From 8cf26f1e8752f9e0011af1d5231b3ec8c5186412 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 24 Jun 2026 17:54:26 -0600 Subject: [PATCH 1/2] DOC-1732: Document managing Schema Registry ACLs in Console Add a Console UI procedure for Schema Registry subject and registry ACLs to the single-sourced schema-reg-authorization.adoc, and note the Subject and Schema Registry resource types in the Add ACL modal in acl.adoc. Both pages single-source to cloud-docs, so this covers Cloud and self-managed. Verified the Add ACL Resource Type labels (Subject, Schema Registry) against a live Console build. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../pages/schema-reg/schema-reg-authorization.adoc | 11 +++++++++++ modules/manage/pages/security/authorization/acl.adoc | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc index 7f937534f8..6dff64f9f8 100644 --- a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc +++ b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc 
@@ -50,6 +50,17 @@ Schema Registry Authorization introduces two new ACL resource types in addition * `registry`: Controls whether or not to grant ACL access to global, or top-level Schema Registry operations. Specify using the flag `registry-global`. * `subject`: Controls ACL access for specific Schema Registry subjects. Specify using the flag `registry-subject`. +=== Manage Schema Registry ACLs in {ui} + +After Schema Registry Authorization is enabled, you can create and manage Schema Registry ACLs from the *Security* page in {ui}, the same way you manage Kafka ACLs. Open a user under *Users* (or a role under *Roles*), then use the *ACLs* section on its detail page. + +To add a Schema Registry ACL, click *+ Add ACL* and set *Resource Type* to one of the Schema Registry resource types: + +* *Subject*: Restricts access to specific subjects (the `subject` resource type). Set *Resource Name* to the subject name (for example, `sensor-data-value`), and set *Pattern Type* to `Literal` to match a single subject or `Prefixed` to match all subjects that share a prefix. +* *Schema Registry*: Restricts global, top-level Schema Registry operations (the `registry` resource type). This resource applies cluster-wide, so you do not set a resource name. + +For example, to let a principal read schemas under the `sensor-data-value` subject, add an ACL with *Resource Type* `Subject`, *Pattern Type* `Literal`, *Resource Name* `sensor-data-value`, *Operation* `Read`, and *Permission* `Allow`. For the operations available on each resource type, see the Supported operations table below. + == Supported operations Redpanda Schema Registry ACLs support the following specific subset of Schema Registry endpoints and operations: diff --git a/modules/manage/pages/security/authorization/acl.adoc b/modules/manage/pages/security/authorization/acl.adoc index 6179475088..a989321896 100644 --- a/modules/manage/pages/security/authorization/acl.adoc 
+++ b/modules/manage/pages/security/authorization/acl.adoc @@ -49,7 +49,7 @@ You can create and manage ACLs in the following ways: + On a principal's detail page, the *ACLs* section shows one row per rule, with columns for type, resource, operation, permission, and host. It offers three actions: + -** Click *+ Add ACL* to define a single rule by specifying its resource type, pattern type, resource name, operation, permission, and host. +** Click *+ Add ACL* to define a single rule by specifying its resource type, pattern type, resource name, operation, permission, and host. The *Resource Type* list includes *Subject* and *Schema Registry* for Schema Registry ACLs, in addition to the Kafka resource types. See xref:manage:schema-reg/schema-reg-authorization.adoc[] for the Schema Registry operations they support. ** Click *Allow all operations* to grant full wildcard access across all resource types in a single step. Use this for testing only; it is too broad for production. ** Select one or more rows with the checkboxes and click *Delete selected* to remove ACLs in bulk. * *Command Line*: Use the `rpk` command-line tool for programmatic management. From cb8629a2a4ba286f1a66862f7cb4ba8ea97f636c Mon Sep 17 00:00:00 2001 
From: micheleRP Date: Thu, 25 Jun 2026 12:14:07 -0600 Subject: [PATCH 2/2] DOC-1732: Apply review suggestions to SR Console ACLs section Address Feediver1 review feedback: - Link the Console method bullet to the new in-page section via an explicit [#manage-sr-acls-console] anchor instead of bouncing to acl.adoc - Drop the "After ... is enabled" conditional from the section intro so it reads correctly in the Cloud render (authorization is on by default) - Remove the redundant pointer to the Supported operations table (it sits directly below); keep the [#supported-operations] ID for existing inbound links Co-Authored-By: Claude Opus 4.8 (1M context) --- .../pages/schema-reg/schema-reg-authorization.adoc | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc index 6dff64f9f8..76bcc8d64e 100644 --- a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc +++ b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc 
@@ -37,10 +37,10 @@ You can manage Schema Registry Authorization in the following ways: - **rpk**: Use the xref:reference:rpk/rpk-security/rpk-security-acl-create.adoc[`rpk security acl create`] command, just like you would for other Kafka ACLs. - **Schema Registry API**: Use the link:/api/doc/schema-registry/operation/operation-get_security_acls[Redpanda Schema Registry API] endpoints. ifndef::env-cloud[] -- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:manage:security/authorization/acl.adoc[]. +- **{ui}**: After enabling Schema Registry Authorization for your cluster, you can use {ui} to manage Schema Registry ACLs. See xref:#manage-sr-acls-console[]. endif::[] ifdef::env-cloud[] -- **{ui}**: Use {ui} to manage Schema Registry ACLs. See xref:security:authorization/acl.adoc[]. +- **{ui}**: Use {ui} to manage Schema Registry ACLs. See xref:#manage-sr-acls-console[]. endif::[] === Schema Registry ACL resource types 
@@ -50,17 +50,19 @@ Schema Registry Authorization introduces two new ACL resource types in addition * `registry`: Controls whether or not to grant ACL access to global, or top-level Schema Registry operations. Specify using the flag `registry-global`. * `subject`: Controls ACL access for specific Schema Registry subjects. Specify using the flag `registry-subject`. +[#manage-sr-acls-console] === Manage Schema Registry ACLs in {ui} -After Schema Registry Authorization is enabled, you can create and manage Schema Registry ACLs from the *Security* page in {ui}, the same way you manage Kafka ACLs. Open a user under *Users* (or a role under *Roles*), then use the *ACLs* section on its detail page. +You can create and manage Schema Registry ACLs from the *Security* page in {ui}, the same way you manage Kafka ACLs. Open a user under *Users* (or a role under *Roles*), then use the *ACLs* section on its detail page. To add a Schema Registry ACL, click *+ Add ACL* and set *Resource Type* to one of the Schema Registry resource types: * *Subject*: Restricts access to specific subjects (the `subject` resource type). Set *Resource Name* to the subject name (for example, `sensor-data-value`), and set *Pattern Type* to `Literal` to match a single subject or `Prefixed` to match all subjects that share a prefix. * *Schema Registry*: Restricts global, top-level Schema Registry operations (the `registry` resource type). This resource applies cluster-wide, so you do not set a resource name. -For example, to let a principal read schemas under the `sensor-data-value` subject, add an ACL with *Resource Type* `Subject`, *Pattern Type* `Literal`, *Resource Name* `sensor-data-value`, *Operation* `Read`, and *Permission* `Allow`. For the operations available on each resource type, see the Supported operations table below. 
+For example, to let a principal read schemas under the `sensor-data-value` subject, add an ACL with *Resource Type* `Subject`, *Pattern Type* `Literal`, *Resource Name* `sensor-data-value`, *Operation* `Read`, and *Permission* `Allow`. +[#supported-operations] == Supported operations Redpanda Schema Registry ACLs support the following specific subset of Schema Registry endpoints and operations:
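Review bot: In PATCH 1/2, the new `=== Manage Schema Registry ACLs in {ui}` section (hunk `@@ -50,6 +50,17` of schema-reg-authorization.adoc) opens both bullets with "Restricts", while the `registry` and `subject` bullets directly above use "Controls ACL access" and the worked example that follows is an `Allow` rule. Suggest "Controls access to ..." in both bullets so the text does not read as deny-only. The *Schema Registry* bullet says only that no resource name is set; it should also say what to do with *Pattern Type* for that resource type. For `Prefixed`, consider one sentence noting that the rule also covers any subject created later under the same prefix, since that is the case readers tend to over-grant on.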
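Review bot: In PATCH 1/2, the sentence added to the *+ Add ACL* bullet in acl.adoc (hunk `@@ -49,7 +49,7`) links with `xref:manage:schema-reg/schema-reg-authorization.adoc[]` unconditionally, but the commit message says this page is single-sourced to cloud-docs, and schema-reg-authorization.adoc needs `ifdef::env-cloud[]` to switch between `xref:manage:security/authorization/acl.adoc[]` and `xref:security:authorization/acl.adoc[]`. Confirm that the `manage:` target resolves in the Cloud build, or wrap the xref in the same conditional. The next bullet, *Allow all operations*, promises wildcard access "across all resource types"; now that *Subject* and *Schema Registry* are listed here, say whether that action includes them.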
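Review bot: In PATCH 2/2, both `{ui}` bullets (hunk `@@ -37,10 +37,10`) now end in `xref:#manage-sr-acls-console[]` with empty link text, so the rendered link depends on the generated title of a section whose heading contains the `{ui}` attribute. The rpk and API bullets in the same list carry explicit link text; suggest doing the same here, or checking the rendered text in both the Cloud and self-managed builds. With the targets now identical, the two conditional blocks differ only by the "After enabling ..." clause, so the bullet could be written once with just that clause inside `ifndef::env-cloud[]`.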
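Review bot: In PATCH 2/2, the rewritten section intro (hunk `@@ -50,17 +50,19`) drops "After Schema Registry Authorization is enabled" for every render, so a self-managed reader who arrives through the new `[#manage-sr-acls-console]` anchor no longer sees the prerequisite that the `ifndef::env-cloud[]` bullet above still states. Suggest keeping the precondition in the section, guarded by `ifndef::env-cloud[]`, rather than removing it outright. Separately, the commit message says the `[#supported-operations]` ID is kept, but the hunk shows it as an added line; confirm that it matches the ID that existing inbound links already target.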