Schema Registry Authentication and Authorization Auditable Event Methods on Confluent Cloud

Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on Confluent Cloud Schema Registry, Stream Catalog, and Exporters for Schema Linking. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record Included here are the authentication actions, or operations, on Confluent Cloud Schema Registry, Confluent Cloud Stream Catalog, and exporters for Schema Linking on Confluent Cloud that generate auditable event messages for the io.confluent.sg.server/authentication event.

Auditable event methods

schema-registry.Authentication
A request to authenticate to Schema Registry using an API key or token.

Examples of authentication auditable event messages

schema-registry.Authentication

The schema-registry.Authentication event method is triggered by a request for authentication to Schema Registry using an API key or token.

SUCCESS
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "schema-registry.Authentication",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "bc64d0fb-84b7-4467-a36b-3ad3cd8c188d"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-qjygy6"
            }
          ]
        },
        "resource": {
          "type": "SCHEMA_REGISTRY",
          "resourceId": "lsrc-gx9kdv"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-y35x87"
        }
      },
      "result": "SUCCESS",
      "credentials": {
        "idSecretCredentials": {
          "credentialId": "7TBXED2PT5CAKIGK"
        },
        "mechanism": "HTTP_BASIC"
      }
    },
    "requestMetadata": {
      "requestId": [
        "8406167c-8c05-11ed-8f14-5f38e5250914"
      ]
    },
    "resourceName": "crn://confluent.cloud/organization=bc64d0fb-84b7-4467-a36b-3ad3cd8c188d/environment=env-qjygy6/schema-registry=lsrc-gx9kdv"
  },
  "subject": "crn://confluent.cloud/organization=bc64d0fb-84b7-4467-a36b-3ad3cd8c188d/environment=env-qjygy6/schema-registry=lsrc-gx9kdv",
  "specversion": "1.0",
  "id": "7fced40b-f893-429e-aa08-be584268379a",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-04T07:58:03.708Z",
  "type": "io.confluent.sg.server/authentication"
}

The sections below include the auditable event methods for Confluent Cloud Schema Registry, Confluent Cloud Stream Catalog, and Schema Linking on Confluent Cloud that generate auditable event messages for the io.confluent.sg.server/authorization event.

Schema Registry authorization auditable event methods

Included here are the authorization actions, or operations, on Schema Registry that generate auditable event messages for the io.confluent.sg.server/authorization event type.

Auditable event methods

Each of the following auditable event methods is triggered by a request to the Schema Registry API. Each method listed includes the action triggering an auditable event message and the associated Schema Registry API request.

schema-registry.RegisterSchema
Triggered by a request to register a new schema under the specified subject. Essentially, create a new schema (POST /subjects/(string: subject)/versions).
schema-registry.LookUpSchemaUnderSubject
Triggered by a request to check if a schema has already been registered under the specified subject (POST /subjects/(string: subject))
schema-registry.DeleteSchemaVersion
Triggered by a request to delete a specific version of the schema registered under this subject (DELETE /subjects/(string: subject)/versions/(versionId: version))
schema-registry.DeleteSubject
Triggered by a request to delete the specified subject and its associated compatibility level if registered (DELETE /subjects/(string: subject))
schema-registry.UpdateSubjectConfig
Triggered by a request to update the subject compatibility level (PUT /config/(string: subject))
schema-registry.DeleteSubjectConfig
Triggered by a request to delete the specified subject-level compatibility level configuration and revert to the global default (DELETE /config/(string: subject))
schema-registry.UpdateGlobalConfig
Triggered by a request to update the global compatibility level (PUT /config)
schema-registry.DeleteGlobalConfig
Triggered by a request to delete the global compatibility level configuration and revert to the default (DELETE /config)
schema-registry.UpdateSubjectMode
Triggered by a request to update the mode for the specified subject (PUT /mode/(string: subject))
schema-registry.DeleteSubjectMode
Triggered by a request to delete the specified subject-level compatibility level configuration and revert to the global default (DELETE /mode/(string: subject))
schema-registry.UpdateGlobalMode
Triggered by a request to update global mode (PUT /mode)

Stream Catalog authorization auditable event methods

Included here are the authorization actions, or operations, on Confluent Cloud Stream Catalog that generate auditable event messages for the io.confluent.sg.server/authorization event type.

Auditable event methods

Each of the following auditable event methods is triggered by a request to the Stream Catalog API. Each method listed includes the action triggering an auditable event message and the associated Stream Catalog API request.

schema-registry.PartialEntityUpdate
Triggered by a request to partially update an entity. PUT catalog/v1/entity
schema-registry.CreateTags
Triggered by a request to create tags (POST catalog/v1/entity/tags)
schema-registry.UpdateTags
Triggered by a request to update tags (PUT catalog/v1/entity/tags)
schema-registry.DeleteTag
Triggered by a request to delete a tag on an entity (DELETE catalog/v1/entity/type/(string: typeName)/name/(string: qualifiedName)/tags/(string: tagName))
schema-registry.CreateBusinessMetadata
Triggered by a request to create business metadata (POST catalog/v1/entity/businessmetadata)
schema-registry.UpdateBusinessMetadata
Triggered by a request to update business metadata (PUT catalog/v1/entity/businessmetadata)
schema-registry.DeleteBusinessMetadata
Triggered by a request to delete a business metadata on an entity (DELETE catalog/v1/entity/type/(string: typeName)/name/(string: qualifiedName)/businessmetadata/(string: bmName))
schema-registry.SearchCatalogUsingBasicQuery
Triggered by a request to retrieve data for the specified full text query (GET catalog/v1/search/basic)
schema-registry.SearchCatalogUsingAttributes
Triggered by a request to retrieve data for the specified attribute search query (GET catalog/v1/search/attribute)
schema-registry.CreateTagDefs
Triggered by a request to create tag definitions (POST catalog/v1/types/tagdefs)
schema-registry.UpdateTagDefs
Triggered by a request to update tag definitions (PUT catalog/v1/types/tagdefs)
schema-registry.DeleteTagDef
Triggered by a request to delete tag definitions identified by their names (DELETE catalog/v1/types/tagdefs/(string: tagName))
schema-registry.CreateBusinessMetadataDefs
Triggered by a request to create business metadata definitions (POST catalog/v1/types/businessmetadatadefs)
schema-registry.UpdateBusinessMetadataDefs
Triggered by a request to update business metadata definitions (PUT catalog/v1/types/businessmetadatadefs)
schema-registry.DeleteBusinessMetadataDef
Triggered by a request to delete a business metadata definition identified by its name (DELETE catalog/v1/types/businessmetadatadefs/(string: bmName))
schema-registry.UpdateSchemaTags
Triggered by a request to bulk-update multiple tags (PUT catalog/v1/entity/tags)

Schema Linking Exporters authorization auditable event methods

Included here are the authorization actions, or operations, on Confluent Cloud Exporters that generate auditable event messages for the io.confluent.sg.server/authorization event type.

Auditable event methods

Each of the following auditable event methods is triggered by a request to the Exporters API. Each method listed includes the action triggering an auditable event message and the associated Exporters API request.

schema-registry.CreateExporter
Triggered by a request to retrieve a list of existing schema exporters (POST /exporters)
schema-registry.UpdateExporter
Triggered by a request to update schema exporter by name (PUT /exporters/(string: name))
schema-registry.UpdateExporterConfig
Triggered by a request to update schema exporter configuration by name (PUT /exporters/(string: name)/config)
schema-registry.PauseExporter
Triggered by a request to pause schema exporter by name (PUT /exporters/(string: name)/pause)
schema-registry.ResetExporter
Triggered by a request to reset schema exporter by name (PUT /exporters/(string: name)/reset)
schema-registry.ResumeExporter
Triggered by a request to resume schema exporter by name (PUT /exporters/(string: name)/resume)
schema-registry.DeleteExporter
Triggered by a request to delete schema exporter by name (DELETE /exporters/(string: name))

Data Encryption Key (DEK) authorization auditable event methods

Included here are the authorization actions, or operations, on Data Encryption Keys (DEK) and Key Encryption Keys (KEK) that generate auditable event messages for the io.confluent.sg.server/authorization event type.

Auditable event methods

Each of the following auditable event methods is triggered by a request to the Confluent Cloud Schema Registry DEK API. Each method listed includes the action triggering an auditable event message for the io.confluent.sg.server/authorization event type.

schema-registry.RegisterKek
Triggered by a request to register a key encryption key.
schema-registry.UpdateKek
Triggered by a request to update a key encryption key.
schema-registry.DeregisterKek
Triggered by a request to deregister a key encryption key.
schema-registry.RegisterDek
Triggered by a request to register a data encryption key.
schema-registry.GetDek
Triggered by a request to retrieve a data encryption key.
schema-registry.DeregisterDek
Triggered by a request to deregister a data encryption key.