From c573d1839740e2b7c7c7104c02d56353130bc897 Mon Sep 17 00:00:00 2001
From: Steven Gagniere
Date: Thu, 6 Nov 2025 17:25:33 -0800
Subject: [PATCH 1/3] Add flink-region flag and ComputePool resource example for FlinkDeveloper role binding
---
 internal/iam/command_rbac_role_binding.go | 9 +++++++++
 internal/iam/command_rbac_role_binding_create.go | 4 ++++
 internal/iam/command_rbac_role_binding_list.go | 1 +
 3 files changed, 14 insertions(+)
diff --git a/internal/iam/command_rbac_role_binding.go b/internal/iam/command_rbac_role_binding.go
index a0942ecae9..3d9f5fb933 100644
--- a/internal/iam/command_rbac_role_binding.go
+++ b/internal/iam/command_rbac_role_binding.go
@@ -185,6 +185,7 @@ func addClusterFlags(cmd *cobra.Command, cfg *config.Config, cliCommand *pcmd.CL
 cmd.Flags().String("kafka-cluster", "", "Kafka cluster ID for the role binding.")
 cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID for the role binding.")
 cmd.Flags().String("ksql-cluster", "", "ksqlDB cluster name for the role binding.")
+ cmd.Flags().String("flink-region", "", `Flink region for the role binding, formatted as "cloud.region".`)
 } else {
 cmd.Flags().String("kafka-cluster", "", "Kafka cluster ID for the role binding.")
 cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID for the role binding.")
@@ -617,6 +618,14 @@ func (c *roleBindingCommand) parseV2BaseCrnPattern(cmd *cobra.Command) (string,
 crnPattern += "/kafka=" + kafkaCluster
 }
+ if cmd.Flags().Changed("flink-region") {
+ flinkRegion, err := cmd.Flags().GetString("flink-region")
+ if err != nil {
+ return "", err
+ }
+ crnPattern += "/flink-region=" + flinkRegion
+ }
+
 if cmd.Flags().Changed("role") {
 role, err := cmd.Flags().GetString("role")
 if err != nil {
diff --git a/internal/iam/command_rbac_role_binding_create.go b/internal/iam/command_rbac_role_binding_create.go
index 8c46912630..17f3e23842 100644
--- a/internal/iam/command_rbac_role_binding_create.go
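Review bot: In the second hunk of command_rbac_role_binding.go the `--flink-region` value is appended to `crnPattern` exactly as typed, so a value containing `/` or `=` turns into extra CRN segments and the binding's scope becomes whatever the server makes of that string rather than the "cloud.region" the help text promises. The CRN is the authorization scope of the binding, so I would check the format before the `crnPattern +=` line and return an error otherwise; the `/kafka=` concatenation in the context lines has the same shape and may deserve the same treatment. The hunk also shows no guard against combining `--flink-region` with `--kafka-cluster`, which would produce `.../kafka=…/flink-region=…`; whether that is rejected elsewhere is not visible here. parseV2BaseCrnPattern starts and ends outside the hunk, and the sketch assumes `strings` and `fmt` are already imported in the file.

```go
		flinkRegion, err := cmd.Flags().GetString("flink-region")
		// … unchanged: GetString error check …
		// Accept only "cloud.region" so the value cannot add or alter CRN segments.
		cloud, region, ok := strings.Cut(flinkRegion, ".")
		if !ok || cloud == "" || region == "" || strings.ContainsAny(flinkRegion, "/=") {
			return "", fmt.Errorf(`invalid --flink-region %q: expected "cloud.region"`, flinkRegion)
		}
		crnPattern += "/flink-region=" + flinkRegion
```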
+++ b/internal/iam/command_rbac_role_binding_create.go
@@ -55,6 +55,10 @@ func (c *roleBindingCommand) newCreateCommand() *cobra.Command {
 Text: `Grant the "FlinkDeveloper" role to principal "User:u-123456" in environment "env-123456":`,
 Code: "confluent iam rbac role-binding create --principal User:u-123456 --role FlinkDeveloper --environment env-123456",
 },
+ examples.Example{
+ Text: `Grant the "FlinkDeveloper" scoped to Flink compute pool "lfcp-123456" in AWS us-east-1 to principal "User:u-123456":`,
+ Code: "confluent iam rbac role-binding create --principal User:u-123456 --role FlinkDeveloper --environment env-123456 --flink-region aws.us-east-1 --resource ComputePool:lfcp-123456",
+ },
 )
 } else {
 exs = append(exs,
diff --git a/internal/iam/command_rbac_role_binding_list.go b/internal/iam/command_rbac_role_binding_list.go
index e0e2caad60..942d7b4866 100644
--- a/internal/iam/command_rbac_role_binding_list.go
+++ b/internal/iam/command_rbac_role_binding_list.go
@@ -99,6 +99,7 @@ func (c *roleBindingCommand) newListCommand() *cobra.Command {
 cmd.Flags().String("kafka-cluster", "", "Kafka cluster ID, which specifies the Kafka cluster scope.")
 cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID, which specifies the Schema Registry cluster scope.")
 cmd.Flags().String("ksql-cluster", "", "ksqlDB cluster name, which specifies the ksqlDB cluster scope.")
+ cmd.Flags().String("flink-region", "", `Flink region for the role binding, formatted as "cloud.region".`)
 } else {
 cmd.Flags().String("kafka-cluster", "", "Kafka cluster ID, which specifies the Kafka cluster scope.")
 cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID, which specifies the Schema Registry cluster scope.")
From d1c8a762bb92086080387dd74fed8c0ed06d694c Mon Sep 17 00:00:00 2001
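Review bot: The new example's `Text` in newCreateCommand reads `Grant the "FlinkDeveloper" scoped to Flink compute pool …`, dropping the word "role" that the example directly above it uses. Suggest `Grant the "FlinkDeveloper" role, scoped to Flink compute pool "lfcp-123456" in AWS us-east-1, to principal "User:u-123456":`. The same sentence is copied into create-help.golden by the next patch in the series, so that fixture would need regenerating. newCreateCommand continues outside the hunk.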
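Review bot: The `flink-region` description added in newListCommand says "for the role binding", while the sibling list flags in the same block describe a scope (`…, which specifies the Kafka cluster scope.`). For `list` the flag narrows what is returned rather than describing a binding being created, so wording such as `Flink region, formatted as "cloud.region", which specifies the Flink region scope.` would match its neighbours. The identical literal is also registered in addClusterFlags in the first file, so the two descriptions can drift apart. newListCommand starts and ends outside the hunk.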
From: Steven Gagniere
Date: Mon, 1 Dec 2025 16:33:06 -0800
Subject: [PATCH 2/3] Fix help tests
---
 .../fixtures/output/iam/rbac/role-binding/create-help.golden | 5 +++++
 .../fixtures/output/iam/rbac/role-binding/delete-help.golden | 1 +
 .../iam/rbac/role-binding/delete-missing-role-cloud.golden | 1 +
 .../iam/rbac/role-binding/list-failure-help-cloud.golden | 1 +
 test/fixtures/output/iam/rbac/role-binding/list-help.golden | 1 +
 5 files changed, 9 insertions(+)
diff --git a/test/fixtures/output/iam/rbac/role-binding/create-help.golden b/test/fixtures/output/iam/rbac/role-binding/create-help.golden
index ce9d964d06..bb20c8aac7 100644
--- a/test/fixtures/output/iam/rbac/role-binding/create-help.golden
+++ b/test/fixtures/output/iam/rbac/role-binding/create-help.golden
@@ -36,6 +36,10 @@ Grant the "FlinkDeveloper" role to principal "User:u-123456" in environment "env
 $ confluent iam rbac role-binding create --principal User:u-123456 --role FlinkDeveloper --environment env-123456
+Grant the "FlinkDeveloper" scoped to Flink compute pool "lfcp-123456" in AWS us-east-1 to principal "User:u-123456":
+
+ $ confluent iam rbac role-binding create --principal User:u-123456 --role FlinkDeveloper --environment env-123456 --flink-region aws.us-east-1 --resource ComputePool:lfcp-123456
+
 Flags:
 --role string REQUIRED: Role name of the new role binding.
 --principal string REQUIRED: Principal type and identifier using "Prefix:ID" format.
@@ -45,6 +49,7 @@ Flags:
 --kafka-cluster string Kafka cluster ID for the role binding.
 --schema-registry-cluster string Schema Registry cluster ID for the role binding.
 --ksql-cluster string ksqlDB cluster name for the role binding.
+ --flink-region string Flink region for the role binding, formatted as "cloud.region".
 --resource string Resource type and identifier using "Prefix:ID" format.
 --prefix Whether the provided resource name is treated as a prefix pattern.
 -o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
diff --git a/test/fixtures/output/iam/rbac/role-binding/delete-help.golden b/test/fixtures/output/iam/rbac/role-binding/delete-help.golden
index 0b598181de..cb2e87bdb0 100644
--- a/test/fixtures/output/iam/rbac/role-binding/delete-help.golden
+++ b/test/fixtures/output/iam/rbac/role-binding/delete-help.golden
@@ -18,6 +18,7 @@ Flags:
 --kafka-cluster string Kafka cluster ID for the role binding.
 --schema-registry-cluster string Schema Registry cluster ID for the role binding.
 --ksql-cluster string ksqlDB cluster name for the role binding.
+ --flink-region string Flink region for the role binding, formatted as "cloud.region".
 --resource string Resource type and identifier using "Prefix:ID" format.
 --prefix Whether the provided resource name is treated as a prefix pattern.
 -o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
diff --git a/test/fixtures/output/iam/rbac/role-binding/delete-missing-role-cloud.golden b/test/fixtures/output/iam/rbac/role-binding/delete-missing-role-cloud.golden
index 015deeacd4..ca55f3598c 100644
--- a/test/fixtures/output/iam/rbac/role-binding/delete-missing-role-cloud.golden
+++ b/test/fixtures/output/iam/rbac/role-binding/delete-missing-role-cloud.golden
@@ -17,6 +17,7 @@ Flags:
 --kafka-cluster string Kafka cluster ID for the role binding.
 --schema-registry-cluster string Schema Registry cluster ID for the role binding.
 --ksql-cluster string ksqlDB cluster name for the role binding.
+ --flink-region string Flink region for the role binding, formatted as "cloud.region".
 --resource string Resource type and identifier using "Prefix:ID" format.
 --prefix Whether the provided resource name is treated as a prefix pattern.
 -o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
diff --git a/test/fixtures/output/iam/rbac/role-binding/list-failure-help-cloud.golden b/test/fixtures/output/iam/rbac/role-binding/list-failure-help-cloud.golden
index 6676b520f5..b3f8a39e1a 100644
--- a/test/fixtures/output/iam/rbac/role-binding/list-failure-help-cloud.golden
+++ b/test/fixtures/output/iam/rbac/role-binding/list-failure-help-cloud.golden
@@ -37,6 +37,7 @@ Flags:
 --kafka-cluster string Kafka cluster ID, which specifies the Kafka cluster scope.
 --schema-registry-cluster string Schema Registry cluster ID, which specifies the Schema Registry cluster scope.
 --ksql-cluster string ksqlDB cluster name, which specifies the ksqlDB cluster scope.
+ --flink-region string Flink region for the role binding, formatted as "cloud.region".
 --resource string Resource type and identifier using "Prefix:ID" format. If specified with "--role" and no principals, list all principals and role bindings.
 --inclusive List role bindings for specified scopes and nested scopes. Otherwise, list role bindings for the specified scopes. If scopes are unspecified, list only organization-scoped role bindings.
 -o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
diff --git a/test/fixtures/output/iam/rbac/role-binding/list-help.golden b/test/fixtures/output/iam/rbac/role-binding/list-help.golden
index cc9fd1ca03..28a1de56b8 100644
--- a/test/fixtures/output/iam/rbac/role-binding/list-help.golden
+++ b/test/fixtures/output/iam/rbac/role-binding/list-help.golden
@@ -38,6 +38,7 @@ Flags:
 --kafka-cluster string Kafka cluster ID, which specifies the Kafka cluster scope.
 --schema-registry-cluster string Schema Registry cluster ID, which specifies the Schema Registry cluster scope.
 --ksql-cluster string ksqlDB cluster name, which specifies the ksqlDB cluster scope.
+ --flink-region string Flink region for the role binding, formatted as "cloud.region".
 --resource string Resource type and identifier using "Prefix:ID" format. If specified with "--role" and no principals, list all principals and role bindings.
 --inclusive List role bindings for specified scopes and nested scopes. Otherwise, list role bindings for the specified scopes. If scopes are unspecified, list only organization-scoped role bindings.
 -o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
From 8a19b87d1933d1c65cc81d10f47edb381a888cde Mon Sep 17 00:00:00 2001
From: Steven Gagniere
Date: Mon, 1 Dec 2025 16:50:14 -0800
Subject: [PATCH 3/3] Add more integration tests
---
 .../role-binding/create-flink-developer-cloud.golden | 12 ++++++++++++
 .../role-binding/list-flink-developer-cloud.golden | 3 +++
 test/iam_test.go | 2 ++
 test/test-server/iam_handlers.go | 2 ++
 4 files changed, 19 insertions(+)
 create mode 100644 test/fixtures/output/iam/rbac/role-binding/create-flink-developer-cloud.golden
 create mode 100644 test/fixtures/output/iam/rbac/role-binding/list-flink-developer-cloud.golden
diff --git a/test/fixtures/output/iam/rbac/role-binding/create-flink-developer-cloud.golden b/test/fixtures/output/iam/rbac/role-binding/create-flink-developer-cloud.golden
new file mode 100644
index 0000000000..0cd958fd61
--- /dev/null
+++ b/test/fixtures/output/iam/rbac/role-binding/create-flink-developer-cloud.golden
@@ -0,0 +1,12 @@
++-----------------+----------------+
+| Principal | User:u-77ggg |
+| Email | |
+| Role | FlinkDeveloper |
+| Environment | |
+| Cloud Cluster | |
+| Cluster Type | |
+| Logical Cluster | |
+| Resource Type | ComputePool |
+| Name | lfcp-1111aaa |
+| Pattern Type | LITERAL |
++-----------------+----------------+
diff --git a/test/fixtures/output/iam/rbac/role-binding/list-flink-developer-cloud.golden b/test/fixtures/output/iam/rbac/role-binding/list-flink-developer-cloud.golden
new file mode 100644
index 0000000000..1e7d5996a6
--- /dev/null
+++ b/test/fixtures/output/iam/rbac/role-binding/list-flink-developer-cloud.golden
@@ -0,0 +1,3 @@
+ Principal | Name | Email
+---------------+------+--------
+ User:u-777gg | |
diff --git a/test/iam_test.go b/test/iam_test.go
index 7b39d7dfd5..100ba69f81 100644
--- a/test/iam_test.go
+++ b/test/iam_test.go
@@ -50,6 +50,7 @@ func (s *CLITestSuite) TestIamRbacRoleBinding_Cloud() {
 {args: "iam rbac role-binding delete --principal User:u-11aaa --role EnvironmentAdmin --force", fixture: "iam/rbac/role-binding/missing-environment-cloud.golden", exitCode: 1},
 {args: "iam rbac role-binding delete --principal User:u-11aaa --current-environment --cloud-cluster lkc-1111aaa", fixture: "iam/rbac/role-binding/delete-missing-role-cloud.golden", exitCode: 1},
 {args: "iam rbac role-binding create --principal User:u-11aaa@confluent.io --role CloudClusterAdmin --current-environment --cloud-cluster lkc-1111aaa", fixture: "iam/rbac/role-binding/create-with-email-cloud.golden"},
+ {args: "iam rbac role-binding create --principal User:u-77ggg --role FlinkDeveloper --environment env-596 --flink-region aws.us-east-1 --resource ComputePool:lfcp-1111aaa", fixture: "iam/rbac/role-binding/create-flink-developer-cloud.golden"},
 }
 for _, test := range tests {
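Review bot: The create case added to TestIamRbacRoleBinding_Cloud passes `--environment env-596 --flink-region aws.us-east-1`, but its fixture create-flink-developer-cloud.golden (added earlier in this patch) prints an empty `Environment` row and has no region row, so the test would pass unchanged if the CLI dropped or mangled either scope segment of the CRN. Since the change is about the scope of a role binding, I would either have the test server reject a create whose CRN pattern lacks `/flink-region=aws.us-east-1`, or add a case with a malformed `--flink-region` and `exitCode: 1`; how the create handler inspects the request is not visible here. The list case in the next hunk has the same limitation, because it only queries the one region that the new `rb-777gg` fixture matches. The test function continues outside the hunk.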
@@ -78,6 +79,7 @@ func (s *CLITestSuite) TestIamRbacRoleBindingList_Cloud() {
 {args: "iam rbac role-binding list --principal User:u-41dxz3 --cluster pantsCluster", fixture: "iam/rbac/role-binding/list-failure-help-cloud.golden", exitCode: 1},
 {args: "iam rbac role-binding list --environment env-596 --cloud-cluster lkc-1111aaa --role InvalidOrgAdmin", fixture: "iam/rbac/role-binding/list-invalid-role-error-type-1-cloud.golden", exitCode: 1},
 {args: "iam rbac role-binding list --environment env-596 --cloud-cluster lkc-1111aaa --role InvalidMetricsViewer", fixture: "iam/rbac/role-binding/list-invalid-role-error-type-2-cloud.golden", exitCode: 1},
+ {args: "iam rbac role-binding list --role FlinkDeveloper --environment env-596 --flink-region aws.us-east-1 --resource ComputePool:lfcp-1111aaa", fixture: "iam/rbac/role-binding/list-flink-developer-cloud.golden"},
 }
 for _, test := range tests {
diff --git a/test/test-server/iam_handlers.go b/test/test-server/iam_handlers.go
index c2548072db..0c67c13560 100644
--- a/test/test-server/iam_handlers.go
+++ b/test/test-server/iam_handlers.go
@@ -54,6 +54,8 @@ var (
 "crn://confluent.cloud/organization=abc-123/environment=env-596/cloud-cluster=lkc-1111aaa/ksql=ksql-cluster-name-2222bbb"),
 buildRoleBinding("rb-77ggg", "u-77ggg", "ResourceOwner",
 "crn://confluent.cloud/organization=abc-123/environment=env-596/schema-registry=lsrc-3333ccc/subject=clicks"),
+ buildRoleBinding("rb-777gg", "u-777gg", "FlinkDeveloper",
+ "crn://confluent.cloud/organization=abc-123/environment=env-596/flink-region=aws.us-east-1/compute-pool=lfcp-1111aaa"),
 }
 )