.. _confluentsecurityplugins_sracl_authorizer:

Schema Registry ACL Authorizer
==============================

Schema Registry ACL Authorizer is a fine-grained authorizer which relies on ACLs defined for specific :ref:`Schema Registry Operations` against the subjects. Hence, Schema Registry ACL Authorizer is the most definitive and complete way of defining ACLs and authorization for Schema Registry.

.. note:: The only operation that cannot be defined and managed explicitly is SCHEMA_READ, which relies on a SUBJECT_READ grant on at least one of the subjects that the schema id is associated with.

Schema Registry ACL Authorizer can be enabled by adding the below config to the Schema Registry config file:

.. sourcecode:: bash

   confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer

The Schema Registry ACLs can be managed through the Confluent CLI, and the ACLs are stored in a separate topic based on the below configuration:

``confluent.schema.registry.acl.topic``
  The topic used to store ACLs for the Schema Registry operations. This is optional; when not supplied, the topic name is derived as ``kafkastore.topic`` suffixed with ``_acl``.

  * Type: string
  * Default: ""
  * Importance: medium

Schema Registry ACL CLI
-----------------------

Schema Registry ACLs can be managed through the Confluent CLI. You can get started with the CLI by executing the below:

.. sourcecode:: bash

   $ confluent acl schema-registry

The various options available in the CLI are as follows:

========================= ========================================================================
**Option**                **Description**
------------------------- ------------------------------------------------------------------------
-h, --help                Print usage information.
--add                     Indicates you are trying to add ACLs.
--remove                  Indicates you are trying to remove ACLs.
--list                    List all the current ACLs.
-o, --operation           Operation that is being authorized. Valid operation names are:
                          [SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE,
                          SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE,
                          GLOBAL_COMPATIBILITY_READ, GLOBAL_COMPATIBILITY_WRITE,
                          GLOBAL_SUBJECTS_READ]
-s, --subject             Subject to which the ACL is being applied. Only applicable for
                          SUBJECT operations. Use ``*`` to apply to all subjects.
-t, --topic               Topic to which the ACL is being applied; the corresponding subjects
                          are ``<topic>-key`` and ``<topic>-value``. Only applicable for
                          SUBJECT operations. Use ``*`` to apply to all subjects.
-p, --principal           Principal to which the ACL is being applied. Use ``*`` to apply to
                          all principals.
========================= ========================================================================

Adding ACLs
+++++++++++

Below are various examples of adding Schema Registry ACLs.

1. Add write access to subject ``test-subject-value`` for user ``Bob``

   .. sourcecode:: bash

      $ confluent acl schema-registry --add -s test-subject-value -p Bob -o SUBJECT_WRITE

2. Add write access for subjects ``test-subject-key`` and ``test-subject-value`` for user ``Bob``

   .. sourcecode:: bash

      $ confluent acl schema-registry --add -t test-subject -p Bob -o SUBJECT_WRITE

3. Add read & write access to subject ``test-subject-value`` for user ``Bob``

   .. sourcecode:: bash

      $ confluent acl schema-registry --add -s test-subject-value -p Bob -o SUBJECT_WRITE:SUBJECT_READ

4. Allow user ``Alice`` to manage global compatibility

   .. sourcecode:: bash

      $ confluent acl schema-registry --add -s test-subject-value -p Alice -o GLOBAL_COMPATIBILITY_READ:GLOBAL_COMPATIBILITY_WRITE

5. Create an admin user ``schema-admin`` (the wildcards are quoted so the shell does not expand them against files in the current directory)

   .. sourcecode:: bash

      $ confluent acl schema-registry --add -s '*' -p schema-admin -o '*'

Removing ACLs
+++++++++++++

The remove ACL command is similar to that of add ACL, except that you use the option ``--remove`` instead of ``--add``.

1. Remove write access to subject ``test-subject-value`` for user ``Bob``

   .. sourcecode:: bash

      $ confluent acl schema-registry --remove -s test-subject-value -p Bob -o SUBJECT_WRITE

List ACLs
+++++++++

This command doesn't take any options and simply lists all ACLs that have been defined so far.

.. sourcecode:: bash

   $ confluent acl schema-registry --list
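To make the authorization rules on this page concrete, the following added example (not the plugin's or Confluent's code) models them in Python: ACLs are ``(principal, subject, operation)`` entries, ``*`` is a wildcard for any of the three, ``-t topic`` expands to the ``<topic>-key`` and ``<topic>-value`` subjects, ``A:B`` grants several operations in one call, GLOBAL_* operations ignore the subject, and SCHEMA_READ is not grantable but is derived from SUBJECT_READ on at least one subject the schema id is registered under, as the note above states. ``build_sample`` replays the five ``--add`` examples above so you can check which requests each principal ends up allowed to make. The class and function names, the in-memory ACL set standing in for the ACL topic, and the schema-id-to-subject map are all constructed for this example and are not the plugin's API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Operation names exactly as listed for the --operation option above.
OPERATIONS = frozenset({
    "SUBJECT_READ", "SUBJECT_WRITE", "SUBJECT_DELETE",
    "SUBJECT_COMPATIBILITY_READ", "SUBJECT_COMPATIBILITY_WRITE",
    "GLOBAL_COMPATIBILITY_READ", "GLOBAL_COMPATIBILITY_WRITE",
    "GLOBAL_SUBJECTS_READ",
})


@dataclass(frozen=True)
class Acl:
    principal: str   # '*' matches every principal
    subject: str     # '*' matches every subject; ignored for GLOBAL_* operations (model assumption)
    operation: str   # one of OPERATIONS, or '*' for all of them


class SchemaRegistryAclModel:
    """Hypothetical in-memory stand-in for the ACL topic; not the plugin's store."""

    def __init__(self) -> None:
        self.acls: Set[Acl] = set()

    @staticmethod
    def _expand(principal: str, operations: str,
                subject: Optional[str], topic: Optional[str]) -> List[Acl]:
        # Exactly one of -s / -t, as in the CLI; -t covers <topic>-key and <topic>-value.
        if (subject is None) == (topic is None):
            raise ValueError("give exactly one of subject (-s) or topic (-t)")
        subjects = [subject] if subject is not None else [f"{topic}-key", f"{topic}-value"]
        acls: List[Acl] = []
        for op in operations.split(":"):   # 'A:B' grants several operations at once
            if op != "*" and op not in OPERATIONS:
                raise ValueError(f"unknown operation: {op}")
            acls.extend(Acl(principal, s, op) for s in subjects)
        return acls

    def add(self, principal: str, operations: str,
            subject: Optional[str] = None, topic: Optional[str] = None) -> None:
        """Model of ``--add``."""
        self.acls.update(self._expand(principal, operations, subject, topic))

    def remove(self, principal: str, operations: str,
               subject: Optional[str] = None, topic: Optional[str] = None) -> None:
        """Model of ``--remove``: same shape as --add, drops exact matches only."""
        self.acls.difference_update(self._expand(principal, operations, subject, topic))

    def list(self) -> List[Acl]:
        """Model of ``--list``."""
        return sorted(self.acls, key=lambda a: (a.principal, a.subject, a.operation))

    def is_authorized(self, principal: str, operation: str,
                      subject: Optional[str] = None) -> bool:
        """Allow iff some ACL matches principal, operation and (for SUBJECT ops) subject."""
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation: {operation}")
        is_global = operation.startswith("GLOBAL_")
        for acl in self.acls:
            if acl.principal not in ("*", principal):
                continue
            if acl.operation not in ("*", operation):
                continue
            if is_global or acl.subject == "*" or acl.subject == subject:
                return True
        return False   # default deny: no matching grant

    def can_read_schema(self, principal: str, schema_id: int,
                        schema_subjects: Dict[int, List[str]]) -> bool:
        """SCHEMA_READ is derived: allowed iff SUBJECT_READ holds on at least one
        subject the schema id is registered under (the note on this page)."""
        return any(self.is_authorized(principal, "SUBJECT_READ", s)
                   for s in schema_subjects.get(schema_id, ()))


def build_sample() -> SchemaRegistryAclModel:
    """Replays the page's five --add examples against the model."""
    m = SchemaRegistryAclModel()
    m.add("Bob", "SUBJECT_WRITE", subject="test-subject-value")                 # example 1
    m.add("Bob", "SUBJECT_WRITE", topic="test-subject")                         # example 2
    m.add("Bob", "SUBJECT_WRITE:SUBJECT_READ", subject="test-subject-value")    # example 3
    m.add("Alice", "GLOBAL_COMPATIBILITY_READ:GLOBAL_COMPATIBILITY_WRITE",
          subject="test-subject-value")                                         # example 4
    m.add("schema-admin", "*", subject="*")                                     # example 5
    return m


# Constructed sample data: which subjects each schema id is registered under.
SAMPLE_SCHEMA_SUBJECTS: Dict[int, List[str]] = {
    1: ["test-subject-value"],
    2: ["orders-value"],
}

if __name__ == "__main__":
    model = build_sample()
    for acl in model.list():
        print(acl)
    print(model.is_authorized("Bob", "SUBJECT_DELETE", "test-subject-value"))  # False
    print(model.can_read_schema("Bob", 1, SAMPLE_SCHEMA_SUBJECTS))             # True
    print(model.can_read_schema("Bob", 2, SAMPLE_SCHEMA_SUBJECTS))             # False
```

Two things the replay makes visible: the ``-t test-subject`` grant in example 2 gives Bob write access to ``test-subject-key`` even though no example mentions that subject by name, and Bob's SUBJECT_READ from example 3 is what lets him fetch a schema by id only while that id is registered under ``test-subject-value``; the same id registered only under another subject is denied, which is the behaviour to expect from the SCHEMA_READ rule when auditing who can read which schemas.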