-
Notifications
You must be signed in to change notification settings - Fork 52
Doc 1196: Document Feature - Schema Registry Authorization #1224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Changes from 24 commits
Commits
Show all changes
33 commits
Select commit
Hold shift + click to select a range
a851d42
DOC-1196 Draft
Feediver1 4408804
DOC-1196 acl update
Feediver1 c02508c
draft
Feediver1 693dda2
DOC-1196
Feediver1 7fa3543
adding to draft
Feediver1 be8b14d
drafting
Feediver1 b3718bc
revisions
Feediver1 537d113
wip
Feediver1 2a85959
wip
Feediver1 91696af
fixed order of cmd name
Feediver1 b74a7ac
fixed link
Feediver1 fa83219
wip
Feediver1 6233c7c
edits
Feediver1 fc22650
what's new
Feediver1 c30e1e9
Add create ACL to SR API usage doc
kbatuigas 1588049
Enclose license partial with admonition
kbatuigas 8e89d96
PR review feedback
Feediver1 1fcec6d
Apply suggestions from code review
Feediver1 edf82b2
merge conflicts
Feediver1 ab51aaa
tag fix
Feediver1 cd029f0
nit
Feediver1 175be22
wip
Feediver1 5fc4e0a
Update modules/manage/pages/schema-reg/schema-reg-api.adoc
kbatuigas 7fb2fa8
format change
Feediver1 84a70e5
review updates
Feediver1 a93c88a
review comments
Feediver1 ca7c6ba
comments
Feediver1 03924bf
missed one
Feediver1 1a9396f
Merge branch 'beta' into DOC-1196
Feediver1 f5516b7
resolve case issue
Feediver1 a9efe84
case fix
Feediver1 1be715f
Apply edit per suggestion
kbatuigas fdbeb93
Update modules/manage/pages/schema-reg/schema-reg-authorization.adoc
Feediver1 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -76,6 +76,49 @@ def pretty(text): | |||||
| base_uri = "http://localhost:8081" | ||||||
| ---- | ||||||
|
|
||||||
| == Manage Schema Registry ACLs | ||||||
|
|
||||||
| ifndef::env-cloud[] | ||||||
| [NOTE] | ||||||
| ==== | ||||||
| include::shared:partial$enterprise-license.adoc[] | ||||||
| ==== | ||||||
| endif::[] | ||||||
|
|
||||||
| You can use ACLs to control access to Schema Registry resources. You can define fine-grained access on a global level, for example, to allow a principal to read all schemas, or on a per-subject basis; for example, to read and write to only the schemas of a specific subject. | ||||||
|
Feediver1 marked this conversation as resolved.
Outdated
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
or you could make it into 2 bullets? |
||||||
|
|
||||||
| See xref:manage:schema-reg/schema-reg-authorization.adoc[] for more details on Schema Registry Authorization. | ||||||
|
|
||||||
| For example, to xref:api:ROOT:pandaproxy-schema-registry.adoc#post-/security/acls[create ACLs] that allow users with the `admin` role read-only access to all registered schemas, run: | ||||||
|
|
||||||
| [,bash] | ||||||
| ---- | ||||||
| curl -X POST "http://localhost:8081/security/acls" \ | ||||||
| -H "Content-Type: application/json" \ | ||||||
| -d '[ | ||||||
| { | ||||||
| "principal": "RedpandaRole:admin", | ||||||
| "resource": "*", | ||||||
| "resource_type": "REGISTRY", | ||||||
| "pattern_type": "LITERAL", | ||||||
| "host": "*", | ||||||
| "operation": "DESCRIBE_CONFIGS", | ||||||
|
Feediver1 marked this conversation as resolved.
|
||||||
| "permission": "ALLOW" | ||||||
| }, | ||||||
| { | ||||||
| "principal": "RedpandaRole:admin", | ||||||
| "resource": "*", | ||||||
| "resource_type": "SUBJECT", | ||||||
| "pattern_type": "LITERAL", | ||||||
| "host": "*", | ||||||
| "operation": "READ", | ||||||
| "permission": "ALLOW" | ||||||
| } | ||||||
| ]' | ||||||
| ---- | ||||||
|
|
||||||
| This creates two ACLs: one for registry-level read operations (such as reading global configuration) and another for subject-level read operations (such as reading schemas). | ||||||
|
|
||||||
| == Query supported schema formats | ||||||
|
|
||||||
| To get the supported data serialization formats in the Schema Registry, make a GET request to the `/schemas/types` endpoint: | ||||||
|
|
@@ -935,7 +978,7 @@ Curl:: | |||||
|
|
||||||
| == Use READONLY mode for disaster recovery | ||||||
|
|
||||||
| The `/mode` endpoint allows you to put Schema Registry in read-only or read-write mode. A read-only Schema Registry does not accept direct writes. An active production cluster can replicate schemas to a read-only Schema Registry to keep it in sync, for example using Redpanda's https://github.com/redpanda-data/schema-migration/[Schema Migration tool^]. Users in the disaster recovery (DR) site cannot update schemas directly, so the DR cluster has an exact replica of the schemas in production. In a failover due to a disaster or outage, you can set Schema Registry to read-write mode, taking over for the failed cluster and ensuring availability. | ||||||
| The `/mode` endpoint allows you to put Schema Registry in read-only or read-write mode. A read-only Schema Registry does not accept direct writes. An active production cluster can replicate schemas to a read-only Schema Registry to keep it in sync, for example using Redpanda's https://github.com/redpanda-data/schema-migration/[Schema Migration tool^]. Users in the disaster recovery (DR) site cannot update schemas directly, so the DR cluster has an exact replica of the schemas in production. In a failover due to a disaster or outage, you can set Schema Registry to read-write mode, taking over for the failed cluster and ensuring availability. | ||||||
|
|
||||||
| If authentication is enabled on Schema Registry, only superusers can change global and subject-level modes. | ||||||
|
|
||||||
|
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.