SQL: OIDC and access management

[kbatuigas]

Description

This pull request introduces comprehensive documentation for Redpanda SQL's user and access management features, including new reference pages for user lifecycle statements and privilege management, as well as a guide for connecting with OpenID Connect (OIDC). It also updates the navigation to surface these new topics and ensure users can easily find information about authentication and authorization.

New user and access management documentation:

• Added reference pages for the CREATE USER, ALTER USER, and DROP USER SQL statements, detailing syntax, usage, and examples for managing Redpanda SQL users. [1] [2] [3]
• Added reference pages for the GRANT and REVOKE SQL statements, covering privilege assignment and removal on various database objects, including external sources and schemas. [1] [2]

OIDC authentication documentation:

• Added a new how-to guide, connect-with-oidc.adoc, describing how to authenticate to Redpanda SQL using OIDC bearer tokens or client credentials, with step-by-step instructions and code examples for multiple clients.

Navigation and discoverability improvements:

• Updated nav.adoc to include links to the new OIDC connection guide, user management, and privilege management topics, making these features easier to find in the documentation. [1] [2]

Resolves https://github.com/redpanda-data/documentation-private/issues/
Review deadline: 21 May

Page previews

Redpanda SQL > Connect to RP SQL > Authenticate to Redpanda SQL
Redpanda SQL > Manage RP SQL > Manage Access
Reference > Redpanda SQL Reference > Statements > CREATE USER
Reference > Redpanda SQL Reference > Statements > ALTER USER
Reference > Redpanda SQL Reference > Statements > DROP USER
Reference > Redpanda SQL Reference > Statements > GRANT
Reference > Redpanda SQL Reference > Statements > REVOKE

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	9efe878
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/6a0e8a25af21230008634fe4
😎 Deploy Preview	https://deploy-preview-580--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: be945716-030d-48ee-9d20-6506a736ff8d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DOC-1999-document-feature-oxla-oidc-authn-support

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kbatuigas]

For SME: please confirm if this is correct and relevant

[grzebiel]

👍

[kbatuigas]

Should this be removed? It appears that this just targets "native" tables. Is the correct syntax for RP tables supposed to be like this example instead? Or is it GRANT SELECT ON TABLE default_redpanda_catalog=>'orders' TO "alice@example.com";?

[Feediver1]

PR Review: SQL: OIDC and access management (#580)

Files reviewed: 7 new .adoc files + nav update (621 additions, 0 deletions)
Overall assessment: The final piece of the SQL GA series. paulzhang97's three engineer concerns all addressed in the current diff. Same broken-sibling-xref / no-What's-New pattern as the rest of the series. Two outstanding SME confirmations and four // TODO markers warrant a quick triage before merge.

What this PR does

Adds the user, authentication, and access-management surface for Redpanda SQL on the rp-sql integration branch:

• modules/sql/pages/connect-to-sql/authenticate.adoc (new, 155 lines) — how-to: connect to Redpanda SQL with an OIDC bearer token, OIDC client credentials, or a SCRAM password for legacy clients. Includes psql + psycopg2 examples and TLS / reconnect-on-token-expiry guidance.
• modules/sql/pages/manage/manage-access.adoc (new, 110 lines) — concept: separates authentication (OIDC by default) from authorization (SQL: Manage vs SQL: Access data-plane RBAC roles + per-user GRANT/REVOKE against catalogs and tables), and explains why Kafka ACLs don't gate query-time access.
• modules/reference/pages/sql/sql-statements/create-user.adoc, alter-user.adoc, drop-user.adoc (3 new files, 147 lines combined) — SQL statement references for user lifecycle.
• modules/reference/pages/sql/sql-statements/grant.adoc, revoke.adoc (2 new files, 202 lines combined) — privilege management for tables, external sources (catalogs and storage), and schemas.
• modules/ROOT/nav.adoc — wires the new pages into the nav tree.

Jira ticket alignment

Ticket: DOC-1999 — "Document feature Oxla OIDC authn support" (extracted from branch name).

Status: Covers everything the ticket implies and goes beyond OIDC alone — adds the full authentication-mode taxonomy (bearer / client credentials / SCRAM-for-legacy), the authorization model (RBAC roles + SQL grants), and the user-lifecycle and grant/revoke statement references. Paulzhang97's three engineering corrections are all reflected in the current diff. ✓

Critical issues (must fix)

1. Two broken xrefs to sibling-PR targets (verified missing on rp-sql):

   File:line	xref target	Provided by
   authenticate.adoc:17	sql:get-started/deploy-sql-cluster.adoc[Enable Redpanda SQL] (Prerequisites)	PR #571 (still OPEN)
   authenticate.adoc:50	sql:get-started/sql-quickstart.adoc[Quickstart] (bearer-token section)	PR #571 (still OPEN)

   • Fix: Same as the rest of the SQL GA series — both resolve once #571 lands on rp-sql. Coordinate merge ordering so all four PRs (#571, #574, #575, #580) land before rp-sql lands on main.

2. Missing What's New entry. Fourth PR in the SQL GA series with no entry in modules/get-started/pages/whats-new-cloud.adoc. As noted across the series, a single coordinated "Redpanda SQL: General availability" entry should announce the whole release.

   • Fix: Add the announcement once before any of #571 / #574 / #575 / #580 lands.

Suggestions (should consider)

1. Four // TODO markers in the source flag unresolved SME questions. They won't render (AsciiDoc comments), but two of them are content-blocking risk if left unanswered before GA publish:

   File:line	TODO	Recommended action
   manage-access.adoc:28	"Confirm validated IdP coverage with engineering (qa-questions.md #16). Add an 'IdPs validated for Redpanda SQL' section listing the providers engineering has explicitly tested (Keycloak is confirmed; Okta, Microsoft Entra ID, Auth0, and Google have not yet been confirmed for SQL)."	Resolve before publish — readers will ask "is my IdP supported?"
   authenticate.adoc:82	"OXLA-9382 (concurrent first-time login via connection pool produces duplicate role entries in the distributed catalog) is marked Done in Jira but has no fixVersions set. Confirm with SME the fix is in the GA 2026-05-22 build before publishing this note. If confirmed in GA, delete this comment. If NOT confirmed, restore the user-facing NOTE below."	Resolve before publish — if the bug ships in GA, the NOTE block (already drafted in the comment) needs to render to users.
   authenticate.adoc:110	"Reconcile token-endpoint timeout. The RFC says 5s but oxla/src/net/http/http_client.h defaults to 10s."	Lower priority — internal accuracy detail. Decide before GA whether 5s or 10s is authoritative and write the correct value.
   authenticate.adoc:146	"Confirm the correct cross-link for the cluster SSL mode setting in Redpanda Cloud."	Lower priority — the surrounding sentence reads fine without it, but the cross-link adds value.

2. Two unresolved inline review threads from Kat to SMEs:

   • manage-access.adoc:24 — "For SME: please confirm if this is correct and relevant." This is the Authentication paragraph at line 24 of the current file ("Redpanda Cloud preconfigures the SQL engine's OIDC settings when SQL is enabled on the cluster…"). Needs SME sign-off that the auto-configuration claim is accurate.
   • grant.adoc:38 — Kat asks whether the ON TABLE table_name form (Grant on a table) is for native SQL tables only, with Redpanda topic grants needing the ON EXTERNAL SOURCE catalog=>pattern form instead. The current grant.adoc keeps both forms documented under separate === Grant on a table and === Grant on an external source subheadings, which is the right shape if both are valid — but the SME confirmation is still pending.

3. glossterm: use is inconsistent across the two main content pages:

   • authenticate.adoc uses glossterm:OpenID Connect (OIDC)[] (line 6) and glossterm:bearer token[] (line 42) — good.

   • manage-access.adoc mentions OIDC, RBAC, and ACLs (all on first mention in this page's scope) without glossterm:.

   • Suggested: Add glossterm: on the first OIDC mention in manage-access.adoc:11 for consistency. RBAC and ACL on first mention are weaker candidates — the team's glossterm list is what should govern.

4. Em-dash check is clean for rendered content. One em dash exists in authenticate.adoc:111, but it's inside a // TODO comment quoting RFC text, so it doesn't render. Skip.

Impact on other files

• modules/ROOT/nav.adoc ✓ — already includes all the new pages.
• modules/get-started/pages/whats-new-cloud.adoc ❌ — no SQL GA entry (Critical #2).
• Cross-component xrefs verified:
  • xref:security:authorization/rbac/rbac_dp.adoc ✓
  • xref:sql:connect-to-sql/index.adoc ✓
  • All intra-PR xrefs (between manage-access, authenticate, grant, revoke, user lifecycle pages) ✓
  • Only the two xref:sql:get-started/* references above are unresolved.
• Cross-page consistency with sibling PRs:
  • manage-access.adoc describes the SQL: Manage / SQL: Access split that query-streaming-topics.adoc (PR #574) refers to in its prerequisites — wording is consistent.
  • The default_redpanda_catalog=>'orders' syntax used in grant examples here matches what's used in query-iceberg-topics.adoc (PR #575) and query-streaming-topics.adoc (PR #574). ✓
  • ALTER USER ... WITH PASSWORD for legacy clients is documented in this PR's alter-user.adoc and used in authenticate.adoc's SCRAM section — consistent.

CodeRabbit findings worth considering

None. CodeRabbit's check passed with no actionable findings.

Outstanding review activity (not findings — just status)

• paulzhang97's three engineering corrections (May 19) are all reflected in the current diff:
  • auth_method=bearer now correctly written as '-c auth_method=bearer'. ✓
  • auth_method=client_secret now '-c auth_method=client_secret'. ✓
  • oidc.require_tls bullet removed. ✓
• No formal APPROVED review yet — reviewDecision is empty. With paulzhang97's concerns addressed, the PR is awaiting a follow-up sign-off.

What works well

• Clean separation of concerns: authenticate.adoc is client-side (how a user/client connects), manage-access.adoc is admin-side (how an admin grants access). Each page links to the other.
• "How queries reach the underlying topics" section in manage-access.adoc is genuinely valuable — it explains why Kafka ACLs don't gate query-time reads (single internal SASL credential for the catalog), so admins can reason about the security boundary correctly.
• Three-mode authentication table in authenticate.adoc succinctly distinguishes bearer / client-credentials / SCRAM with concrete "when to use" guidance.
• Multiple language-client examples for bearer-token connections — psql shell + Python psycopg2. The Python example explicitly notes that current_user resolves to the token principal, not "ignored".
• ALTER USER ... WITH PASSWORD persistence behavior is correctly documented: the Cloud user reconciler doesn't reset passwords on its own, but does revoke CONNECT if the data-plane role is removed.
• "Reconnect when a token expires" section addresses the OIDC short-lived-token operational reality — sessions persist past token expiry, but new connections need a fresh token.
• grant.adoc cleanly separates ON TABLE vs ON EXTERNAL SOURCE forms with worked examples for each, including the wildcard =>'orders_*' and the catalog-level (no-pattern) form, plus the documented "wildcard only at end of pattern" constraint.
• "Schema-level privileges" subsection in manage-access.adoc covers USAGE and CREATE ON SCHEMA.
• glossterm: macro used on first mention of OIDC and "bearer token" in authenticate.adoc. ✓
• All H2+ headings in sentence case; H1s in title case or all-caps SQL keywords. ✓
• No em dashes in rendered content.
• All code blocks have explicit language tags ([source,sql], [source,bash], [source,python]). ✓
• CI fully green and the Netlify preview links cover all the new pages.

---

Final-pass review via /docs-team-standards:pr-review.

[Feediver1]

@kbatuigas Ping me after you get SME approvals and I will do another pass.

[grzebiel]

fix the -c that is not present anymore. Rest LGTM

[grzebiel]

But our cloud operator does that autmaticaly. The requirement is that user is given access to oxla via RBAC

[grzebiel]

Do we want to describe this? The cloud setup is configured correctly, client is not exposed to that options.

[grzebiel]

shall we include here the rpk command to acquire the token? PGPASSWORD=$(rpk cloud auth token)

[grzebiel]

this is not an issue since the logic of replicating users to oxla is moved to cloud operator

[grzebiel]

This is implementation detail. Doesn't touch user at all

[grzebiel]

Suggested change

	options="-c auth_method=bearer",
	options="auth_method=bearer",

[grzebiel]

should we also add rpk command for acquiring the token here?

[grzebiel]

Suggested change

	Set `options='-c auth_method=client_secret'`, pass the Redpanda Cloud service account's client ID in `user=`, and the client secret in the password field. The resolved principal becomes the session identity.
	Set `options='auth_method=client_secret'`, pass the Redpanda Cloud service account's client ID in `user=`, and the client secret in the password field. The resolved principal becomes the session identity.

[grzebiel]

Suggested change

	psql "host=<sql-host> port=<sql-port> dbname=oxla user=<client-id> options='-c auth_method=client_secret' sslmode=require"
	psql "host=<sql-host> port=<sql-port> dbname=oxla user=<client-id> options='auth_method=client_secret' sslmode=require"

[grzebiel]

👍