Topic ACL Authorizer¶
Topic ACL authorizer relies on the ACLs defined to the topic associated
with the subject. Generally, subject names are of the form {topic-name}-key
and {topic-name}-value
when using Confluent Avro
Serializers. Hence, the Topic ACL Authorizer can only be used in conjunction with the Confluent
Avro Serializers which follows this norm.
Enable the Topic ACL authorizer by adding the following config to schema-registry.properties
, which is located at <path-to-confluent>/etc/schema-registry/schema-registry.properties
) on a local install.
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.topicacl.SimpleTopicAclAuthorizer
Since the Topic ACL Authorizer relies on ACLs of the associated topic, you can only define ACLs for subject level operations. To perform global operations, users must be designated super users. Supers users for Topic ACL Authorizer can be managed using the below config:
confluent.topic.acl.super.users
Semicolon separated list of users who can be super users. One needs to be a super user to perform all global operations that don’t involve a subject like read or write compatibility. For example
admin1;admin2
would make both admin1 and admin2 as super users.- Type: string
- Default: “”
- Importance: medium
This ACL can be managed using the Kafka ACL CLI. The below table shows the mapping between Schema Registry operations and Apache Kafka® Topic operations
SCHEMA REGISTRY OPERATION | Required Kafka ACLs |
---|---|
SUBJECT_READ | TOPIC READ |
SUBJECT_WRITE | TOPIC WRITE |
SUBJECT_DELETE | TOPIC WRITE |
SCHEMA_READ | TOPIC READ on at least one of the topic associated with the schema id |
SUBJECT_COMPATIBILITY_READ | TOPIC READ |
SUBJECT_COMPATIBILITY_WRITE | TOPIC WRITE |
GLOBAL_COMPATIBILITY_READ | SUPER USER |
GLOBAL_COMPATIBILITY_WRITE | SUPER USER |
GLOBAL_READ | SUPER USER |