.. _confluentsecurityplugins_schema_registry_authorization:

Schema Registry Authorization
=============================

The Schema Registry security plugin provides authorization for various Schema Registry operations.
Operations that are supported by the authorizers together with their corresponding Schema
Registry URIs are listed below

.. _confluentsecurityplugins_sr_operations:
================================ =============================================================================
 **SCHEMA REGISTRY OPERATION**                         **RESOURCE**
-------------------------------- -----------------------------------------------------------------------------
  SUBJECT_READ                    .. http:get:: /subjects/(string: subject)/versions
                                  .. http:get:: /subjects/(string: subject)/versions/(versionId:version)
  SUBJECT_WRITE                   .. http:post:: /subjects/(string: subject)/versions
                                  .. http:post:: /subjects/(string: subject)
                                  .. http:post:: /compatibility/subjects/(string: subject)/versions/(versionId: version)
  SUBJECT_DELETE                  .. http:delete:: /subjects/(string: subject)/versions/(versionId: version)
                                  .. http:delete:: /subjects/(string: subject)
  SCHEMA_READ                     .. http:get:: /schemas/ids/{int: id}
  SUBJECT_COMPATIBILITY_READ      .. http:get:: /config/(string: subject)
  SUBJECT_COMPATIBILITY_WRITE     .. http:put:: /config/(string: subject)
  GLOBAL_COMPATIBILITY_READ       .. http:get:: /config
  GLOBAL_COMPATIBILITY_WRITE      .. http:put:: /config
  GLOBAL_SUBJECTS_READ            .. http:get:: /subjects
================================ =============================================================================

For more information, refer to :ref:`Schema Registry API<schemaregistry_api>`

Incoming requests are mapped to a Schema Registry Operation as outlined in above table,
after which the request is authorized using the configured authorizer:

``confluent.schema.registry.authorizer.class``
  The implementation used to authorize Schema Registry requests. This needs to be an implementation
  of the interface SchemaRegistryAuthorizer.

  * Type: string
  * Default: ""
  * Importance: high

We provide two authorizers out of the box. You can configure either of them based on the need.

.. toctree::

    sracl_authorizer
    topicacl_authorizer