.. _confluentsecurityplugins_topicacl_authorizer:

|sr| Topic ACL Authorizer for |cp|
==================================

The Topic ACL Authorizer relies on the ACLs defined for the topic associated with the subject. Generally, subject names are of the form ``{topic-name}-key`` and ``{topic-name}-value`` when using Confluent Avro Serializers. Hence, the Topic ACL Authorizer can only be used in conjunction with the Confluent Avro Serializers, which follow this norm.

.. important:: You cannot use Topic ACL Authorizer with a |cp| running in |kraft| mode. Instead use :ref:`confluentsecurityplugins_sracl_authorizer` or :ref:`schemaregistry_rbac`.

Enable the Topic ACL authorizer by adding the following config to ``schema-registry.properties``, which is located at ``CONFLUENT_HOME/etc/schema-registry/schema-registry.properties`` on a local install.

.. codewithvars:: bash

   confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.topicacl.SimpleTopicAclAuthorizer

Since the Topic ACL Authorizer relies on the ACLs of the associated topic, you can only define ACLs for subject-level operations. To perform global operations, users must be designated super users. Super users for the Topic ACL Authorizer are managed using the following config:

``confluent.topic.acl.super.users``
  Semicolon-separated list of users who can be super users. A user must be a super user to perform any global operation, that is, an operation that does not involve a subject, such as reading or writing compatibility. For example, ``admin1;admin2`` makes both admin1 and admin2 super users.

  * Type: string
  * Default: ""
  * Importance: medium

This ACL can be managed using the :ref:`Kafka ACL CLI`.

The following table shows the mapping between Schema Registry operations and |ak-tm| topic operations:

================================ =============================================================================
SCHEMA REGISTRY OPERATION        Required |ak| ACLs
================================ =============================================================================
SUBJECT_READ                     TOPIC READ
SUBJECT_WRITE                    TOPIC WRITE
SUBJECT_DELETE                   TOPIC WRITE
SCHEMA_READ                      TOPIC READ on at least one of the topics associated with the schema ID
SUBJECT_COMPATIBILITY_READ       TOPIC READ
SUBJECT_COMPATIBILITY_WRITE      TOPIC WRITE
GLOBAL_COMPATIBILITY_READ        SUPER USER
GLOBAL_COMPATIBILITY_WRITE       SUPER USER
GLOBAL_READ                      SUPER USER
================================ =============================================================================
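
The following sketch models the decision the table describes so you can check an ACL plan before applying it. It is an added example, not the plugin's own code. The function names, users, and topics are hypothetical, and denying subjects that do not follow the ``-key``/``-value`` norm is an assumption.

```python
# Added illustration: a model of the documented mapping, not the plugin's code.
SUBJECT_OPS = {  # Schema Registry operation -> required Kafka topic operation
    "SUBJECT_READ": "READ",
    "SUBJECT_WRITE": "WRITE",
    "SUBJECT_DELETE": "WRITE",
    "SUBJECT_COMPATIBILITY_READ": "READ",
    "SUBJECT_COMPATIBILITY_WRITE": "WRITE",
}
GLOBAL_OPS = {"GLOBAL_COMPATIBILITY_READ", "GLOBAL_COMPATIBILITY_WRITE", "GLOBAL_READ"}


def parse_super_users(value):
    """Parse the semicolon-separated confluent.topic.acl.super.users value."""
    return {u.strip() for u in value.split(";") if u.strip()}


def topic_for_subject(subject):
    """Derive the topic from a {topic-name}-key / {topic-name}-value subject."""
    for suffix in ("-key", "-value"):
        if subject.endswith(suffix) and len(subject) > len(suffix):
            return subject[: -len(suffix)]
    return None  # assumption: subjects outside the naming norm map to no topic


def is_authorized(user, operation, subjects, topic_acls, super_users):
    """subjects: the request's subject, or for SCHEMA_READ every subject
    that uses the schema ID. topic_acls: {topic: {(user, operation), ...}}."""
    if operation in GLOBAL_OPS:
        return user in super_users
    topics = [t for t in map(topic_for_subject, subjects) if t]
    if operation == "SCHEMA_READ":  # READ on at least one associated topic
        return any((user, "READ") in topic_acls.get(t, set()) for t in topics)
    needed = SUBJECT_OPS.get(operation)
    if needed is None or len(topics) != 1:
        return False  # assumption: unknown or unmappable requests are denied
    return (user, needed) in topic_acls.get(topics[0], set())


# Constructed sample data (hypothetical users and topics).
SUPERS = parse_super_users("admin1;admin2")
ACLS = {
    "orders": {("alice", "READ"), ("bob", "WRITE")},
    "payments": {("carol", "READ")},
}

if __name__ == "__main__":
    print(is_authorized("alice", "SUBJECT_READ", ["orders-value"], ACLS, SUPERS))
    print(is_authorized("carol", "SCHEMA_READ", ["orders-value", "payments-key"], ACLS, SUPERS))
    print(is_authorized("alice", "GLOBAL_READ", [], ACLS, SUPERS))
```

The model shows two consequences of the table: a principal with only TOPIC WRITE can delete a subject, and a principal with TOPIC READ on any one topic that shares a schema ID can read that schema.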