Schema Registry ACL Authorizer

Schema Registry ACL Authorizer is a fine-grained authorizer which relies on ACLs defined for specific Schema Registry Operations against the subjects. The Schema Registry ACL Authorizer is the most definitive and complete way of defining ACL and authorization for Schema Registry.

Note

SCHEMA_READ is the only operation that cannot be defined and managed explicitly. It relies on SUBJECT_READ grant on at least one of the subjects that the schema ID is associated with.

Schema Registry ACL Authorizer can be enabled by adding the following config to Schema Registry config file:

confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer

You can manage the Schema Registry ACLs through the Schema Registry ACL CLI tool and the ACLs stored in a separate topic based on the configuration shown below.

confluent.schema.registry.acl.topic

The topic used to store ACLs for the Schema Registry operations. This is optional. If this configuration is used, the topic name is derived as kafkastore.topic and is suffixed with _acl.

  • Type: string
  • Default: “”
  • Importance: medium

The Schema Registry ACL CLI communicates directly to the Kafka brokers in the Schema Registry properties. For a secure broker with ACLs, you should use the CLI directly from the Schema Registry host and the same authenticated user as the Schema Registry service. This ensures that the tool has the appropriate ACLs and access to the broker.

Schema Registry ACL CLI

Schema Registry ACLs can be managed through Schema Registry ACL CLI tool. Run the Schema Registry ACL CLI tool to view the available options:

<path-to-confluent>/bin/sr-acl-cli

Usage:
Option                      Description
------                      -----------
-h, --help                  Print usage information.
--add                       Indicates you are trying to add ACLs.
--remove                    Indicates you are trying to remove ACLs.
--list                      List all the current ACLs
--config <File>             REQUIRED: Schema Registry properties file
-o, --operation <String>    Operation that is being authorized. Valid operation
                              names are:
                            [SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE,
                              SUBJECT_COMPATIBILITY_READ,
                              SUBJECT_COMPATIBILITY_WRITE,
                              GLOBAL_COMPATIBILITY_READ,
                              GLOBAL_COMPATIBILITY_WRITE, GLOBAL_SUBJECTS_READ]
-s, --subject <String>      Subject to which the ACL is being applied to. Only
                              applicable for SUBJECT operations. Use * to apply
                              to all subjects
-t, --topic <String>        Topic to which the ACL is being applied to. The
                              corresponding subjects would topic-key and topic-
                              value.Only applicable for SUBJECT operations. Use
                              * to apply to all subjects
-p, --principal <String>    Principal to which the ACL is being applied to. Use
                              * to apply to all principals

Adding ACLs

Below are various examples of adding to Schema Registry ACLs.

Important

These examples assume you are running these commands from the home directory of your Confluent Platform installation.

  1. Add write access to subject test-subject-value for user Bob
$ ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -s test-subject-value -p Bob -o SUBJECT_WRITE
  1. Add write access for subjects test-subject-key and test-subject-value for user Bob
$ ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -t test-subject -p Bob -o SUBJECT_WRITE
  1. Add read & write access to subject test-subject-value for user Bob
$ ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -s test-subject-value -p Bob -o SUBJECT_WRITE:SUBJECT_READ
  1. Allow user Alice to manage global compatibility
$ ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -s test-subject-value -p Alice -o GLOBAL_COMPATIBILITY_READ:GLOBAL_COMPATIBILITY_WRITE
  1. Create an admin user schema-admin
$ ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -s * -p schema-admin -o *

Removing ACLs

Remove ACL command is similar to that of add ACL, except that you ue the option --remove instead of --add.

  1. Remove write access to subject test-subject-value for user Bob
$ ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --remove -s test-subject-value -p Bob -o SUBJECT_WRITE

List ACLs

This command doesn’t take any options and simply lists all ACLs that have been defined so far.

$ ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --list