Schema Registry ACL Authorizer

Schema Registry ACL Authorizer is a fine-grained authorizer that checks each Schema Registry operation against ACLs defined per subject (or globally, for the operations that are not scoped to a subject). It is therefore the most precise and complete way of defining ACLs and authorization for Schema Registry.

Note

The only operation that cannot be defined and managed explicitly is SCHEMA_READ: reading a schema by id is allowed when the principal holds SUBJECT_READ on at least one of the subjects that the schema id is associated with. Because identical schemas registered under different subjects share one id, SUBJECT_READ on any one of those subjects is enough to fetch the schema by id.

Schema Registry ACL Authorizer is enabled by adding the following setting to the Schema Registry configuration file:

confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer

Schema Registry ACLs are managed through the Confluent CLI and stored in a separate Kafka topic, selected with the following setting:

confluent.schema.registry.acl.topic

The topic used to store ACLs for Schema Registry operations. This is optional; when not supplied, the topic name is derived from kafkastore.topic by appending _acl (for example, the default kafkastore.topic of _schemas gives _schemas_acl).

  • Type: string
  • Default: “”
  • Importance: medium

Schema Registry ACL CLI

Schema Registry ACLs are managed through the Confluent CLI. You can get started by running:

$ confluent acl schema-registry

The options available in the CLI are as follows:

Option                      Description
-h, --help                  Print usage information.
--add                       Add the specified ACLs.
--remove                    Remove the specified ACLs.
--list                      List all current ACLs.
-o, --operation <String>    Operation being authorized. Separate several operations with a colon (for example SUBJECT_WRITE:SUBJECT_READ); use * for all operations. Valid operation names are: SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE, GLOBAL_COMPATIBILITY_READ, GLOBAL_COMPATIBILITY_WRITE, GLOBAL_SUBJECTS_READ.
-s, --subject <String>      Subject the ACL applies to. Only applicable to SUBJECT operations. Use * to apply to all subjects (quote it so the shell does not expand it).
-t, --topic <String>        Topic the ACL applies to; the corresponding subjects are <topic>-key and <topic>-value. Only applicable to SUBJECT operations. Use * to apply to all subjects.
-p, --principal <String>    Principal the ACL applies to. Use * to apply to all principals (quote it so the shell does not expand it).

Adding ACLs

Examples of adding Schema Registry ACLs:

  1. Add write access to subject test-subject-value for user Bob
$ confluent acl schema-registry --add -s test-subject-value -p Bob -o SUBJECT_WRITE
  2. Add write access to subjects test-subject-key and test-subject-value for user Bob
$ confluent acl schema-registry --add -t test-subject -p Bob -o SUBJECT_WRITE
  3. Add read and write access to subject test-subject-value for user Bob
$ confluent acl schema-registry --add -s test-subject-value -p Bob -o SUBJECT_WRITE:SUBJECT_READ
  4. Allow user Alice to manage global compatibility
$ confluent acl schema-registry --add -s test-subject-value -p Alice -o GLOBAL_COMPATIBILITY_READ:GLOBAL_COMPATIBILITY_WRITE
  5. Create an admin user schema-admin (the wildcards are quoted so the shell does not expand them into file names)
$ confluent acl schema-registry --add -s '*' -p schema-admin -o '*'

Removing ACLs

Removing an ACL takes the same options as adding one, except that you use --remove instead of --add.

  1. Remove write access to subject test-subject-value for user Bob
$ confluent acl schema-registry --remove -s test-subject-value -p Bob -o SUBJECT_WRITE
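The following Python model is added here as an illustration of the authorization rules this page describes (the Note on SCHEMA_READ, the add examples, and the remove example); it is not Confluent's SchemaRegistryAclAuthorizer or CLI code. The operation names, the * wildcard, the colon-separated operation list and the topic to <topic>-key/<topic>-value expansion come from the page; the names AclStore, add, remove, is_authorized and can_read_schema, the rule that global operations ignore the subject, and the schema-id-to-subjects mapping used in demo() are this example's own assumptions.

```python
"""In-memory model of the Schema Registry ACL semantics described on this
page.  Added example, not Confluent's authorizer: names such as AclStore,
is_authorized and can_read_schema are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SUBJECT_OPS = {"SUBJECT_READ", "SUBJECT_WRITE", "SUBJECT_DELETE",
               "SUBJECT_COMPATIBILITY_READ", "SUBJECT_COMPATIBILITY_WRITE"}
GLOBAL_OPS = {"GLOBAL_COMPATIBILITY_READ", "GLOBAL_COMPATIBILITY_WRITE",
              "GLOBAL_SUBJECTS_READ"}
ALL_OPS = SUBJECT_OPS | GLOBAL_OPS


@dataclass(frozen=True)
class Acl:
    principal: str   # user name, or "*" for all principals
    subject: str     # subject name, or "*"; global operations are stored under "*" (assumption)
    operation: str


def _parse_ops(operations: str) -> Set[str]:
    """'*' means every operation; otherwise a ':'-separated list, as the -o option accepts."""
    ops = set(ALL_OPS) if operations == "*" else set(operations.split(":"))
    unknown = ops - ALL_OPS
    if unknown:
        raise ValueError(f"unknown operation(s): {sorted(unknown)}")
    return ops


def _subjects_for(subject: Optional[str], topic: Optional[str]) -> List[str]:
    """Mirror -s / -t: a topic expands to <topic>-key and <topic>-value."""
    if subject is not None and topic is not None:
        raise ValueError("give either a subject or a topic, not both")
    if topic is not None:
        return ["*"] if topic == "*" else [topic + "-key", topic + "-value"]
    return [subject] if subject is not None else []


def _expand(principal: str, operations: str,
            subject: Optional[str] = None, topic: Optional[str] = None) -> Set[Acl]:
    """Turn one CLI-style request into the concrete ACL entries it denotes."""
    subjects = _subjects_for(subject, topic)
    out: Set[Acl] = set()
    for op in _parse_ops(operations):
        if op in GLOBAL_OPS:                      # not subject-scoped: any -s/-t is ignored (assumption)
            out.add(Acl(principal, "*", op))
        elif not subjects:
            raise ValueError(f"{op} needs a subject or topic")
        else:
            out.update(Acl(principal, s, op) for s in subjects)
    return out


class AclStore:
    """Stand-in for the ACL topic: an allow-list only, with no deny rules."""

    def __init__(self) -> None:
        self.acls: Set[Acl] = set()

    def add(self, principal: str, operations: str,
            subject: Optional[str] = None, topic: Optional[str] = None) -> None:
        self.acls |= _expand(principal, operations, subject, topic)

    def remove(self, principal: str, operations: str,
               subject: Optional[str] = None, topic: Optional[str] = None) -> None:
        self.acls -= _expand(principal, operations, subject, topic)

    def entries(self) -> List[Acl]:
        return sorted(self.acls, key=lambda a: (a.principal, a.subject, a.operation))

    def is_authorized(self, principal: str, operation: str, subject: Optional[str] = None) -> bool:
        """Permit only if some entry matches principal (exact or '*'), operation and,
        for SUBJECT operations, the subject (exact or '*')."""
        if operation not in ALL_OPS:
            raise ValueError(f"unknown operation: {operation}")
        if operation in SUBJECT_OPS and subject is None:
            raise ValueError(f"{operation} is checked against a subject")
        for acl in self.acls:
            if acl.operation != operation or acl.principal not in ("*", principal):
                continue
            if operation in GLOBAL_OPS or acl.subject in ("*", subject):
                return True
        return False

    def can_read_schema(self, principal: str, schema_id: int,
                        schema_subjects: Dict[int, Set[str]]) -> bool:
        """SCHEMA_READ is not grantable: it follows from SUBJECT_READ on at least
        one subject the schema id is associated with (the page's Note)."""
        return any(self.is_authorized(principal, "SUBJECT_READ", s)
                   for s in schema_subjects.get(schema_id, ()))


def demo() -> Dict[str, object]:
    """Replay the page's add/remove examples and report what the model permits."""
    store = AclStore()
    store.add("Bob", "SUBJECT_WRITE", topic="test-subject")                       # example 2
    store.add("Bob", "SUBJECT_WRITE:SUBJECT_READ", subject="test-subject-value")  # example 3
    store.add("Alice", "GLOBAL_COMPATIBILITY_READ:GLOBAL_COMPATIBILITY_WRITE")    # example 4
    store.add("schema-admin", "*", subject="*")                                   # example 5
    # Constructed mapping: schema id 1 was registered under two subjects.
    schema_subjects = {1: {"test-subject-value", "orders-value"}, 2: {"orders-key"}}
    result: Dict[str, object] = {
        "bob_writes_key": store.is_authorized("Bob", "SUBJECT_WRITE", "test-subject-key"),
        "bob_reads_key": store.is_authorized("Bob", "SUBJECT_READ", "test-subject-key"),
        "bob_deletes_value": store.is_authorized("Bob", "SUBJECT_DELETE", "test-subject-value"),
        "bob_reads_schema_1": store.can_read_schema("Bob", 1, schema_subjects),  # via test-subject-value
        "bob_reads_schema_2": store.can_read_schema("Bob", 2, schema_subjects),
        "alice_global": store.is_authorized("Alice", "GLOBAL_COMPATIBILITY_WRITE"),
        # in this model a global grant is a separate operation from the per-subject one
        "alice_subject_compat": store.is_authorized("Alice", "SUBJECT_COMPATIBILITY_WRITE", "test-subject-value"),
        "admin_anything": store.is_authorized("schema-admin", "SUBJECT_DELETE", "orders-key")
                          and store.is_authorized("schema-admin", "GLOBAL_SUBJECTS_READ"),
        "nobody_else": store.is_authorized("Mallory", "SUBJECT_READ", "orders-key"),
        "acl_count": len(store.entries()),
    }
    store.remove("Bob", "SUBJECT_WRITE", subject="test-subject-value")            # remove example
    result["bob_writes_value_after_remove"] = store.is_authorized("Bob", "SUBJECT_WRITE", "test-subject-value")
    result["bob_writes_key_after_remove"] = store.is_authorized("Bob", "SUBJECT_WRITE", "test-subject-key")
    result["acl_count_after_remove"] = len(store.entries())
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the replay makes visible: the topic form of example 2 grants two subjects at once, so removing write on test-subject-value alone still leaves Bob able to write test-subject-key; and the derived SCHEMA_READ means Bob can fetch schema id 1 by id even though it is also registered under orders-value, a subject he has no grant on.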

List ACLs

This command takes no further options and lists all ACLs defined so far.

$ confluent acl schema-registry --list