modules/manage/pages/schema-reg/schema-reg-api.adoc
5 additions & 0 deletions
@@ -1151,7 +1151,12 @@ You can put either a single subject or the entire Schema Registry into import mo
1151
1151
1152
1152
To enable import mode, you must have:
1153
1153
1154
+
ifndef::env-cloud[]
1154
1155
* Either superuser access, or a Schema Registry ACL with the `alter_configs` operation on the `registry` resource. See xref:manage:schema-reg/schema-reg-authorization.adoc#enable-schema-registry-authorization[Enable Schema Registry Authorization] to learn how to enable schema registry authorization for your cluster.
1156
+
endif::[]
1157
+
ifdef::env-cloud[]
1158
+
* Either admin access, or a Schema Registry ACL with the `alter_configs` operation on the `registry` resource. See xref:manage:schema-reg/schema-reg-authorization.adoc[Schema Registry Authorization] for details on managing Schema Registry ACLs.
1159
+
endif::[]
1155
1160
* An empty registry or subject. That is, either no schemas have ever been registered, or you must <<hard-delete-a-schema,hard-delete>> all schemas that were registered.
1156
1161
+
1157
1162
To bypass the check for an empty registry when setting the global mode to import:
On BYOC and Dedicated clusters, Schema Registry Authorization is enabled by default. The xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`] cluster property is set to `true` automatically when the cluster is provisioned, and the predefined Admin, Writer, and Reader roles include Schema Registry permissions. See xref:security:authorization/rbac/rbac.adoc#predefined-roles[Predefined roles] for the operations granted by each role.
20
+
21
+
You do not need to enable Schema Registry Authorization manually. Use the rest of this page to learn how to define custom Schema Registry ACLs and roles for your users and applications.
22
+
====
23
+
endif::[]
24
+
16
25
== About Schema Registry Authorization
17
26
18
27
Schema Registry Authorization allows you to control which users and applications can perform specific operations within the Redpanda Schema Registry. This ensures that only authorized entities can read, write, modify, delete, or configure schemas and their settings.
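Review bot: the two new prerequisite bullets are inconsistent in their link text: the self-managed bullet (new line 1155) points at the enable-authorization anchor with the lowercase phrase "enable schema registry authorization", while the cloud bullet (new line 1158) links to the page root as "Schema Registry Authorization"; capitalize the self-managed link text to match the section title it points to. Separately, the tail of this hunk (new lines 20 through 27, from "On BYOC and Dedicated clusters" through the "About Schema Registry Authorization" heading) belongs to a second file whose header was dropped in this rendering; its `====` at new line 22 and `endif::[]` at new line 23 close an admonition block and an `ifdef::env-cloud[]` that open above the visible context, so confirm both openers are present in that file.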
@@ -28,10 +37,10 @@ You can manage Schema Registry Authorization in the following ways:
28
37
- **rpk**: Use the xref:reference:rpk/rpk-security/rpk-security-acl-create.adoc[`rpk security acl create`] command, just like you would for other Kafka ACLs.
29
38
- **Schema Registry API**: Use the link:/api/doc/schema-registry/operation/operation-get_security_acls[Redpanda Schema Registry API] endpoints.
30
39
ifndef::env-cloud[]
31
-
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:manage:security/authorization/acl.adoc[].
40
+
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:manage:security/authorization/acl.adoc[].
32
41
endif::[]
33
42
ifdef::env-cloud[]
34
-
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:security:/authorization/acl.adoc[].
43
+
- **{ui}**: Use {ui} to manage Schema Registry ACLs. See xref:security:authorization/acl.adoc[].
35
44
endif::[]
36
45
37
46
=== Schema Registry ACL resource types
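Review bot: the cloud {ui} bullet replaced at new line 43 fixes a malformed cross-reference (`xref:security:/authorization/acl.adoc[]` had a stray slash after the module name) and drops the "After enabling Schema Registry Authorization for your cluster" clause, which matches the first hunk's statement that cloud clusters have authorization on by default. The self-managed bullet at new line 40, however, reads identically to the removed line 31, so check whether that pair is a whitespace-only change that should be left out of the diff.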
@@ -402,39 +411,41 @@ Redpanda recommends using the topic naming strategy where subjects follow the pa
402
411
Example: `--registry-subject "orders-" --resource-pattern-type prefixed` grants access to both `orders-key` and `orders-value` subjects.
403
412
====
404
413
405
-
== Enable Schema Registry Authorization
414
+
ifdef::env-cloud[]
415
+
== Manage Schema Registry ACLs
406
416
407
417
=== Prerequisites
408
418
409
-
Before you can enable Schema Registry Authorization, you must have:
419
+
Before you can create or manage Schema Registry ACLs, you must have:
410
420
411
-
ifndef::env-cloud[]
412
-
* A valid Redpanda Enterprise license.
413
-
endif::[]
414
-
415
-
ifdef::env-cloud[]
416
421
* `rpk` v25.2+ installed. For installation instructions, see xref:manage:rpk/rpk-install.adoc[rpk installation].
422
+
* Cluster administrator permissions to modify Schema Registry ACLs.
423
+
For example, to delegate ACL management to the principal `schema_registry_admin`, run:
424
+
+
425
+
[,bash]
426
+
----
427
+
rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
428
+
----
417
429
endif::[]
418
430
419
431
ifndef::env-cloud[]
420
-
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
421
-
endif::[]
432
+
== Enable Schema Registry Authorization
422
433
423
-
ifndef::env-cloud[]
424
-
* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See xref:reference:properties/broker-properties.adoc#schema-registry[Schema Registry broker properties].
425
-
endif::[]
434
+
=== Prerequisites
426
435
427
-
ifndef::env-cloud[]
428
-
* If you have listeners configured for Schema Registry, ensure you xref:manage:security/authentication.adoc#basic-authentication[configure authentication] for them and that your configuration points to the correct Schema Registry address (correct scheme, host, and port) for the same cluster you are targeting with your Kafka brokers.
429
-
endif::[]
436
+
Before you can enable Schema Registry Authorization, you must have:
430
437
438
+
* A valid Redpanda Enterprise license.
439
+
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
440
+
* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See xref:reference:properties/broker-properties.adoc#schema-registry[Schema Registry broker properties].
441
+
* If you have listeners configured for Schema Registry, ensure you xref:manage:security/authentication.adoc#basic-authentication[configure authentication] for them and that your configuration points to the correct Schema Registry address (correct scheme, host, and port) for the same cluster you are targeting with your Kafka brokers.
431
442
* Cluster administrator permissions to modify cluster configurations.
432
443
For example, to enable management of Schema Registry ACLs by the principal `schema_registry_admin`, run:
433
-
+
434
-
[,bash]
435
-
----
436
-
rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
437
-
----
444
+
+
445
+
[,bash]
446
+
----
447
+
rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
448
+
----
438
449
439
450
=== Enable authorization
440
451
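Review bot: in both the cloud branch (new line 427) and the self-managed branch (new line 447), the example `rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter` grants `alter` on the cluster resource, which in Kafka-style ACLs is what permits creating and deleting ACLs of any kind, not a grant scoped to Schema Registry; the lead-in sentences ("to delegate ACL management" and "to enable management of Schema Registry ACLs") should state that the principal can then alter all ACLs on the cluster, so readers do not confuse it with the `registry`-resource `alter_configs` grant described earlier in this diff. The self-managed prerequisite bullet at new line 442, "Cluster administrator permissions to modify cluster configurations", is also followed by an example that grants ACL-alter rights rather than configuration rights, so the bullet and its example no longer match. Finally, the doubled `+` blank lines before each `[,bash]` block (new lines 424 to 425 and 444 to 445) leave two empty lines where one is enough.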
@@ -446,6 +457,7 @@ rpk cluster config set schema_registry_enable_authorization true
446
457
----
447
458
448
459
For details, see xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`].
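Review bot: the hunk header `@@ -446,6 +457,7 @@` declares one added line after the `rpk cluster config set schema_registry_enable_authorization true` block, but only the three leading context lines (the closing `----`, a blank line, and the `For details` xref) appear in this rendering, so the added line itself is not visible for review; the shown context reads fine.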