We have a GKE cluster where we have deployed a Strimzi-based Kafka cluster. Additionally, we installed Schema Registry using the Bitnami Helm chart on the same cluster where Strimzi Kafka is running.
Does it support ACLs to restrict access?
For example, allowing producers/consumers read access while providing read/write/update permissions to admins.
How can we enforce ACL-based access restrictions on the _schemas topic?
By default, Confluent Schema Registry reads/writes to the _schemas Kafka topic.
Currently, we have granted full access to this topic using the following Strimzi Kafka ACLs:
```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: schema-registry-user # Name of the Kafka user, confluent-schema-registry
  namespace: kafka # Namespace where the Kafka cluster is deployed
  labels:
    strimzi.io/cluster: my-kafka-poc-tf # Links this user to the Kafka cluster
spec:
  authentication:
    type: tls # Enforces TLS authentication (certificate-based access)
    # type: scram-sha-512 # Enforces SCRAM-SHA-512 authentication (username/password-based access)
  authorization:
    type: simple # Enables ACL-based access control
    acls:
      # ✅ Grant Schema Registry full access to the "_schemas" topic
      - resource:
          type: topic
          name: _schemas
          patternType: literal
        operation: All # Allows full access (Read, Write, Delete, Describe, etc.)
        type: allow
      # ✅ Allow Schema Registry to create and manage its consumer groups
      - resource:
          type: group
          name: schema-registry
          patternType: prefix
        operation: All # Allows full control of consumer groups starting with "schema-registry"
        type: allow
      # ✅ Allow Schema Registry to read Kafka's consumer offsets
      - resource:
          type: topic
          name: __consumer_offsets
          patternType: literal
        operation: Describe # Only allows reading offset metadata (not writing)
        type: allow
```
Is there a way to restrict access to _schemas while still allowing Schema Registry to function properly?
Alternative Solutions:
If the open-source Confluent Schema Registry does not support fine-grained access control, what alternatives support this?
I am aware of Karapace Schema Registry but unsure whether it supports client-specific access control the way we mentioned on top in this chat.
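As an added example (not part of the issue and not Strimzi's or Confluent's own documentation), the manifests below show one way to narrow the ACLs from the issue instead of granting `All`: the Schema Registry principal keeps only the operations on `_schemas` and its consumer group that the registry is assumed to need, and an application principal gets ACLs on its own topic only, with no entry for `_schemas` at all, so it can reach schemas solely through the registry's REST API. The cluster name and namespace are copied from the issue; the application user name `orders-producer`, the topic `orders`, and the exact operation set for the registry (Read, Write, DescribeConfigs on `_schemas`; Read on the group) are assumptions to verify against the Strimzi and Schema Registry versions in use.

```yaml
# Added example: least-privilege KafkaUser for Schema Registry.
# Operation set is an assumption; verify it against your registry version.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: schema-registry-user
  namespace: kafka
  labels:
    strimzi.io/cluster: my-kafka-poc-tf
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      # _schemas: the registry replays the whole log and appends new versions.
      # Read and Write each imply Describe; no Delete or Alter is granted, so a
      # leaked registry certificate cannot purge or reconfigure the schema store.
      - resource:
          type: topic
          name: _schemas
          patternType: literal
        operation: Read
        type: allow
      - resource:
          type: topic
          name: _schemas
          patternType: literal
        operation: Write
        type: allow
      # Assumed: the registry checks the topic's cleanup.policy on startup,
      # which needs DescribeConfigs rather than full topic control.
      - resource:
          type: topic
          name: _schemas
          patternType: literal
        operation: DescribeConfigs
        type: allow
      # Consumer group: Read (join and commit offsets) instead of All.
      - resource:
          type: group
          name: schema-registry
          patternType: prefix
        operation: Read
        type: allow
---
# Added example: an application principal (assumed name and topic) with
# access to its own topic only. With simple authorization, a principal with
# no ACL on _schemas is denied, so it cannot read or write schema data in
# Kafka directly; it must go through the registry's REST API.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: orders-producer   # assumed application principal
  namespace: kafka
  labels:
    strimzi.io/cluster: my-kafka-poc-tf
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: orders   # assumed application topic
          patternType: literal
        operation: Write   # Write implies Describe, so no separate entry is needed
        type: allow
```

Apply both resources with `kubectl apply -f`; the Strimzi User Operator turns each entry into a broker ACL. If the registry fails to start after the change, the broker's authorizer log records the denied principal and operation, which tells you exactly which single operation to add back rather than reverting to `All`.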