From 651b9d27c9ff724d0d3659b727e30dbfbc9bb76b Mon Sep 17 00:00:00 2001 From: Travis Bischel Date: Thu, 25 Jun 2026 12:41:07 -0600 Subject: [PATCH 1/2] docs: add DESCRIBE_CONFIGS to migrator source topic ACLs The Kafka ACL note for data migration listed only READ on source topics, but Redpanda Migrator also issues DescribeConfigs against the source to read each topic's configuration for replication. READ grants DESCRIBE but not DESCRIBE_CONFIGS, so a consumer-only ACL on the source fails topic creation with TOPIC_AUTHORIZATION_FAILED. Add DESCRIBE_CONFIGS (source and target) and an explanatory note. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/manage/pages/schema-reg/schema-reg-authorization.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc index 7f937534f8..f9d7bbbe55 100644 --- a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc +++ b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc @@ -269,10 +269,12 @@ This grants: ==== **Schema Registry ACLs are only for Schema Registry operations.** For complete data migration, you must also use Kafka ACLs: -* **Topics:** READ (source), WRITE/CREATE/DESCRIBE/ALTER (target) +* **Topics:** READ, DESCRIBE_CONFIGS (source); WRITE/CREATE/DESCRIBE/ALTER/DESCRIBE_CONFIGS (target) * **Consumer groups:** READ (source), CREATE/READ (target) * **Cluster:** DESCRIBE (both), CREATE (target) +`READ` on a topic implicitly grants `DESCRIBE`, but not `DESCRIBE_CONFIGS`. Redpanda Migrator reads each source topic's configuration (`DESCRIBE_CONFIGS`) to recreate it on the target, so a consumer-only ACL on the source is not sufficient: without `DESCRIBE_CONFIGS` on the source topics, topic creation fails with `TOPIC_AUTHORIZATION_FAILED`. + See xref:manage:security/authorization/acl.adoc[Configure Access Control Lists] for Kafka ACL configuration. ==== 
From f88878dd91ab6aa9002ae8d6d61ad84a2cad5c84 Mon Sep 17 00:00:00 2001 From: Joyce Fee <102751339+Feediver1@users.noreply.github.com> Date: Thu, 25 Jun 2026 14:02:23 -0500 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- .../manage/pages/schema-reg/schema-reg-authorization.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc index f9d7bbbe55..deb3b40ca2 100644 --- a/modules/manage/pages/schema-reg/schema-reg-authorization.adoc +++ b/modules/manage/pages/schema-reg/schema-reg-authorization.adoc @@ -269,9 +269,9 @@ This grants: ==== **Schema Registry ACLs are only for Schema Registry operations.** For complete data migration, you must also use Kafka ACLs: -* **Topics:** READ, DESCRIBE_CONFIGS (source); WRITE/CREATE/DESCRIBE/ALTER/DESCRIBE_CONFIGS (target) -* **Consumer groups:** READ (source), CREATE/READ (target) -* **Cluster:** DESCRIBE (both), CREATE (target) +* **Topics:** `READ`, `DESCRIBE_CONFIGS` (source); `WRITE`/`CREATE`/`DESCRIBE`/`ALTER`/`DESCRIBE_CONFIGS` (target) +* **Consumer groups:** `READ` (source), `CREATE`/`READ` (target) +* **Cluster:** `DESCRIBE` (both), `CREATE` (target) `READ` on a topic implicitly grants `DESCRIBE`, but not `DESCRIBE_CONFIGS`. Redpanda Migrator reads each source topic's configuration (`DESCRIBE_CONFIGS`) to recreate it on the target, so a consumer-only ACL on the source is not sufficient: without `DESCRIBE_CONFIGS` on the source topics, topic creation fails with `TOPIC_AUTHORIZATION_FAILED`.
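Review bot: In PATCH 1/2, the Topics bullet adds DESCRIBE_CONFIGS to the target list as well as the source, but the new paragraph and the commit message only justify it for the source, where Redpanda Migrator reads each topic's configuration. Either add a sentence saying which target-side operation needs DESCRIBE_CONFIGS, or leave the target list unchanged so the docs do not ask for a broader grant than the text explains. The same paragraph says "topic creation fails with TOPIC_AUTHORIZATION_FAILED" without saying which cluster reports the error; the missing permission is on the source while the topic is recreated on the target, so naming the cluster that returns it would keep readers from debugging the wrong set of ACLs.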
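Review bot: In PATCH 2/2, the reformatted Topics bullet still mixes three separators: a comma inside the source list (`READ`, `DESCRIBE_CONFIGS`), slashes inside the target list, and a semicolon between source and target, while the Consumer groups and Cluster bullets use a comma between source and target. Pick one convention for all three bullets, for example commas within a list and a semicolon between source and target, so it is unambiguous which operations belong to which cluster. The subject "Apply suggestions from code review" also does not say what changed; a subject such as "docs: format ACL operation names as code" would read better in the log, or this commit could be squashed into PATCH 1/2.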