@JakeSCahill

Description

Resolves https://redpandadata.atlassian.net/browse/DOC-1347
Review deadline: June 13

This pull request updates multiple Redpanda Console configuration documentation files to improve clarity and consistency, with a focus on authentication, authorization, and other configuration topics. Key changes include renaming page titles for better context, adding new configuration options for OIDC authentication, and introducing detailed examples for principal mappings.

Documentation updates and improvements:

  • Page title updates for clarity: Updated titles across several configuration files (e.g., connect-to-redpanda.adoc, http-path-rewrites.adoc, authentication.adoc, authorization.adoc, tls-termination.adoc, topic-documentation.adoc) to include "in Redpanda Console" for better context.

Authentication enhancements:

  • New principalMapping option for OIDC: Added the principalMapping configuration option to map and transform OIDC token claims into user identities for role bindings. Detailed examples and syntax explanations are provided, including regex-based transformations.

Authorization refinements:

  • Authorization overview moved: Moved the "Authorization overview" section from authentication.adoc to authorization.adoc for better organization and alignment with related content.

Related references:

  • Cross-references added: Added links to related topics, such as OIDC authentication and Kubernetes authentication, in the cluster-properties.adoc file to improve discoverability.

Page previews

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

@JakeSCahill JakeSCahill requested a review from a team as a code owner June 11, 2025 08:52
@coderabbitai

coderabbitai bot commented Jun 11, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

The changes are limited to documentation updates across several files. The main update is the addition and documentation of a new principalMapping configuration option for OpenID Connect (OIDC) authentication in Redpanda Console. This feature allows administrators to transform and map identity claims from OIDC tokens to user names used in role bindings. Detailed explanations and examples of the principalMapping syntax and usage are provided. Other changes include clarifications, title updates to specify "in Redpanda Console," and minor corrections or rewordings for clarity. No code or logic changes were made.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant RedpandaConsole
    participant OIDCProvider

    User->>RedpandaConsole: Initiate OIDC login
    RedpandaConsole->>OIDCProvider: Redirect for authentication
    OIDCProvider->>User: Prompt for credentials
    User->>OIDCProvider: Provide credentials
    OIDCProvider->>RedpandaConsole: Return OIDC token
    RedpandaConsole->>RedpandaConsole: Apply principalMapping to token claim
    RedpandaConsole->>RedpandaConsole: Map to internal username
    RedpandaConsole->>RedpandaConsole: Check role bindings for username
    RedpandaConsole-->>User: Grant/deny access based on authorization

Assessment against linked issues

Objective Addressed Explanation
Document new principal mapping config for Console (DOC-1347)

Assessment against linked issues: Out-of-scope changes

No out-of-scope changes were found.



@netlify

netlify bot commented Jun 11, 2025

Deploy Preview for redpanda-docs-preview ready!

Name Link
🔨 Latest commit 9674c47
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-docs-preview/deploys/6852a769fa8b9f000814c9d3
😎 Deploy Preview https://deploy-preview-1158--redpanda-docs-preview.netlify.app


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
modules/reference/pages/properties/cluster-properties.adoc (1)

4097-4100: Use - for bullets in Related topics.

Unordered lists in this file consistently use - for list items. Update the new section to match existing style:

 *Related topics*:
-* xref:manage:security/authentication.adoc#oidc[OpenID Connect authentication]
-* xref:manage:kubernetes/security/authentication/k-authentication.adoc[OpenID Connect authentication in Kubernetes]
+*Related topics*:
+ - xref:manage:security/authentication.adoc#oidc[OpenID Connect authentication]
+ - xref:manage:kubernetes/security/authentication/k-authentication.adoc[OpenID Connect authentication in Kubernetes]
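Review bot: The suggestion keeps `*Related topics*:` as an unchanged context line and then adds `+*Related topics*:` again, so applying it as written would leave the label twice above the list. Drop the added `+*Related topics*:` line and change only the two `*` bullets to `-`, keeping both xref targets as they are.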
modules/console/pages/config/security/authorization.adoc (1)

234-293: Document principalMapping transformation feature

The new section comprehensively explains how to transform OIDC claims using JSONPath, regex, replacement, and modifiers. Consider renaming the heading to === `principalMapping` transformation syntax to match code formatting conventions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 93ada16 and e7f9d7e.

📒 Files selected for processing (7)
  • modules/console/pages/config/connect-to-redpanda.adoc (1 hunks)
  • modules/console/pages/config/http-path-rewrites.adoc (1 hunks)
  • modules/console/pages/config/security/authentication.adoc (2 hunks)
  • modules/console/pages/config/security/authorization.adoc (5 hunks)
  • modules/console/pages/config/security/tls-termination.adoc (1 hunks)
  • modules/console/pages/config/topic-documentation.adoc (1 hunks)
  • modules/reference/pages/properties/cluster-properties.adoc (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: Redirect rules - redpanda-docs-preview
  • GitHub Check: Header rules - redpanda-docs-preview
  • GitHub Check: run-tests (ubuntu-latest)
  • GitHub Check: Pages changed - redpanda-docs-preview
🔇 Additional comments (12)
modules/console/pages/config/topic-documentation.adoc (1)

1-1: Consistent title update
Changed the document title to “Enable Topic Documentation in Redpanda Console” to match the naming convention used across other Console configuration pages.

modules/console/pages/config/security/tls-termination.adoc (1)

1-1: Consistent title update
Updated the title to “TLS Termination in Redpanda Console,” aligning it with the standardized naming scheme for Console docs.

modules/console/pages/config/http-path-rewrites.adoc (1)

1-1: Consistent title update
Revised the title to “HTTP Path Rewrites in Redpanda Console” for uniformity across Console configuration guides.

modules/console/pages/config/connect-to-redpanda.adoc (1)

1-1: Title clarifies console context

The updated title explicitly states that this document configures Redpanda Console, improving clarity.

modules/console/pages/config/security/authentication.adoc (4)

1-1: Title updated to specify Console context

Changing the title to include "in Redpanda Console" aligns it with other security docs and clarifies scope.


118-119: Add principalMapping option to OIDC config

The new principalMapping field (defaulting to $.sub) and its explanatory footnote clearly describe how to map and transform claims for role bindings.

Also applies to: 132-132


121-121: Fix spacing in JWT signing key description

The <1> footnote now correctly includes a space before the variable example, improving readability.


128-131: Clarify optional TLS and redirect settings

Footnotes <8><11> have been reworded for clarity on TLS config, redirect URL, and OAuth prompts. Clear and concise.

modules/console/pages/config/security/authorization.adoc (4)

1-1: Title updated to specify Console context

Renaming to "Authorization in Redpanda Console" aligns with the authentication doc and clarifies the scope.


11-11: Clarify distinction between authentication and authorization

The updated line clearly differentiates login from post-login permissions, improving the introduction.


77-78: Enable OIDC in static service account example

Adding oidc: enabled: true ensures consistency with the authentication overview and allows OIDC UI login in this mode.


106-106: Refine impersonation note in collapsible section

The revised note explicitly states that console roles are ignored when impersonation is enabled, reinforcing expected behavior.

@JakeSCahill JakeSCahill requested a review from weeco June 16, 2025 16:46

=== Transform identities with principal mappings

If you use OIDC login, the identity in the JWT token (the `sub` claim by default) must match a `name` in the `roleBindings` configuration. You can use the `principalMapping` configuration option to transform the identity claim into a username format expected by your role bindings.

WDYT about mentioning that this defaults to $.sub which just extracts the sub claim as is, without transforming the value. I think this makes the syntax a little clearer than saying "the sub claim by default".

Comment on lines +277 to +288
The `principalMapping` syntax uses this format:

----
<jsonpath>/<regex>/<replacement>/<modifiers>
----

* `jsonpath`: Path to the claim field in the token (such as `$.email`)
* `regex`: A regular expression to extract part of the claim
* `replacement`: A replacement string using a captured group (such as `$1`)
* `modifiers`: Optional flags, such as:
- `L` — convert to lowercase
- `U` — convert to uppercase

Great explanation. Good that we include it, since it's very custom, but powerful!
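
The `<jsonpath>/<regex>/<replacement>/<modifiers>` format discussed in this thread, as an added Go example that is not part of the PR or of Redpanda Console's code. The function `mapPrincipal`, the sample token payload, and the rules it assumes (top-level `$.claim` paths only, no `/` inside the regex, a non-matching claim is rejected) are hypothetical and exist only to show how a mapping turns a claim into the name that role bindings are checked against.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// mapPrincipal applies <jsonpath>/<regex>/<replacement>/<modifiers> to a token
// payload. Assumptions of this sketch (not Console's code): only top-level
// "$.claim" paths, no "/" inside the regex, and a claim that does not match
// the regex is rejected instead of being passed through.
func mapPrincipal(mapping string, payload []byte) (string, error) {
	parts := strings.Split(mapping, "/")
	if (len(parts) != 1 && len(parts) != 4) || !strings.HasPrefix(parts[0], "$.") {
		return "", errors.New("want $.claim or $.claim/<regex>/<replacement>/<modifiers>")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", err
	}
	value, ok := claims[strings.TrimPrefix(parts[0], "$.")].(string)
	if !ok || value == "" {
		return "", fmt.Errorf("claim %s is missing or not a string", parts[0])
	}
	if len(parts) == 1 {
		return value, nil // for example "$.sub": the claim is used as is
	}
	re, err := regexp.Compile(parts[1])
	if err != nil {
		return "", err
	}
	if !re.MatchString(value) {
		return "", fmt.Errorf("claim %s does not match %q", parts[0], parts[1])
	}
	out := re.ReplaceAllString(value, parts[2]) // "$1" refers to the first capture group
	switch parts[3] {
	case "L":
		out = strings.ToLower(out)
	case "U":
		out = strings.ToUpper(out)
	}
	return out, nil
}

func main() {
	payload := []byte(`{"sub":"a1b2c3","email":"Alice.Smith@example.com"}`) // constructed sample
	fmt.Println(mapPrincipal(`$.email/^(.+)@example\.com$/$1/L`, payload))
}
```

Anchoring the regex with `^` and `$`, as in the sample mapping, keeps claims of an unexpected shape from being rewritten into a name that has a role binding.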

@micheleRP

Suggest adding glossterm for RBAC on authorization & authentication pages.


@micheleRP micheleRP left a comment


lgtm

@JakeSCahill JakeSCahill merged commit edbd9a8 into main Jun 18, 2025
6 of 7 checks passed
@JakeSCahill JakeSCahill deleted the DOC-1347 branch June 18, 2025 12:04