.. _confluentsecurityplugins_sracl_authorizer:

Schema Registry ACL Authorizer
==============================

The |sr| ACL Authorizer is a fine-grained authorizer that relies on ACLs defined for specific :ref:`Schema Registry Operations` against subjects. It is the most definitive and complete way of defining ACLs and authorization for |sr|.

.. note:: SCHEMA_READ is the only operation that cannot be defined and managed explicitly. It is derived from SUBJECT_READ: a principal may read a schema by ID if it holds SUBJECT_READ on at least one of the subjects that the schema ID is associated with. When you grant SUBJECT_READ on a subject, you are therefore also granting read access to every schema registered under it.

Enable ACL Authorizer
---------------------

Set the ``java.security.auth.login.config`` system property.

.. include:: ../../../includes/sracl-env.rst

Add the following config to the |sr| config file:

.. codewithvars:: bash

   confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer

You manage the |sr| ACLs through the |sr| ACL CLI tool. The ACLs themselves are stored in a separate Kafka topic, which is configured as shown below.

.. include:: ../../includes/configuration.rst
   :start-line: 2
   :end-line: 10

The |sr| ACL CLI communicates directly with the Kafka brokers configured in the |sr| properties file. On a secure broker with ACLs, run the CLI from the |sr| host as the same authenticated user that the |sr| service runs as, so that the tool has the same broker ACLs and access to the ACL topic as the service itself.

|sr| ACL CLI
------------

|sr| ACLs are managed through the |sr| ACL CLI tool. Run the tool to view the available options:

.. code:: bash

   ./bin/sr-acl-cli

   Usage:
   Option              Description
   ------              -----------
   -h, --help          Print usage information.
   --add               Indicates you are trying to add ACLs.
   --remove            Indicates you are trying to remove ACLs.
   --list              List all the current ACLs.
   --config            REQUIRED: Schema Registry properties file.
   -o, --operation     Operation that is being authorized. Valid operation names are:
                       [SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE,
                       SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE,
                       GLOBAL_COMPATIBILITY_READ, GLOBAL_COMPATIBILITY_WRITE,
                       GLOBAL_SUBJECTS_READ]
   -s, --subject       Subject to which the ACL is applied. Only applicable for
                       SUBJECT operations. Use * to apply to all subjects.
   -t, --topic         Topic to which the ACL is applied. The corresponding subjects
                       are topic-key and topic-value. Only applicable for SUBJECT
                       operations. Use * to apply to all subjects.
   -p, --principal     Principal to which the ACL is applied. Use * to apply to all
                       principals.

Several operations can be granted in a single command by joining their names with a colon, for example ``-o SUBJECT_WRITE:SUBJECT_READ``. The ``-s`` and ``-t`` options are two ways of naming the same thing: ``-t topic`` is shorthand for the two subjects ``topic-key`` and ``topic-value``.

Adding ACLs
+++++++++++

Below are various examples of adding |sr| ACLs.

.. important:: These examples assume you are running these commands from the home directory of your |cp| installation.

1. Add write access to subject ``test-subject-value`` for user ``Bob``:

   .. codewithvars:: bash

      ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -s test-subject-value -p Bob -o SUBJECT_WRITE

2. Add write access to subjects ``test-subject-key`` and ``test-subject-value`` for user ``Bob``. Using the topic name covers both subjects with one command:

   .. codewithvars:: bash

      ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -t test-subject -p Bob -o SUBJECT_WRITE

3. Add read and write access to subject ``test-subject-value`` for user ``Bob``:

   .. codewithvars:: bash

      ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -s test-subject-value -p Bob -o SUBJECT_WRITE:SUBJECT_READ

4. Allow user ``Alice`` to manage global compatibility. GLOBAL operations are not scoped to a subject, so neither ``-s`` nor ``-t`` applies:

   .. codewithvars:: bash

      ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -p Alice -o GLOBAL_COMPATIBILITY_READ:GLOBAL_COMPATIBILITY_WRITE

5. Create an admin user ``schema-admin`` with every operation on every subject. Quote the wildcards so that the shell does not expand ``*`` against the files in the current directory before the CLI sees it:

   .. codewithvars:: bash

      ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --add -s '*' -p schema-admin -o '*'

Removing ACLs
+++++++++++++

The remove command is the same as the add command, except that you use the ``--remove`` option instead of ``--add``. For example, to remove write access to subject ``test-subject-value`` for user ``Bob``:

.. codewithvars:: bash

   ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --remove -s test-subject-value -p Bob -o SUBJECT_WRITE

List ACLs
+++++++++

This command lists all ACLs that have been defined. Run it after every change to confirm that the grant you intended is the grant that was stored:

.. codewithvars:: bash

   ./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --list
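The add and remove examples above each grant one principal one hand-typed operation list. The following script is an added example, not part of the Confluent documentation or of the ``sr-acl-cli`` tool: it generalizes those examples into a small role-based policy (``producer``, ``consumer``, ``admin`` are this script's own role names), validates every operation name against the list printed by the CLI help before anything is sent to the brokers, and builds the invocation without ever exposing an unquoted ``*`` to the shell. ``SR_ACL_CLI``, ``SR_CONFIG`` and ``DRY_RUN`` are assumed environment variables with the defaults shown; the operation-to-role mapping is a policy choice made here for illustration.

```shell
#!/bin/sh
# Added example (not Confluent's code): least-privilege sr-acl-cli grants per role.
# Assumptions: SR_ACL_CLI and SR_CONFIG point at the CLI and the Schema Registry
# properties file; DRY_RUN=1 prints the arguments instead of running the tool.
set -eu

SR_ACL_CLI=${SR_ACL_CLI:-./bin/sr-acl-cli}
SR_CONFIG=${SR_CONFIG:-./etc/schema-registry/schema-registry.properties}

# Operation names exactly as listed by the sr-acl-cli usage text.
VALID_OPS="SUBJECT_READ SUBJECT_WRITE SUBJECT_DELETE SUBJECT_COMPATIBILITY_READ \
SUBJECT_COMPATIBILITY_WRITE GLOBAL_COMPATIBILITY_READ GLOBAL_COMPATIBILITY_WRITE \
GLOBAL_SUBJECTS_READ"

# valid_op NAME -> 0 if NAME is a listed operation or the '*' wildcard.
valid_op() {
  [ "$1" = '*' ] && return 0
  for v in $VALID_OPS; do
    [ "$v" = "$1" ] && return 0
  done
  return 1
}

# check_ops OP[:OP...] -> 1 on the first name the CLI would not accept.
check_ops() {
  rest=$1
  while :; do
    op=${rest%%:*}
    valid_op "$op" || { echo "unknown operation: $op" >&2; return 1; }
    [ "$rest" = "$op" ] && return 0
    rest=${rest#*:}
  done
}

# role_ops ROLE -> colon-separated operations this script grants for ROLE.
#   producer: register schemas and read them back for its topic's subjects.
#   consumer: read only. SCHEMA_READ (lookup by schema ID) cannot be granted
#             directly; it follows from SUBJECT_READ on one of the schema's subjects.
#   admin:    every operation ('*').
role_ops() {
  case $1 in
    producer) echo SUBJECT_READ:SUBJECT_WRITE ;;
    consumer) echo SUBJECT_READ ;;
    admin)    echo '*' ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# sr_acl_args ACTION ROLE PRINCIPAL [TOPIC] -> CLI arguments, one per line.
# ACTION is --add or --remove. Non-admin roles use -t so one ACL covers both
# TOPIC-key and TOPIC-value; admin uses -s '*'. One argument per line keeps the
# wildcard out of the shell's word splitting and globbing.
sr_acl_args() {
  action=$1 role=$2 principal=$3 topic=${4:-}
  ops=$(role_ops "$role") || return 1
  check_ops "$ops" || return 1
  if [ "$role" != admin ] && [ -z "$topic" ]; then
    echo "role $role needs a topic" >&2; return 1
  fi
  printf '%s\n' --config "$SR_CONFIG" "$action"
  if [ "$role" = admin ]; then
    printf '%s\n' -s '*'
  else
    printf '%s\n' -t "$topic"
  fi
  printf '%s\n' -p "$principal" -o "$ops"
}

# apply_role ACTION ROLE PRINCIPAL [TOPIC] -> run sr-acl-cli with those arguments.
# Rebuilding "$@" with globbing disabled keeps '*' literal; an unquoted `-s *`
# typed at a bash prompt would instead expand to the files in the current directory.
apply_role() {
  args=$(sr_acl_args "$@") || return 1
  set -f
  oldifs=$IFS; IFS='
'
  set -- $args
  IFS=$oldifs; set +f
  "$SR_ACL_CLI" "$@"
}

# Usage: print the grants (DRY_RUN=1, the default) or apply them (DRY_RUN=0).
if [ "${DRY_RUN:-1}" = 1 ]; then
  sr_acl_args --add producer Bob test-subject
  sr_acl_args --add consumer Alice test-subject
  sr_acl_args --add admin schema-admin
else
  apply_role --add producer Bob test-subject
  apply_role --add consumer Alice test-subject
  apply_role --add admin schema-admin
fi
```

Run it from the |cp| home directory with ``DRY_RUN=0`` to apply the grants, then ``./bin/sr-acl-cli --config ./etc/schema-registry/schema-registry.properties --list`` to confirm what was stored. Rejecting unknown operation names locally matters because the CLI talks straight to the brokers as the |sr| service principal; a typo should fail before that connection is made, not after.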