Schema Registry Authentication and Authorization Auditable Event Methods on Confluent Cloud
Confluent Cloud audit logs contain records of auditable events for authentication and
authorization actions on Confluent Cloud Schema Registry, Stream Catalog, and Exporters for Schema
Linking. When an auditable event occurs, a message is sent to the audit log and
is stored as an audit log record.
Included here are the authentication actions, or operations, on
Confluent Cloud Schema Registry, Confluent Cloud Stream Catalog, and exporters for
Schema Linking on Confluent Cloud that generate auditable event messages for the
io.confluent.sg.server/authentication event.
Auditable event methods
- schema-registry.Authentication
- A request to authenticate to Schema Registry using an API key or token.
Examples of authentication auditable event messages
schema-registry.Authentication
The schema-registry.Authentication event method is triggered by a request
for authentication to Schema Registry using an API key or token.
SUCCESS
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "schema-registry.Authentication",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "bc64d0fb-84b7-4467-a36b-3ad3cd8c188d"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-qjygy6"
            }
          ]
        },
        "resource": {
          "type": "SCHEMA_REGISTRY",
          "resourceId": "lsrc-gx9kdv"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-y35x87"
        }
      },
      "result": "SUCCESS",
      "credentials": {
        "idSecretCredentials": {
          "credentialId": "7TBXED2PT5CAKIGK"
        },
        "mechanism": "HTTP_BASIC"
      }
    },
    "requestMetadata": {
      "requestId": [
        "8406167c-8c05-11ed-8f14-5f38e5250914"
      ]
    },
    "resourceName": "crn://confluent.cloud/organization=bc64d0fb-84b7-4467-a36b-3ad3cd8c188d/environment=env-qjygy6/schema-registry=lsrc-gx9kdv"
  },
  "subject": "crn://confluent.cloud/organization=bc64d0fb-84b7-4467-a36b-3ad3cd8c188d/environment=env-qjygy6/schema-registry=lsrc-gx9kdv",
  "specversion": "1.0",
  "id": "7fced40b-f893-429e-aa08-be584268379a",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-04T07:58:03.708Z",
  "type": "io.confluent.sg.server/authentication"
}
Schema Registry authorization auditable event methods
Included here are the authorization actions, or operations, on Schema Registry
that generate auditable event messages for the io.confluent.sg.server/authorization
event type.
Auditable event methods
Each of the following auditable event methods is triggered by a request to the Schema Registry API. Each method listed includes the action triggering an auditable event message and the associated Schema Registry API request.
- schema-registry.RegisterSchema
- Triggered by a request to register a new schema under the specified subject. Essentially, create a new schema (POST /subjects/(string: subject)/versions).
- schema-registry.LookUpSchemaUnderSubject
- Triggered by a request to check if a schema has already been registered under the specified subject (POST /subjects/(string: subject))
- schema-registry.DeleteSchemaVersion
- Triggered by a request to delete a specific version of the schema registered under this subject (DELETE /subjects/(string: subject)/versions/(versionId: version))
- schema-registry.DeleteSubject
- Triggered by a request to delete the specified subject and its associated compatibility level if registered (DELETE /subjects/(string: subject))
- schema-registry.UpdateSubjectConfig
- Triggered by a request to update the subject compatibility level (PUT /config/(string: subject))
- schema-registry.DeleteSubjectConfig
- Triggered by a request to delete the specified subject-level compatibility level configuration and revert to the global default (DELETE /config/(string: subject))
- schema-registry.UpdateGlobalConfig
- Triggered by a request to update the global compatibility level (PUT /config)
- schema-registry.DeleteGlobalConfig
- Triggered by a request to delete the global compatibility level configuration and revert to the default (DELETE /config)
- schema-registry.UpdateSubjectMode
- Triggered by a request to update the mode for the specified subject (PUT /mode/(string: subject))
- schema-registry.DeleteSubjectMode
- Triggered by a request to delete the specified subject-level compatibility level configuration and revert to the global default (DELETE /mode/(string: subject))
- schema-registry.UpdateGlobalMode
- Triggered by a request to update global mode (PUT /mode)
Stream Catalog authorization auditable event methods
Included here are the authorization actions, or operations, on Confluent Cloud Stream Catalog
that generate auditable event messages for the io.confluent.sg.server/authorization
event type.
Auditable event methods
Each of the following auditable event methods is triggered by a request to the Stream Catalog API. Each method listed includes the action triggering an auditable event message and the associated Stream Catalog API request.
- schema-registry.PartialEntityUpdate
- Triggered by a request to partially update an entity (PUT catalog/v1/entity)
- schema-registry.CreateTags
- Triggered by a request to create tags (POST catalog/v1/entity/tags)
- schema-registry.UpdateTags
- Triggered by a request to update tags (PUT catalog/v1/entity/tags)
- schema-registry.DeleteTag
- Triggered by a request to delete a tag on an entity (DELETE catalog/v1/entity/type/(string: typeName)/name/(string: qualifiedName)/tags/(string: tagName))
- schema-registry.CreateBusinessMetadata
- Triggered by a request to create business metadata (POST catalog/v1/entity/businessmetadata)
- schema-registry.UpdateBusinessMetadata
- Triggered by a request to update business metadata (PUT catalog/v1/entity/businessmetadata)
- schema-registry.DeleteBusinessMetadata
- Triggered by a request to delete a business metadata on an entity (DELETE catalog/v1/entity/type/(string: typeName)/name/(string: qualifiedName)/businessmetadata/(string: bmName))
- schema-registry.SearchCatalogUsingBasicQuery
- Triggered by a request to retrieve data for the specified full text query (GET catalog/v1/search/basic)
- schema-registry.SearchCatalogUsingAttributes
- Triggered by a request to retrieve data for the specified attribute search query (GET catalog/v1/search/attribute)
- schema-registry.CreateTagDefs
- Triggered by a request to create tag definitions (POST catalog/v1/types/tagdefs)
- schema-registry.UpdateTagDefs
- Triggered by a request to update tag definitions (PUT catalog/v1/types/tagdefs)
- schema-registry.DeleteTagDef
- Triggered by a request to delete tag definitions identified by their names (DELETE catalog/v1/types/tagdefs/(string: tagName))
- schema-registry.CreateBusinessMetadataDefs
- Triggered by a request to create business metadata definitions (POST catalog/v1/types/businessmetadatadefs)
- schema-registry.UpdateBusinessMetadataDefs
- Triggered by a request to update business metadata definitions (PUT catalog/v1/types/businessmetadatadefs)
- schema-registry.DeleteBusinessMetadataDef
- Triggered by a request to delete a business metadata definition identified by its name (DELETE catalog/v1/types/businessmetadatadefs/(string: bmName))
- schema-registry.UpdateSchemaTags
- Triggered by a request to bulk-update multiple tags (PUT catalog/v1/entity/tags)
Schema Linking Exporters authorization auditable event methods
Included here are the authorization actions, or operations, on Confluent Cloud Exporters
that generate auditable event messages for the io.confluent.sg.server/authorization
event type.
Auditable event methods
Each of the following auditable event methods is triggered by a request to the Exporters API. Each method listed includes the action triggering an auditable event message and the associated Exporters API request.
- schema-registry.CreateExporter
- Triggered by a request to retrieve a list of existing schema exporters (POST /exporters)
- schema-registry.UpdateExporter
- Triggered by a request to update schema exporter by name (PUT /exporters/(string: name))
- schema-registry.UpdateExporterConfig
- Triggered by a request to update schema exporter configuration by name (PUT /exporters/(string: name)/config)
- schema-registry.PauseExporter
- Triggered by a request to pause schema exporter by name (PUT /exporters/(string: name)/pause)
- schema-registry.ResetExporter
- Triggered by a request to reset schema exporter by name (PUT /exporters/(string: name)/reset)
- schema-registry.ResumeExporter
- Triggered by a request to resume schema exporter by name (PUT /exporters/(string: name)/resume)
- schema-registry.DeleteExporter
- Triggered by a request to delete schema exporter by name (DELETE /exporters/(string: name))
Data Encryption Key (DEK) authorization auditable event methods
Included here are the authorization actions, or operations, on Data Encryption Keys (DEK) and Key Encryption Keys (KEK)
that generate auditable event messages for the io.confluent.sg.server/authorization
event type.
Auditable event methods
Each of the following auditable event methods is triggered by a request to the Confluent Cloud Schema Registry DEK API. Each method listed includes
the action triggering an auditable event message for the io.confluent.sg.server/authorization
event type.
- schema-registry.RegisterKek
- Triggered by a request to register a key encryption key.
- schema-registry.UpdateKek
- Triggered by a request to update a key encryption key.
- schema-registry.DeregisterKek
- Triggered by a request to deregister a key encryption key.
- schema-registry.RegisterDek
- Triggered by a request to register a data encryption key.
- schema-registry.GetDek
- Triggered by a request to retrieve a data encryption key.
- schema-registry.DeregisterDek
- Triggered by a request to deregister a data encryption key.
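
One way to triage the authentication and authorization records described on this page, as an added example that is not Confluent's own code: it reads audit records as JSON lines, reports authentication events whose result is not SUCCESS, and reports authorization events whose method name is on a locally chosen watch list. It assumes authorization records carry methodName, resourceName and authenticationInfo in the same layout as the authentication sample above; the sample records, the `triage` and `_sample` names, and the "FAILURE" result string are constructed for illustration.

```python
import json

AUTHN = "io.confluent.sg.server/authentication"
AUTHZ = "io.confluent.sg.server/authorization"
# Method names come from this page; which ones to alert on is a local choice.
WATCHED = {"schema-registry.DeleteSubject", "schema-registry.DeleteExporter",
           "schema-registry.DeregisterKek", "schema-registry.GetDek"}

def triage(lines):
    """Split JSON-lines audit records into non-SUCCESS logins and watched calls."""
    failed_logins, watched_calls = [], []
    for line in lines:
        try:
            ev = json.loads(line)
            data = ev.get("data") or {}
            info = data.get("authenticationInfo") or {}
            creds = info.get("credentials") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip truncated or non-object lines instead of aborting
        # Take the resourceId of whichever principal kind is present.
        who = next((p.get("resourceId") for p in (info.get("principal") or {}).values()
                    if isinstance(p, dict)), None)
        row = {"time": ev.get("time"), "principal": who,
               "method": data.get("methodName"), "resource": data.get("resourceName"),
               "credentialId": (creds.get("idSecretCredentials") or {}).get("credentialId"),
               "mechanism": creds.get("mechanism")}
        if ev.get("type") == AUTHN and info.get("result") != "SUCCESS":
            failed_logins.append(row)
        elif ev.get("type") == AUTHZ and row["method"] in WATCHED:
            watched_calls.append(row)
    return failed_logins, watched_calls

def _sample(ev_type, method, result, user="u-000000", key="CONSTRUCTEDKEY0001"):
    auth = {"principal": {"confluentUser": {"resourceId": user}}, "result": result,
            "credentials": {"idSecretCredentials": {"credentialId": key},
                            "mechanism": "HTTP_BASIC"}}
    return json.dumps({"type": ev_type, "time": "2024-01-01T00:00:00.000Z", "data": {
        "methodName": method, "authenticationInfo": auth, "resourceName": "crn://constructed"}})

# Constructed records in the page's sample layout; "FAILURE" is a placeholder value.
SAMPLE = [
    _sample(AUTHN, "schema-registry.Authentication", "SUCCESS"),
    _sample(AUTHN, "schema-registry.Authentication", "FAILURE", key="CONSTRUCTEDKEY0002"),
    _sample(AUTHZ, "schema-registry.RegisterSchema", "SUCCESS"),
    _sample(AUTHZ, "schema-registry.DeregisterKek", "SUCCESS", user="u-111111"),
    '{"type": "io.confluent.sg.server/authoriz',  # truncated line
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Grouping the failed-login rows by credentialId and resource shows which API key is being rejected against which Schema Registry cluster.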