DOC-1936: Document SR authorization enabled by default for Cloud#581
Open
micheleRP wants to merge 1 commit into
Open
DOC-1936: Document SR authorization enabled by default for Cloud#581micheleRP wants to merge 1 commit into
micheleRP wants to merge 1 commit into
Conversation
Schema Registry Authorization is now enabled fleet-wide on BYOC and Dedicated clusters. The schema_registry_enable_authorization cluster property is set automatically at provisioning, and the predefined Admin, Writer, and Reader roles are seeded with Schema Registry permissions (subject/* and registry resources). Account impersonation also now supports Schema Registry as a separate subsystem from the Kafka API. - Add SR permissions table to predefined-roles partial - Update Account impersonation section to reflect per-subsystem toggles (Kafka API + Schema Registry) and the new default-role behavior - Add May 2026 What's New entries for SR auth-by-default and SR impersonation Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for rp-cloud ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Contributor
📝 WalkthroughWalkthroughThis pull request updates Redpanda Cloud documentation to reflect two related feature expansions in May 2026. Schema Registry Authorization is now enabled by default on newly provisioned BYOC and Dedicated clusters, automatically granting predefined Admin, Writer, and Reader roles permissions for Schema Registry ACL resource types ( Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@modules/security/pages/cloud-authentication.adoc`:
- Around line 138-140: The phrase "Admin and Writer users continue to have full
Kafka and Schema Registry access through the predefined roles" overstates Writer
permissions; update the copy so Admin is described as having full/admin access
while Writer is described as having predefined write permissions (e.g., topic
produce/write and subject write) but not full admin-equivalent rights. Locate
the sentence that begins "Admin and Writer users" and replace "full Kafka and
Schema Registry access" for Writer with wording like "predefined write
permissions for Kafka topics and appropriate Schema Registry subjects (not full
admin privileges)" and leave Admin described as having full access; ensure
subsequent lines referencing "Writer role" or "Reader users" remain consistent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 98e6a104-e3d7-4ac9-af8f-484d876b851e
📒 Files selected for processing (3)
modules/get-started/pages/whats-new-cloud.adocmodules/security/pages/cloud-authentication.adocmodules/security/partials/predefined-roles.adoc
Comment on lines
+138
to
+140
| * *Admin and Writer users* continue to have full Kafka and Schema Registry access through the predefined roles. | ||
| * *Reader users* keep read access to topics, consumer groups, and Schema Registry subjects through the predefined Reader role. | ||
| * *Custom roles or users without role bindings* will lose access until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page. |
Contributor
There was a problem hiding this comment.
Writer role access is overstated as “full” and can mislead authorization expectations.
Line 138 should not describe Writer as having full Kafka and Schema Registry access. Writer permissions are predefined but not admin-equivalent, so this wording is materially inaccurate.
✏️ Proposed wording fix
-* *Admin and Writer users* continue to have full Kafka and Schema Registry access through the predefined roles.
+* *Admin users* continue to have full Kafka and Schema Registry access through the predefined Admin role.
+* *Writer users* continue to have Writer-level Kafka and Schema Registry permissions through the predefined Writer role.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| * *Admin and Writer users* continue to have full Kafka and Schema Registry access through the predefined roles. | |
| * *Reader users* keep read access to topics, consumer groups, and Schema Registry subjects through the predefined Reader role. | |
| * *Custom roles or users without role bindings* will lose access until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page. | |
| * *Admin users* continue to have full Kafka and Schema Registry access through the predefined Admin role. | |
| * *Writer users* continue to have Writer-level Kafka and Schema Registry permissions through the predefined Writer role. | |
| * *Reader users* keep read access to topics, consumer groups, and Schema Registry subjects through the predefined Reader role. | |
| * *Custom roles or users without role bindings* will lose access until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page. |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@modules/security/pages/cloud-authentication.adoc` around lines 138 - 140, The
phrase "Admin and Writer users continue to have full Kafka and Schema Registry
access through the predefined roles" overstates Writer permissions; update the
copy so Admin is described as having full/admin access while Writer is described
as having predefined write permissions (e.g., topic produce/write and subject
write) but not full admin-equivalent rights. Locate the sentence that begins
"Admin and Writer users" and replace "full Kafka and Schema Registry access" for
Writer with wording like "predefined write permissions for Kafka topics and
appropriate Schema Registry subjects (not full admin privileges)" and leave
Admin described as having full access; ensure subsequent lines referencing
"Writer role" or "Reader users" remain consistent.
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Schema Registry Authorization is now enabled fleet-wide on BYOC and Dedicated clusters via two LaunchDarkly flags (
enable-schema-registry-acls-2,enable-console-schema-registry-impersonation). For Cloud customers, this means:schema_registry_enable_authorizationis set totrueautomatically at cluster provisioning.subject/*andregistryACL resource types).This PR updates the docs accordingly:
modules/security/partials/predefined-roles.adoc— added a permissions matrix showing the SR operations granted to each predefined role.modules/security/pages/cloud-authentication.adoc— rewrote the Account impersonation section for per-subsystem toggles, removed the "contact Support" feature-flag callout, and softened the access-loss IMPORTANT note now that Reader/Writer roles include SR perms by default.modules/get-started/pages/whats-new-cloud.adoc— added two May 2026 entries.Closes DOC-1936.
Related PR
Companion docs PR for the single-sourced Schema Registry Authorization page: redpanda-data/docs#1694
Preview pages
Test plan
🤖 Generated with Claude Code