@micheleRP micheleRP commented Jul 29, 2025

Description

This pull request introduces a beta feature for user impersonation, enabling unified authentication and authorization between Redpanda Cloud and Redpanda clusters. It explains its benefits, configuration steps, and impact on roles and access control.

  • It copyedits the page for better readability.
  • It adds a new macro for heading-level beta badges in the asciidoc section of local-antora-playbook.yml.

Resolves https://redpandadata.atlassian.net/browse/DOC-1200
Review deadline:

Page previews

Authentication - User impersonation

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)


netlify bot commented Jul 29, 2025

Deploy Preview for rp-cloud ready!

Name Link
🔨 Latest commit 58685dc
🔍 Latest deploy log https://app.netlify.com/projects/rp-cloud/deploys/68d19c668c5c5f000855c286
😎 Deploy Preview https://deploy-preview-370--rp-cloud.netlify.app


coderabbitai bot commented Jul 29, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough


The changes update the modules/security/pages/cloud-authentication.adoc documentation to clarify and expand on Redpanda Cloud authentication for both users and services. The document now explicitly distinguishes between user and service authentication, details supported methods, and standardizes terminology. A new section introduces a beta feature for user impersonation, describing unified authentication and authorization. Instructions for configuring authentication methods are reorganized, and examples are updated for consistency. Additionally, the local-antora-playbook.yml file is updated to include a new Asciidoc extension macro named badge.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Assessment against linked issues

Objective Addressed Explanation
Document feature: Console: Unified cluster AuthN/AuthZ (Cloud rollout, including Serverless) (DOC-1200)

Assessment against linked issues: Out-of-scope changes

Code Change: Addition of badge macro to asciidoc.extensions (local-antora-playbook.yml)
Explanation: This addition is a documentation tooling/configuration update and not directly related to the unified AuthN/AuthZ documentation objective.

Possibly related PRs

  • mTLS+SASL support on AWS #362: Updates the same documentation to clarify and expand on authentication methods, including simultaneous mTLS and SASL/basic auth support, with a focus on AWS clusters.
  • Enable mTLS and SASL (GCP) #279: Modifies the same documentation file, expanding and clarifying authentication methods, and serves as a foundation for the further clarifications and user impersonation section in this PR.

Suggested reviewers

  • paulzhang97
  • david-yu
  • kbatuigas

@micheleRP micheleRP requested review from andresaristizabal, sago2k8 and deniscoady and removed request for andresaristizabal July 29, 2025 21:50
@micheleRP micheleRP marked this pull request as ready for review August 1, 2025 16:22
@micheleRP micheleRP requested a review from a team as a code owner August 1, 2025 16:22

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
modules/security/pages/cloud-authentication.adoc (1)

22-25: Minor wording nitpick

“Set up is different for most IdPs.” → “Setup differs across IdPs.” is shorter and avoids splitting the phrasal verb.

Purely editorial—adjust if you agree.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b7dbbd and 8f0d675.

📒 Files selected for processing (2)
  • local-antora-playbook.yml (1 hunks)
  • modules/security/pages/cloud-authentication.adoc (11 hunks)
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: micheleRP
PR: redpanda-data/cloud-docs#334
File: modules/networking/partials/psc-api2.adoc:15-16
Timestamp: 2025-06-18T21:02:38.074Z
Learning: In the Redpanda Cloud documentation system, cross-reference anchors using the format `#patch-/v1/clusters/-cluster.id-` work correctly for referencing API endpoints, even with dashes instead of curly braces around parameter names.
Learnt from: micheleRP
PR: redpanda-data/cloud-docs#350
File: modules/get-started/pages/cloud-overview.adoc:55-56
Timestamp: 2025-07-16T21:11:59.964Z
Learning: In the Redpanda Cloud documentation system using Asciidoctor, glossary cross-references with spaces in the ID (like `glossterm:data plane[]`) work correctly and do not need to be changed to hyphenated forms. The existing syntax is functional and should not be modified.
Learnt from: micheleRP
PR: redpanda-data/cloud-docs#261
File: modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc:46-50
Timestamp: 2025-04-18T19:43:32.991Z
Learning: In the Redpanda documentation using AsciiDoc format, explanatory text that provides additional information about a step should not be formatted as a separate numbered step. Instead, it should appear as regular text with bullets (using ** syntax) for any sub-points.
Learnt from: micheleRP
PR: redpanda-data/cloud-docs#267
File: modules/manage/pages/maintenance.adoc:91-92
Timestamp: 2025-04-25T01:41:57.162Z
Learning: The notification timeline for Redpanda Cloud deprecations has been deliberately removed from the documentation, even though the PR summary mentioned a 180-day advance notice period.
Learnt from: micheleRP
PR: redpanda-data/cloud-docs#278
File: modules/manage/pages/cluster-maintenance/config-cluster.adoc:75-75
Timestamp: 2025-04-29T18:43:42.666Z
Learning: In AsciiDoc documentation used by Redpanda, empty cross-references (xrefs) without link text (like `xref:manage:rpk/intro-to-rpk.adoc[]`) automatically use the target page's title as the link text.

Applied to files:

  • local-antora-playbook.yml
Learnt from: micheleRP
PR: redpanda-data/cloud-docs#267
File: modules/manage/pages/maintenance.adoc:63-64
Timestamp: 2025-04-25T01:42:09.318Z
Learning: The timeline for major upgrade notifications (180 days in advance) was intentionally removed from the Redpanda Cloud maintenance documentation, even though it was mentioned in the PR objectives.

Applied to files:

  • modules/security/pages/cloud-authentication.adoc
🔇 Additional comments (1)
local-antora-playbook.yml (1)

37-37: Addition of badge macro looks correct.

The macro path and indentation are consistent with the existing list, so Antora should pick it up without issues. No further action required.


@Feediver1 Feediver1 left a comment


lgtm


@yougotashovel yougotashovel left a comment


If this is going to Public Beta, then I'm happy to approve this, as people will need to have docs around this if it's discoverable.

cc: @sago2k8 can you check and give thumbs up?

Comment on lines +77 to +96
To enable user impersonation, go to the *Cluster settings* page and select the option to enable it.

After enabling user impersonation, new Readers and Writers added to the cluster must have their roles or ACLs granted by Admins in the cluster *Security* page.

CAUTION: Enabling user impersonation does not affect Admin users, but Readers and Writers will lose access until they are granted roles or ACLs.
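
Review bot: The CAUTION on the last line says Readers and Writers will lose access until they are granted roles or ACLs, but the enable instruction on the first line comes before it and carries no prerequisite, so an admin following the text in order turns the setting on before reading about the lockout. Move the caution ahead of the enable step, and if roles or ACLs can be granted beforehand, add a step to do that on the cluster *Security* page for existing Readers and Writers; if they cannot, say so explicitly. The middle sentence also speaks only of "new Readers and Writers added to the cluster", while the caution reads as applying to existing ones, so state which users are affected in both places.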

This is not yet implemented, it will be a closed beta, until we solve some issues:

  1. We haven't enabled any button to enable the feature. This will require agreement within the cloud team, so it is not ready to be delivered yet; the reason is that customers could be locked out of their environments.
  2. Here is a writeup of the status of the feature. https://docs.google.com/document/d/14-7YZBtvvdL3U4LZSLnj6okv0kM0UueINZN1er1BX80/edit?tab=t.0#heading=h.u57fkmq321of


Moving PR to draft until we're farther along. Thank you @sago2k8!

@micheleRP micheleRP marked this pull request as draft August 14, 2025 16:22
@micheleRP micheleRP force-pushed the DOC-1200-Document-feature-Console-Unified-cluster-AuthN-AuthZ-Cloud-rollout-including-Serverless branch from b205f62 to 58685dc Compare September 22, 2025 18:58