Schema Registry Security Plugin
This is a commercial component of Confluent Platform.
With RBAC enabled, Schema Registry can authenticate incoming requests
and authorize them based on role bindings. This allows schema evolution management to be
restricted to administrative users, while providing users and applications with different
types of access to a subset of subjects for which they are authorized (such as, write
access to relevant subjects for producers, read access for consumers).
The Schema Registry plugin supports authorization for both role-based access control (RBAC) and
ACLs, and you can configure it to use either or both. If both are configured,
then requests are authorized by way of a logical OR
. In other words, a
request that is only authorized by RBAC or ACLs, but not
both, is still considered valid.
Tip
ACLs are separately available for Kafka and for Schema Registry. If you have ACLs enabled
for Apache Kafka® (to protect topics, consumer groups, and so on), then you
must configure Schema Registry with ACL permissions to read, write, create, and describe
the _schemas topic. However, until either ACLs or Role-Based Access Control is
also enabled for Schema Registry, any user can create, alter, and delete Schema Registry subjects.
Important
If the Schema Registry Security Plugin is installed and configured to use ACLs, it must connect to ZooKeeper and will use
kafkastore.connection.url to do so. The config kafkastore.connection.url
is deprecated for the purposes
of ZooKeeper leader election, but is still used for this security plugin. If you configure both kafkastore.connection.url
(ZooKeeper)
and kafkastore.bootstrap.servers (Kafka), kafkastore.connection.url
(ZooKeeper) is used for the security plugin and
kafkastore.bootstrap.servers
(Kafka) is used for leader election. See also, ZooKeeper
in the Schema Registry security overview, and Adding security to a running cluster, especially the ZooKeeper section, which describes how
to enable security between Kafka brokers and ZooKeeper.