redpanda-data · nguyen-andrew · Jan 7, 2026 · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/proto/redpanda/core/admin/v2/BUILD b/proto/redpanda/core/admin/v2/BUILD
@@ -104,6 +104,8 @@ proto_library(
     deps = [
         "//proto/redpanda/core/pbgen:options_proto",
         "//proto/redpanda/core/pbgen:rpc_proto",
+        "@googleapis//google/api:field_behavior_proto",
+        "@googleapis//google/api:resource_proto",
         "@protobuf//:timestamp_proto",
     ],
 )

@@ -18,12 +18,83 @@ package redpanda.core.admin.v2;
 
 import "proto/redpanda/core/pbgen/options.proto";
 import "proto/redpanda/core/pbgen/rpc.proto";
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
 import "google/protobuf/timestamp.proto";
 
 option (pbgen.cpp_namespace) = "proto::admin";
 
 // The SecurityService provides security-related operations.
 service SecurityService {
+    // CreateRole
+    //
+    // Create a new Role resource.
+    rpc CreateRole(CreateRoleRequest) returns (CreateRoleResponse) {
+        option (pbgen.rpc) = {
+            authz: SUPERUSER
+        };
+    }
+
+    // GetRole
+    //
+    // Retrieve a Role resource by name.
+    rpc GetRole(GetRoleRequest) returns (GetRoleResponse) {
+        option (pbgen.rpc) = {
+            authz: SUPERUSER
+        };
+    }
+
+    // ListRoles
+    //
+    // List all Role resources.
+    rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
+        option (pbgen.rpc) = {
+            authz: SUPERUSER
+        };
+    }
+
+    // AddRoleMembers
+    //
+    // Add members to a Role. If any members are already part of the role, they
+    // are ignored. Returns the updated Role resource.
+    rpc AddRoleMembers(AddRoleMembersRequest) returns (AddRoleMembersResponse) {
+        option (pbgen.rpc) = {
+            authz: SUPERUSER
+        };
+    }
+
+    // RemoveRoleMembers
+    //
+    // Remove members from a Role. If any members are not part of the role, they
+    // are ignored. Returns the updated Role resource.
+    rpc RemoveRoleMembers(RemoveRoleMembersRequest)
+        returns (RemoveRoleMembersResponse) {
+        option (pbgen.rpc) = {
+            authz: SUPERUSER
+        };
+    }
+
+    // DeleteRole
+    //
+    // Delete a Role resource by name.
+    rpc DeleteRole(DeleteRoleRequest) returns (DeleteRoleResponse) {
+        option (pbgen.rpc) = {
+            authz: SUPERUSER
+        };
+    }
+
+    // ListCurrentUserRoles
+    //
+    // Gets a list of Role names that the current authenticated user is a member
+    // of on the current Redpanda broker.  This is useful for clients to
+    // determine their own permissions.
+    rpc ListCurrentUserRoles(ListCurrentUserRolesRequest)
+        returns (ListCurrentUserRolesResponse) {
+        option (pbgen.rpc) = {
+            authz: USER
+        };
+    }
+
     // ResolveOidcIdentity
     //
     // Validate an `Authorization` header `Bearer` token and return the mapped
@@ -63,10 +134,140 @@ service SecurityService {
 /* Resources */
 // =============================================
 
+// The Role resource represents a security role with associated members.
+message Role {
+    option (google.api.resource) = {
+        type: "redpanda.core.admin.SecurityService/Role"
+        pattern: "roles/{role}"
+    };
+
+    // The name of the Role.
+    string name = 1 [
+        (google.api.field_behavior) = REQUIRED,
+        (google.api.field_behavior) = IMMUTABLE
+    ];
+
+    // The members of the Role.
+    repeated RoleMember members = 2;
+}
+
 // =============================================
 /* RPC Requests and Responses */
 // =============================================
 
+// CreateRoleRequest is the request for the CreateRole RPC.
+message CreateRoleRequest {
+    // The Role to create.
+    Role role = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// CreateRoleResponse is the response from the CreateRole RPC.
+message CreateRoleResponse {
+    // The created Role.
+    Role role = 1;
+}
+
+// GetRoleRequest is the request for the GetRole RPC.
+message GetRoleRequest {
+    // The name of the Role to retrieve.
+    string name = 1 [
+        (google.api.field_behavior) = REQUIRED,
+        (google.api.resource_reference) = {
+            type: "redpanda.core.admin.SecurityService/Role"
+        }
+    ];
+}
+
+// GetRoleResponse is the response from the GetRole RPC.
+message GetRoleResponse {
+    // The requested Role.
+    Role role = 1;
+}
+
+// ListRolesRequest is the request for the ListRoles RPC.
+message ListRolesRequest {}
+
+// ListRolesResponse is the response from the ListRoles RPC.
+message ListRolesResponse {
+    // The list of Roles.
+    repeated Role roles = 1;
+}
+
+// AddRoleMembersRequest is the request for the AddRoleMembers RPC.
+message AddRoleMembersRequest {
+    // The name of the Role to add members to.
+    string role_name = 1 [
+        (google.api.field_behavior) = REQUIRED,
+        (google.api.resource_reference) = {
+            type: "redpanda.core.admin.SecurityService/Role"
+        }
+    ];
+
+    // The members to add to the Role. If any members are already part of the
+    // role, they are ignored.
+    repeated RoleMember members = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// AddRoleMembersResponse is the response from the AddRoleMembers RPC.
+message AddRoleMembersResponse {
+    // The updated Role.
+    Role role = 1;
+}
+
+// RemoveRoleMembersRequest is the request for the RemoveRoleMembers RPC.
+message RemoveRoleMembersRequest {
+    // The name of the Role to remove members from.
+    string role_name = 1 [
+        (google.api.field_behavior) = REQUIRED,
+        (google.api.resource_reference) = {
+            type: "redpanda.core.admin.SecurityService/Role"
+        }
+    ];
+
+    // The members to remove from the Role. If any members are already not part
+    // of the role, they are ignored.
+    repeated RoleMember members = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// RemoveRoleMembersResponse is the response from the RemoveRoleMembers RPC.
+message RemoveRoleMembersResponse {
+    // The updated Role.
+    Role role = 1;
+}
+
+// DeleteRoleRequest is the request for the DeleteRole RPC.
+message DeleteRoleRequest {
+    // The name of the Role to delete.
+    string name = 1 [
+        (google.api.field_behavior) = REQUIRED,
+        (google.api.resource_reference) = {
+            type: "redpanda.core.admin.SecurityService/Role"
+        }
+    ];
+
+    // Whether to also delete any ACLs associated with this role.
+    bool delete_acls = 2;
+}
+
+// DeleteRoleResponse is the response from the DeleteRole RPC.
+message DeleteRoleResponse {}
+
+// ListCurrentUserRolesRequest is the request for the ListCurrentUserRoles RPC.
+message ListCurrentUserRolesRequest {}
+
+// ListCurrentUserRolesResponse is the response from the ListCurrentUserRoles
+// RPC.
+message ListCurrentUserRolesResponse {
+    // The list of Role names that the current authenticated user is a member
+    // of.
+    repeated string roles = 1 [
+        (google.api.field_behavior) = OUTPUT_ONLY,
+        (google.api.resource_reference) = {
+            type: "redpanda.core.admin.SecurityService/Role"
+        }
+    ];
+}
+
 // ResolveOidcIdentityRequest is the request for the ResolveOidcIdentity RPC.
 message ResolveOidcIdentityRequest {}
 
@@ -93,4 +294,18 @@ message RevokeOidcSessionsResponse {}
 
 // =============================================
 /* Other Messages */
-// =============================================
+// =============================================
+
+// RoleUser represents a user member of a Role.
+message RoleUser {
+    // The name of the user.
+    string name = 1;
+}
+
+// RoleMember represents a member of a Role.
+message RoleMember {
+    // The member data.
+    oneof member {
+        RoleUser user = 1;
+    }
+}
diff --git a/src/v/redpanda/admin/services/BUILD b/src/v/redpanda/admin/services/BUILD
@@ -52,15 +52,16 @@ redpanda_cc_library(
     srcs = ["security.cc"],
     hdrs = ["security.h"],
     implementation_deps = [
+        ":utils",
         "//src/v/redpanda/admin/proxy:context",
-        "//src/v/security",
         "//src/v/security:request_auth",
     ],
     deps = [
         "//proto/redpanda/core/admin/v2:security_redpanda_proto",
         "//src/v/cluster",
         "//src/v/kafka/server",
         "//src/v/redpanda/admin/proxy:client",
+        "//src/v/security",
         "//src/v/serde/protobuf:rpc",
         "@seastar",
     ],