Topic ACL Authorizer

Topic ACL authorizer relies on the ACLs defined to the topic associated with the subject. Generally, subject names are of the form {topic-name}-key and {topic-name}-value when using Confluent Avro Serializers. Hence, the Topic ACL Authorizer can only be used in conjunction with the Confluent Avro Serializers which follows this norm.

Enable the Topic ACL authorizer by adding the following config to schema-registry.properties, which is located at <path-to-confluent>/etc/schema-registry/schema-registry.properties) on a local install.

confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.topicacl.SimpleTopicAclAuthorizer

Since the Topic ACL Authorizer relies on ACLs of the associated topic, you can only define ACLs for subject level operations. To perform global operations, users must be designated super users. Supers users for Topic ACL Authorizer can be managed using the below config:

confluent.topic.acl.super.users

Semicolon separated list of users who can be super users. One needs to be a super user to perform all global operations that don’t involve a subject like read or write compatibility. For example admin1;admin2 would make both admin1 and admin2 as super users.

  • Type: string
  • Default: “”
  • Importance: medium

This ACL can be managed using the Kafka ACL CLI. The below table shows the mapping between Schema Registry operations and Apache Kafka® Topic operations

SCHEMA REGISTRY OPERATION Required |ak| ACL
SUBJECT_READ TOPIC READ
SUBJECT_WRITE TOPIC WRITE
SUBJECT_DELETE TOPIC WRITE
SCHEMA_READ TOPIC READ on at least one of the topic associated with the schema id
SUBJECT_COMPATIBILITY_READ TOPIC READ
SUBJECT_COMPATIBILITY_WRITE TOPIC WRITE
GLOBAL_COMPATIBILITY_READ SUPER USER
GLOBAL_COMPATIBILITY_WRITE SUPER USER
GLOBAL_READ SUPER USER