FIND-20260401-001 · 2026-04-01 · Innovation Veille
Redpanda v26.1.1 — Group-Based Access Control with OIDC token claims
release
HIGH
Redpanda 26.1.1 (released 2026-03-31) introduces Group-Based Access Control (GBAC) that maps roles to groups provided by an OIDC Identity Provider, eliminating per-user permission management at cluster level. Also adds Cloud Topics Level Zero garbage collection with sharded workers, SCRAM credential management in Admin API v2, Schema Registry metadata improvements, and Iceberg catalog fixes. This is a major leap for ODS multi-tenant streaming security.
Source
https://github.com/redpanda-data/redpanda/releases/tag/v26.1.1
ODS Impact
Directly impacts ODS Redpanda event bus (P0). GBAC with OIDC token claims aligns perfectly with ODS multi-tenant architecture using OID as IdP. New rpk security group commands can map ODS tenant roles to Redpanda ACLs automatically. SCRAM Admin API v2 enables programmatic credential provisioning per tenant.
Security Review
License: BSL-1.1 (Redpanda source) / Apache-2.0 (clients) | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
redpanda
kafka
oidc
multi-tenant
authorization
event-driven
release