Topic ACL Authorizer

Topic ACL authorizer relies on the ACLs defined to the topic associated with the subject. Generally, subject names are of the form {topic-name}-key and {topic-name}-value when using Confluent Avro Serializers. Hence, the Topic ACL Authorizer can only be used in conjunction with the Confluent Avro Serializers which follows this norm.

The Topic ACL authorizer can be enabled by adding the below config to Schema Registry config file

confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.topicacl.SimpleTopicAclAuthorizer

Since the Topic ACL Authorizer relies on ACLs of the associated topic, you can only define ACLs for subject level operations. To perform global operations, users must be designated super users. Supers users for Topic ACL Authorizer can be managed using the below config:

confluent.topic.acl.super.users

Semicolon separated list of users who can be super users. One needs to be a super user to perform all global operations that don’t involve a subject like read or write compatibility. For example admin1;admin2 would make both admin1 and admin2 as super users.

  • Type: string
  • Default: “”
  • Importance: medium

This ACL can be managed using the Kafka ACL CLI. The below table shows the mapping between Schema Registry operations and Kafka Topic operations

SCHEMA REGISTRY OPERATION Required Kafka ACL
SUBJECT_READ TOPIC READ
SUBJECT_WRITE TOPIC WRITE
SUBJECT_DELETE TOPIC WRITE
SCHEMA_READ TOPIC READ on at least one of the topic associated with the schema id
SUBJECT_COMPATIBILITY_READ TOPIC READ
SUBJECT_COMPATIBILITY_WRITE TOPIC WRITE
GLOBAL_COMPATIBILITY_READ SUPER USER
GLOBAL_COMPATIBILITY_WRITE SUPER USER
GLOBAL_SUBJECTS_READ SUPER USER