Skip to content

DOC-1936: Note SR authorization is on by default for Redpanda Cloud #1694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
micheleRP wants to merge 1 commit into
base: main
Choose a base branch
from
+29 −17
Open

DOC-1936: Note SR authorization is on by default for Redpanda Cloud #1694

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 29 additions & 17 deletions modules/manage/pages/schema-reg/schema-reg-authorization.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,15 @@ include::shared:partial$enterprise-license.adoc[]
====
endif::[]

ifdef::env-cloud[]
[NOTE]
====
On BYOC and Dedicated clusters, Schema Registry Authorization is enabled by default. The xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`] cluster property is set to `true` automatically when the cluster is provisioned, and the predefined Admin, Writer, and Reader roles include Schema Registry permissions. See xref:security:authorization/rbac/rbac.adoc#predefined-roles[Predefined roles] for the operations granted by each role.

You do not need to enable Schema Registry Authorization manually. Use the rest of this page to learn how to define custom Schema Registry ACLs and roles for your users and applications.
====
endif::[]

== About Schema Registry Authorization

Schema Registry Authorization allows you to control which users and applications can perform specific operations within the Redpanda Schema Registry. This ensures that only authorized entities can read, write, modify, delete, or configure schemas and their settings.
Expand All @@ -28,10 +37,10 @@ You can manage Schema Registry Authorization in the following ways:
- **rpk**: Use the xref:reference:rpk/rpk-security/rpk-security-acl-create.adoc[`rpk security acl create`] command, just like you would for other Kafka ACLs.
- **Schema Registry API**: Use the link:/api/doc/schema-registry/operation/operation-get_security_acls[Redpanda Schema Registry API] endpoints.
ifndef::env-cloud[]
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:manage:security/authorization/acl.adoc[].
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:manage:security/authorization/acl.adoc[].
endif::[]
ifdef::env-cloud[]
- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:security:/authorization/acl.adoc[].
- **{ui}**: Use {ui} to manage Schema Registry ACLs. See xref:security:authorization/acl.adoc[].
endif::[]

=== Schema Registry ACL resource types
Expand Down Expand Up @@ -402,32 +411,34 @@ Redpanda recommends using the topic naming strategy where subjects follow the pa
Example: `--registry-subject "orders-" --resource-pattern-type prefixed` grants access to both `orders-key` and `orders-value` subjects.
====

== Enable Schema Registry Authorization
ifdef::env-cloud[]
== Manage Schema Registry ACLs

=== Prerequisites

Before you can enable Schema Registry Authorization, you must have:

ifndef::env-cloud[]
* A valid Redpanda Enterprise license.
endif::[]
Before you can create or manage Schema Registry ACLs, you must have:

ifdef::env-cloud[]
* `rpk` v25.2+ installed. For installation instructions, see xref:manage:rpk/rpk-install.adoc[rpk installation].
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Use empty brackets in xref to auto-pull the document title.

The xref link uses explicit text [rpk installation] but should use empty brackets to automatically pull the title from the target document.

📝 Suggested fix 
-* `rpk` v25.2+ installed. For installation instructions, see xref:manage:rpk/rpk-install.adoc[rpk installation].
+* `rpk` v25.2+ installed. For installation instructions, see xref:manage:rpk/rpk-install.adoc[].

Based on learnings: "AsciiDoc linking: prefer using xref links with empty brackets (e.g., xref:section/target.adoc[]) because the title is pulled from the referenced document automatically. Avoid hard-coding link text; use xref:...[] to let the target document's title render as the link text when publishing."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
* `rpk` v25.2+ installed. For installation instructions, see xref:manage:rpk/rpk-install.adoc[rpk installation].
* `rpk` v25.2+ installed. For installation instructions, see xref:manage:rpk/rpk-install.adoc[].
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/manage/pages/schema-reg/schema-reg-authorization.adoc` at line 421,
Replace the hard-coded xref text in the link string
"xref:manage:rpk/rpk-install.adoc[rpk installation]" with empty brackets so the
target document title is pulled automatically — change the occurrence of
xref:manage:rpk/rpk-install.adoc[rpk installation] to
xref:manage:rpk/rpk-install.adoc[] in the schema-reg-authorization content.

* Cluster administrator permissions to modify Schema Registry ACLs.
For example, to delegate ACL management to the principal `schema_registry_admin`, run:
+
[,bash]
----
rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
----
endif::[]

ifndef::env-cloud[]
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
endif::[]
== Enable Schema Registry Authorization

ifndef::env-cloud[]
* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See xref:reference:properties/broker-properties.adoc#schema-registry[Schema Registry broker properties].
endif::[]
=== Prerequisites

ifndef::env-cloud[]
* If you have listeners configured for Schema Registry, ensure you xref:manage:security/authentication.adoc#basic-authentication[configure authentication] for them and that your configuration points to the correct Schema Registry address (correct scheme, host, and port) for the same cluster you are targeting with your Kafka brokers.
endif::[]
Before you can enable Schema Registry Authorization, you must have:

* A valid Redpanda Enterprise license.
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Use empty brackets in xref to auto-pull the document title.

The xref link uses explicit text [rpk installation] but should use empty brackets to automatically pull the title from the target document.

📝 Suggested fix 
-* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
+* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[].

Based on learnings: "AsciiDoc linking: prefer using xref links with empty brackets (e.g., xref:section/target.adoc[]) because the title is pulled from the referenced document automatically. Avoid hard-coding link text; use xref:...[] to let the target document's title render as the link text when publishing."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[rpk installation].
* `rpk` v25.2+ installed. For installation instructions, see xref:get-started:rpk-install.adoc[].
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/manage/pages/schema-reg/schema-reg-authorization.adoc` at line 439,
Replace the explicit link text in the xref call so the document title is pulled
automatically: change the xref token xref:get-started:rpk-install.adoc[rpk
installation] to use empty brackets (xref:get-started:rpk-install.adoc[]) in the
sentence that currently reads "* `rpk` v25.2+ installed. For installation
instructions, see xref:get-started:rpk-install.adoc[rpk installation]." so the
published link uses the target document's title instead of hard-coded text.

* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See xref:reference:properties/broker-properties.adoc#schema-registry[Schema Registry broker properties].
* If you have listeners configured for Schema Registry, ensure you xref:manage:security/authentication.adoc#basic-authentication[configure authentication] for them and that your configuration points to the correct Schema Registry address (correct scheme, host, and port) for the same cluster you are targeting with your Kafka brokers.
* Cluster administrator permissions to modify cluster configurations.
For example, to enable management of Schema Registry ACLs by the principal `schema_registry_admin`, run:
+
Expand All @@ -446,6 +457,7 @@ rpk cluster config set schema_registry_enable_authorization true
----

For details, see xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`].
endif::[]

== Create and manage Schema Registry ACLs

Expand Down
Loading