Operation and Resource Support for Schema Registry in Confluent Platform

The Schema Registry security plugin provides authorization for operations on schemas for subjects, which correspond to Kafka topics.

The supported operations and corresponding Schema Registry URIs are listed here. These apply to both role-based access control (RBAC) and ACL authorization.

Tip

You can use both RBAC and ACLs together or independently. Both methods of access control have their strengths and use cases. To learn more, see RBAC and ACLs in the RBAC overview.

Supported Operations

SCHEMA REGISTRY OPERATION	RESOURCE
SUBJECT_READ	GET /subjects/(string: subject)/versions POST /subjects/(string: subject) GET /subjects/(string: subject)/versions/(versionId: version)
SUBJECT_WRITE	POST /subjects/(string: subject)/versions POST /compatibility/subjects/(string: subject)/versions/(versionId: version)
SUBJECT_DELETE	DELETE /subjects/(string: subject)/versions/(versionId: version) DELETE /subjects/(string: subject)
SCHEMA_READ	GET /schemas/ids/{int: id}
SUBJECT_COMPATIBILITY_READ	GET /config/(string: subject) GET /mode/(string: subject)
SUBJECT_COMPATIBILITY_WRITE	PUT /config/(string: subject) DELETE /config/(string: subject) PUT /mode/(string: subject) DELETE /mode/(string: subject)
GLOBAL_COMPATIBILITY_READ	GET /config and .. http:get:: /mode
GLOBAL_COMPATIBILITY_WRITE	PUT /config and .. http:put:: /mode
GLOBAL_READ	GET /subjects

For more information on these operations, see the Schema Registry API.

Example ACL Setups

Any “one size fits all” recommendation for Schema Registry ACL configurations will not make sense, but here are a few prosaic examples that may provide a starting point as you plan your deployment.

• One permissive setup might be to provide all READ-ACLs to all clients, including ANONYMOUS. If you adhere to the need-to-know principle more closely, you may want to limit READ operations.
• An autonomous team would need all the SUBJECT ACLs: READ, WRITE, DELETE, COMPATIBILTY_WRITE and COMPATIBILTY_READ. The exact configuration depends on the autonomy of the team and the desired level of control over the Schema Registry. A CD/CI system would get the same ACLs for all relevant subjects.
• An admin team may additionally set up the GLOBAL_ ACLs.

To learn more about defining ACLs, see Schema Registry ACL Authorizer for Confluent Platform.

Configure the Authorizer

Incoming requests are mapped to a Schema Registry Operation as outlined in above table, after which the request is authorized using the configured authorizer.

confluent.schema.registry.authorizer.class

The implementation used to authorize Schema Registry requests. This needs to be an implementation of the SchemaRegistryAuthorizer interface.

• Type: string
• Default: “”
• Importance: high

These Schema Registry authorizers are provided natively.

• Role-Based Access Control
• Schema Registry ACL Authorizer for Confluent Platform
• Schema Registry Topic ACL Authorizer for Confluent Platform

Suggested Reading

• Secure Schema Registry for Confluent Platform
• Schema Registry API Reference
• Schema Registry API Usage Examples for Confluent Platform