Important
You are viewing documentation for an older version of Confluent Platform. For the latest, click here.
Schema Registry Security Plugin
This is a commercial component of Confluent Platform.
With RBAC enabled, Schema Registry can authenticate incoming requests and authorize them based on role bindings. This allows schema evolution management to be restricted to administrative users, while giving users and applications different types of access to the subset of subjects for which they are authorized (for example, write access to relevant subjects for producers and read access for consumers).
The Schema Registry plugin supports authorization for both role-based access control (RBAC) and ACLs, and you can configure it to use either or both. If both are configured, then requests are authorized by way of a logical OR. In other words, a request that is only authorized by RBAC or ACLs, but not both, is still considered valid.
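The following added example (not part of the Confluent documentation or the plugin's code) models the logical OR described above and labels each allowed request with the mechanism that allows it, which is the check to run before relying on an RBAC revocation. The `Grant` tuple, glob-style subject matching, the READ/WRITE/DELETE operation names and all principals are simplifying assumptions, not the plugin's data format.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Grant(NamedTuple):
    principal: str
    subject: str    # exact subject name or glob, e.g. "orders-*" (assumption)
    operation: str  # simplified to READ / WRITE / DELETE (assumption)

def allows(grants, principal, subject, operation):
    """True if at least one grant of a single mechanism covers the request."""
    return any(g.principal == principal and g.operation == operation
               and fnmatchcase(subject, g.subject) for g in grants)

def authorize(rbac, acls, principal, subject, operation):
    """Both mechanisms configured: the request passes if either one allows it."""
    return (allows(rbac, principal, subject, operation)
            or allows(acls, principal, subject, operation))

def grant_sources(rbac, acls, requests):
    """Label every allowed request with the mechanism(s) that allow it."""
    report = {}
    for req in requests:
        by_rbac, by_acl = allows(rbac, *req), allows(acls, *req)
        if by_rbac and by_acl:
            report[req] = "both"
        elif by_rbac or by_acl:
            report[req] = "rbac-only" if by_rbac else "acl-only"
    return report

# Constructed sample data (not real role bindings or ACLs).
RBAC = [Grant("User:producer-app", "orders-value", "WRITE"),
        Grant("User:consumer-app", "orders-value", "READ")]
ACLS = [Grant("User:consumer-app", "orders-value", "READ"),
        Grant("User:old-batch-job", "orders-*", "DELETE")]  # leftover ACL
REQUESTS = [("User:producer-app", "orders-value", "WRITE"),
            ("User:consumer-app", "orders-value", "READ"),
            ("User:old-batch-job", "orders-value", "DELETE"),
            ("User:consumer-app", "orders-value", "WRITE")]

if __name__ == "__main__":
    for req, source in grant_sources(RBAC, ACLS, REQUESTS).items():
        print(source, *req)
    # Removing the RBAC grant alone does not revoke consumer-app's READ access.
    rbac_after = [g for g in RBAC if g.principal != "User:consumer-app"]
    print(authorize(rbac_after, ACLS, "User:consumer-app", "orders-value", "READ"))
```

Entries reported as `acl-only` or `rbac-only` are the ones to review when both authorizers are enabled, because removing access in one mechanism leaves the other grant in force.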
Tip
ACLs are separately available for Kafka and for Schema Registry. If you have ACLs enabled for Apache Kafka® (to protect topics, consumer groups, and so on), then you must configure Schema Registry with ACL permissions to read, write, create, and describe the _schemas topic. However, until either ACLs or Role-Based Access Control is also enabled for Schema Registry, any user can create, alter, and delete Schema Registry subjects.
Important
If the Schema Registry Security Plugin is installed and configured to use ACLs, it must connect to ZooKeeper and will use kafkastore.connection.url to do so. The config kafkastore.connection.url is deprecated for the purposes of ZooKeeper leader election, but is still used for this security plugin. If you configure both kafkastore.connection.url (ZooKeeper) and kafkastore.bootstrap.servers (Kafka), kafkastore.connection.url (ZooKeeper) is used for the security plugin and kafkastore.bootstrap.servers (Kafka) is used for leader election. See also ZooKeeper in the Schema Registry security overview, and Adding security to a running cluster, especially the ZooKeeper section, which describes how to enable security between Kafka brokers and ZooKeeper.
- Install and Configure
- Schema Registry Authorization
- Supported Operations
- Configure the Authorizer
- confluent.schema.registry.authorizer.class
- Role-Based Access Control
- Overview
- Quick Start
- Before You Begin
- Steps at a glance
- Prerequisites
- Install Confluent Platform and the Confluent CLI
- Configure Schema Registry to communicate with RBAC services
- Get the Kafka cluster ID for the MDS server you plan to use
- Grant roles for the Schema Registry service principal
- Start Schema Registry and test it
- Log on to Confluent CLI and grant access to Schema Registry users
- Suggested Reading
- Schema Registry ACL Authorizer
- Topic ACL Authorizer