
Commit 6671daa

micheleRP and claude authored
DOC-1936: Note SR authorization is on by default for Redpanda Cloud (#1694)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent dd145b9 commit 6671daa

2 files changed

Lines changed: 39 additions & 22 deletions


modules/manage/pages/schema-reg/schema-reg-api.adoc

Lines changed: 5 additions & 0 deletions
@@ -1151,7 +1151,12 @@ You can put either a single subject or the entire Schema Registry into import mo
11511151

11521152
To enable import mode, you must have:
11531153

1154+
ifndef::env-cloud[]
11541155
* Either superuser access, or a Schema Registry ACL with the `alter_configs` operation on the `registry` resource. See xref:manage:schema-reg/schema-reg-authorization.adoc#enable-schema-registry-authorization[Enable Schema Registry Authorization] to learn how to enable schema registry authorization for your cluster.
1156+
endif::[]
1157+
ifdef::env-cloud[]
1158+
* Either admin access, or a Schema Registry ACL with the `alter_configs` operation on the `registry` resource. See xref:manage:schema-reg/schema-reg-authorization.adoc[Schema Registry Authorization] for details on managing Schema Registry ACLs.
1159+
endif::[]
11551160
* An empty registry or subject. That is, either no schemas have ever been registered, or you must <<hard-delete-a-schema,hard-delete>> all schemas that were registered.
11561161
+
11571162
To bypass the check for an empty registry when setting the global mode to import:
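Review bot: the cloud-only bullet at +1158 says "admin access" without defining it, while the self-managed bullet directly above says "superuser access" and the new cloud note in schema-reg-authorization.adoc refers to the predefined Admin role. Say which one is meant, for example "a principal with the predefined Admin role, or a Schema Registry ACL with the `alter_configs` operation on the `registry` resource", and link to the predefined-roles anchor the way that note does, so a reader cannot confuse a role, a superuser and the console account that owns the cluster. The two bullets otherwise differ only in that one word and the xref target; folding them into a single bullet with an attribute for the access term would keep the `ifndef`/`ifdef` pair from drifting the next time one side is edited.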

modules/manage/pages/schema-reg/schema-reg-authorization.adoc

Lines changed: 34 additions & 22 deletions
@@ -13,6 +13,15 @@ include::shared:partial$enterprise-license.adoc[]
1313
====
1414
endif::[]
1515

16+
ifdef::env-cloud[]
17+
[NOTE]
18+
====
19+
On BYOC and Dedicated clusters, Schema Registry Authorization is enabled by default. The xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`] cluster property is set to `true` automatically when the cluster is provisioned, and the predefined Admin, Writer, and Reader roles include Schema Registry permissions. See xref:security:authorization/rbac/rbac.adoc#predefined-roles[Predefined roles] for the operations granted by each role.
20+
21+
You do not need to enable Schema Registry Authorization manually. Use the rest of this page to learn how to define custom Schema Registry ACLs and roles for your users and applications.
22+
====
23+
endif::[]
24+
1625
== About Schema Registry Authorization
1726

1827
Schema Registry Authorization allows you to control which users and applications can perform specific operations within the Redpanda Schema Registry. This ensures that only authorized entities can read, write, modify, delete, or configure schemas and their settings.
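Review bot: the note at +19 says `schema_registry_enable_authorization` is "set to `true` automatically when the cluster is provisioned", which leaves open whether a cluster administrator can later set it back to `false` with `rpk cluster config set`; "enabled by default" and "always on" are different security postures, so state which applies, and if it can be disabled, say plainly that doing so removes all per-principal restrictions on Schema Registry operations, which is the condition this property exists to prevent. The note is also scoped to "BYOC and Dedicated clusters" while the enclosing `ifdef::env-cloud[]` renders for every cloud tier; either describe the Serverless behaviour too or narrow the condition so the note does not appear on pages where it is not accurate.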
@@ -28,10 +37,10 @@ You can manage Schema Registry Authorization in the following ways:
2837
- **rpk**: Use the xref:reference:rpk/rpk-security/rpk-security-acl-create.adoc[`rpk security acl create`] command, just like you would for other Kafka ACLs.
2938
- **Schema Registry API**: Use the link:/api/doc/schema-registry/operation/operation-get_security_acls[Redpanda Schema Registry API] endpoints.
3039
ifndef::env-cloud[]
31-
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:manage:security/authorization/acl.adoc[].
40+
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:manage:security/authorization/acl.adoc[].
3241
endif::[]
3342
ifdef::env-cloud[]
34-
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:security:/authorization/acl.adoc[].
43+
- **{ui}**: Use {ui} to manage Schema Registry ACLs. See xref:security:authorization/acl.adoc[].
3544
endif::[]
3645

3746
=== Schema Registry ACL resource types
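Review bot: the `-`/`+` pair at 31/40 is textually identical in the rendered diff, so this is a whitespace-only change with no visible effect; it is harmless but worth dropping from the commit so the diff is limited to the two intended edits. The cloud bullet at +43 is the right fix: `xref:security:/authorization/acl.adoc[]` had a stray `/` after the module name that would produce a broken link, and removing the "After enabling Schema Registry Authorization" clause matches the new default-on behaviour. Because the xref now carries empty link text, confirm the target page has a document title so Antora can generate the link text instead of rendering the raw path.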
@@ -402,39 +411,41 @@ Redpanda recommends using the topic naming strategy where subjects follow the pa
402411
Example: `--registry-subject "orders-" --resource-pattern-type prefixed` grants access to both `orders-key` and `orders-value` subjects.
403412
====
404413

405-
== Enable Schema Registry Authorization
414+
ifdef::env-cloud[]
415+
== Manage Schema Registry ACLs
406416

407417
=== Prerequisites
408418

409-
Before you can enable Schema Registry Authorization, you must have:
419+
Before you can create or manage Schema Registry ACLs, you must have:
410420

411-
ifndef::env-cloud[]
412-
* A valid Redpanda Enterprise license.
413-
endif::[]
414-
415-
ifdef::env-cloud[]
416421
* `rpk` v25.2+ installed. For installation instructions, see xref:manage:rpk/rpk-install.adoc[rpk installation].
422+
* Cluster administrator permissions to modify Schema Registry ACLs.
423+
For example, to delegate ACL management to the principal `schema_registry_admin`, run:
424+
+
425+
[,bash]
426+
----
427+
rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
428+
----
417429
endif::[]
418430

419431
ifndef::env-cloud[]
420-
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
421-
endif::[]
432+
== Enable Schema Registry Authorization
422433

423-
ifndef::env-cloud[]
424-
* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See xref:reference:properties/broker-properties.adoc#schema-registry[Schema Registry broker properties].
425-
endif::[]
434+
=== Prerequisites
426435

427-
ifndef::env-cloud[]
428-
* If you have listeners configured for Schema Registry, ensure you xref:manage:security/authentication.adoc#basic-authentication[configure authentication] for them and that your configuration points to the correct Schema Registry address (correct scheme, host, and port) for the same cluster you are targeting with your Kafka brokers.
429-
endif::[]
436+
Before you can enable Schema Registry Authorization, you must have:
430437

438+
* A valid Redpanda Enterprise license.
439+
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
440+
* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See xref:reference:properties/broker-properties.adoc#schema-registry[Schema Registry broker properties].
441+
* If you have listeners configured for Schema Registry, ensure you xref:manage:security/authentication.adoc#basic-authentication[configure authentication] for them and that your configuration points to the correct Schema Registry address (correct scheme, host, and port) for the same cluster you are targeting with your Kafka brokers.
431442
* Cluster administrator permissions to modify cluster configurations.
432443
For example, to enable management of Schema Registry ACLs by the principal `schema_registry_admin`, run:
433-
+
434-
[,bash]
435-
----
436-
rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
437-
----
444+
+
445+
[,bash]
446+
----
447+
rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
448+
----
438449

439450
=== Enable authorization
440451
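Review bot: the prerequisite example at +427 and +447, `rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter`, grants `ALTER` on the cluster resource, which under Kafka ACL semantics is the permission to create and delete any ACL on the cluster, not only Schema Registry ones; the bullet text "permissions to modify Schema Registry ACLs" understates that scope. Add a sentence saying the principal becomes a full ACL administrator and should be an operator identity rather than an application that also produces schemas. The same three-line block is now duplicated verbatim inside both the `ifdef::env-cloud[]` branch (+414 to +429) and the `ifndef::env-cloud[]` branch (+431 onward), as is the `rpk` v25.2+ bullet apart from its xref target; hoisting the shared bullets and the example above the conditionals, leaving only the license, `authn_method` and listener bullets inside `ifndef`, would stop the two copies from diverging.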

@@ -446,6 +457,7 @@ rpk cluster config set schema_registry_enable_authorization true
446457
----
447458

448459
For details, see xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`].
460+
endif::[]
449461

450462
== Create and manage Schema Registry ACLs
451463
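Review bot: with the `endif::[]` at +460 closing the self-managed block, the cloud build renders `== Manage Schema Registry ACLs` (+415) immediately followed by `== Create and manage Schema Registry ACLs` (462), two sibling level-1 sections with near-identical titles, the first of which holds nothing but a prerequisites list. For cloud readers it would read better to place those prerequisites as a `=== Prerequisites` subsection under "Create and manage Schema Registry ACLs" and drop the extra heading. While here, confirm that the conditional pairs balance across the two hunks (`ifdef` +414/`endif` +429, `ifndef` +431/`endif` +460), since an unmatched directive silently swallows everything after it in the rendered page.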
