Schema Registry Topic ACL Authorizer for Confluent Platform¶
Topic ACL authorizer relies on the ACLs defined to the topic associated
with the subject. Generally, subject names are of the form {topic-name}-key and {topic-name}-value when using Confluent Avro
Serializers. Hence, the Topic ACL Authorizer can only be used in conjunction with the Confluent
Avro Serializers which follows this norm.
Important
You cannot use Topic ACL Authorizer with a Confluent Platform running in KRaft mode. Instead use Schema Registry ACL Authorizer for Confluent Platform or Configure Role-Based Access Control for Schema Registry in Confluent Platform.
Enable the Topic ACL authorizer by adding the following config to schema-registry.properties, which is located at CONFLUENT_HOME/etc/schema-registry/schema-registry.properties) on a local install.
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.topicacl.SimpleTopicAclAuthorizer
Since the Topic ACL Authorizer relies on ACLs of the associated topic, you can only define ACLs for subject level operations. To perform global operations, users must be designated super users. Supers users for Topic ACL Authorizer can be managed using the below config:
confluent.topic.acl.super.usersSemicolon separated list of users who can be super users. One needs to be a super user to perform all global operations that don’t involve a subject like read or write compatibility. For example
admin1;admin2would make both admin1 and admin2 as super users.- Type: string
- Default: “”
- Importance: medium
This ACL can be managed using the Kafka ACL CLI. The below table shows the mapping between Schema Registry operations and Apache Kafka® Topic operations
| SCHEMA REGISTRY OPERATION | Required Kafka ACLs |
|---|---|
| SUBJECT_READ | TOPIC READ |
| SUBJECT_WRITE | TOPIC WRITE |
| SUBJECT_DELETE | TOPIC WRITE |
| SCHEMA_READ | TOPIC READ on at least one of the topic associated with the schema id |
| SUBJECT_COMPATIBILITY_READ | TOPIC READ |
| SUBJECT_COMPATIBILITY_WRITE | TOPIC WRITE |
| GLOBAL_COMPATIBILITY_READ | SUPER USER |
| GLOBAL_COMPATIBILITY_WRITE | SUPER USER |
| GLOBAL_READ | SUPER USER |