reserved for top-level segments).It may contain
/to form a resource path.It may contain
*when used as a wildcard pattern (see below).
Using wildcards
Use the wildcard asterisk * to express catch-all LRNs.
Rules
No wildcards are allowed in
service(except the global*pattern).No partial wildcards are allowed in
resource-type.Use
service:*to match all resource types for a service.
Wildcards in
resource-idcan be:a full path segment:
*a suffix inside a segment:
prefix*
If a
resource-idsegment is*, remaining segments are assumed*too.Example:
kafka:topic:my-env/*expands tokafka:topic:my-env/*/*.
Good examples
Use these examples to express multiple resources easily.
*
*
Global wildcard. Captures all resources that Lenses manages.
"Everything"
service:*
kafka:*
Service wildcard. Captures all resources for a service.
"All Kafka resources in all environments"
service:resource-type:*
kafka:topic:*
Resource-type wildcard. Captures all resources for a resource type.
"All Kafka topics in all environments"
service:resource-type:parent/*/grandchild
kafka-connect:connector:dev-environment/*/my-s3-sink
Path segment wildcard. Captures a part of the resource path.
"All connectors named 'my-s3-sink' in all Connect clusters under 'dev-environment'"
service:resource-type:resourcePa*
kafka:topic:dev-environment/kafka/red-*
Prefix match. Captures resources whose resource-id starts with the given path prefix.
"All Kafka topics in 'dev-environment' whose name starts with 'red-'"
service:resource-type:paren*/chil*/grandchil*
kafka-connect:connector:dev*/sinks*/s3*
Segment prefix match. Captures resources where different path segments start with certain prefixes.
"All connectors in envs starting 'dev', clusters starting 'sinks', name starting 's3'"
Bad examples
Avoid these examples because they are ambiguous. Lenses does not allow them.
servic*:resource-type:resource-id
kafk*:topic:dev-environment/kafka/my-topic
No wildcards allowed in service. A service must be its full string.
Global wildcard *
service:resource-typ*:resource-id
kafka:topi*:dev-environment/*
No wildcards allowed in resource-type. A resource type must be its full string.
Service wildcard service:*
service:*:resource-id
kafka:*:dev-environment/kafka/my-topic
If resource-type is *, you must not set resource-id.
kafka:* or kafka:topic:dev-environment/kafka/my-topic
Last updated
Was this helpful?