Schema Registry Authentication and Authorization Auditable Event Methods on Confluent Cloud
Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on Confluent Cloud Schema Registry, Stream Catalog, and exporters for Schema Linking. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record. For management and operations events for Schema Registry, see Schema Registry Management and Operations Auditable Event Methods on Confluent Cloud.
The following authentication actions, or operations, on Confluent Cloud Schema Registry, Confluent Cloud Stream Catalog, and exporters for Schema Linking on Confluent Cloud generate auditable event messages for the io.confluent.sg.server/authentication event.
Schema Registry authentication
Method name | Action triggering an auditable event message |
|---|---|
A request to authenticate to Schema Registry using an API key or token. |
schema-registry.Authentication
The schema-registry.Authentication event is generated by a request for authentication to Schema Registry using an API key or token.
To view an example event message, expand the following dropdown:
Success
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "schema-registry.Authentication",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "bc64d0fb-84b7-4467-a36b-3ad3cd8c188d"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-qjygy6"
}
]
},
"resource": {
"type": "SCHEMA_REGISTRY",
"resourceId": "lsrc-gx9kdv"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "u-y35x87"
}
},
"result": "SUCCESS",
"credentials": {
"idSecretCredentials": {
"credentialId": "7TBXED2PT5CAKIGK"
},
"mechanism": "HTTP_BASIC"
}
},
"requestMetadata": {
"requestId": [
"8406167c-8c05-11ed-8f14-5f38e5250914"
]
},
"resourceName": "crn://confluent.cloud/organization=bc64d0fb-84b7-4467-a36b-3ad3cd8c188d/environment=env-qjygy6/schema-registry=lsrc-gx9kdv"
},
"subject": "crn://confluent.cloud/organization=bc64d0fb-84b7-4467-a36b-3ad3cd8c188d/environment=env-qjygy6/schema-registry=lsrc-gx9kdv",
"specversion": "1.0",
"id": "7fced40b-f893-429e-aa08-be584268379a",
"source": "crn://confluent.cloud/",
"time": "2023-01-04T07:58:03.708Z",
"type": "io.confluent.sg.server/authentication"
}
The following sections include the auditable event methods for Confluent Cloud Schema Registry, Confluent Cloud Stream Catalog, and Schema Linking on Confluent Cloud that generate auditable event messages for the io.confluent.sg.server/authorization event.
Schema Registry authorization
The following authorization actions, or operations, on Schema Registry generate auditable event messages for the io.confluent.sg.server/authorization event type.
Each of the following auditable event methods is generated by a request to the Schema Registry API. Each method listed includes the action triggering an auditable event message and the associated Schema Registry API request.
Method name | Action triggering an auditable event message |
|---|---|
| A request to register a new schema under the specified subject. |
| A request to check if a schema has already been registered under the specified subject. |
| A request to delete a specific version of the schema registered under this subject. |
| A request to delete the specified subject and its associated compatibility level if registered. |
| A request to update the subject compatibility level. |
| A request to delete the specified subject-level compatibility level configuration and revert to the global default. |
| A request to update the global compatibility level. |
| A request to delete the global compatibility level configuration and revert to the default. |
| A request to update the mode for the specified subject. |
| A request to delete the specified subject-level compatibility level configuration and revert to the global default. |
| A request to update global mode. |
Stream Catalog authorization
The following authorization actions, or operations, on Confluent Cloud Stream Catalog generate auditable event messages for the io.confluent.sg.server/authorization event type.
Each of the following auditable event methods is generated by a request to the Stream Catalog API. Each method listed includes the action triggering an auditable event message and the associated Stream Catalog API request.
Method name | Action triggering an auditable event message |
|---|---|
| A request to partially update an entity. |
| A request to create tags. |
| A request to update tags. |
| A request to delete a tag on an entity. |
| A request to create business metadata. |
| A request to update business metadata. |
| A request to delete a business metadata on an entity. |
| A request to retrieve data for the specified full text query. |
| A request to retrieve data for the specified attribute search query. |
| A request to create tag definitions. |
| A request to update tag definitions. |
| A request to delete tag definitions identified by their names. |
| A request to create business metadata definitions. |
| A request to update business metadata definitions. |
| A request to delete a business metadata definition identified by its name. |
| A request to bulk-update multiple tags. |
Schema Linking exporters authorization
The following authorization actions, or operations, on Confluent Cloud exporters generate auditable event messages for the io.confluent.sg.server/authorization event type.
Each of the following auditable event methods is generated by a request to the exporters API. Each method listed includes the action triggering an auditable event message and the associated exporters API request.
Method name | Action triggering an auditable event message |
|---|---|
| A request to create a schema exporter. |
| A request to update schema exporter by name. |
| A request to update schema exporter configuration by name. |
| A request to pause schema exporter by name. |
| A request to reset schema exporter by name. |
| A request to resume schema exporter by name. |
| A request to delete schema exporter by name. |
Data encryption key authorization
The following authorization actions, or operations, on data encryption keys (DEK) and key encryption keys (KEK) generate auditable event messages for the io.confluent.sg.server/authorization event type.
Each of the following auditable event methods is generated by a request to the Confluent Cloud Schema Registry DEK API. Each method listed includes the action triggering an auditable event message for the io.confluent.sg.server/authorization event type.
Method name | Action triggering an auditable event message |
|---|---|
| A request to register a key encryption key. |
| A request to update a key encryption key. |
| A request to deregister a key encryption key. |
| A request to register a data encryption key. |
| A request to retrieve a data encryption key. |
| A request to deregister a data encryption key. |
