Doc 1196: Document Feature - Schema Registry Authorization (#1224)

Co-authored-by: kbatuigas <[email protected]>
Co-authored-by: Ben Pope <[email protected]>
Co-authored-by: Michele Cyran <[email protected]>

Author: 4 people

modules/ROOT/nav.adoc

@@ -183,6 +183,7 @@
 **** xref:manage:schema-reg/schema-reg-api.adoc[API]
 **** xref:console:ui/schema-reg.adoc[Redpanda Console]
 **** xref:manage:kubernetes/k-schema-controller.adoc[Kubernetes]
+*** xref:manage:schema-reg/schema-reg-authorization.adoc[Schema Registry Authorization]
 *** xref:manage:schema-reg/schema-id-validation.adoc[]
 *** xref:console:ui/schema-reg.adoc[Manage in Redpanda Console]
 ** xref:manage:console/index.adoc[Redpanda Console]

modules/get-started/pages/licensing/overview.adoc

@@ -147,6 +147,10 @@ The following table lists the enterprise features for Redpanda and how Redpanda
 | Manages user roles and permissions within the cluster.
 | Roles and ACLs associated with roles cannot be created or modified. Role deletion is allowed.
 
+| xref:manage:schema-reg/schema-reg-authorization.adoc[Schema Registry Authorization]
+| Manages ACLs for Redpanda Schema Registry resources within the cluster.
+| You can no longer enable `schema_registry_enable_authorization`, nor can you create or modify schema ACLs.
+
 | xref:manage:schema-reg/schema-id-validation.adoc[Server-Side Schema ID Validation]
 | Validates schema IDs server-side to ensure schema compatibility. With schema ID validation, records associated with unregistered schemas are detected and dropped by a broker rather than a consumer.
 | Topics with schema validation settings cannot be created or modified.

modules/get-started/pages/release-notes/redpanda.adoc

@@ -26,6 +26,10 @@ Redpanda now supports the following Kafka APIs for managing SASL user credential
 
 See also: xref:manage:security/authentication.adoc#sasl[Configure Authentication] and xref:manage:security/authorization/acl.adoc[]
 
+== Schema Registry Authorization
+
+You can now use the Enterprise-licensed feature xref:manage:schema-reg-authorization.adoc[Schema Registry Authorization] to control access to Schema Registry subjects and operations using either `rpk` or the xref:api:ROOT:schema-registry-api.adoc#get-/security/acls[Redpanda Schema Registry API] endpoints. Schema Registry Authorization offers more granular control over who can do what with your Redpanda Schema Registry resources. ACLs used for Schema Registry access also support RBAC roles.
+
 == Retrieve serialized Protobuf schemas with Schema Registry API
 
 Starting in version 25.2, the Schema Registry API supports retrieving serialized schemas (Protobuf only) using the `format=serialized` query parameter for the following endpoints:
@@ -53,13 +57,16 @@ HTTP Proxy previously used automatically-generated ephemeral credentials to auth
 If you need to maintain the current HTTP Proxy functionality while transitioning to authenticated clients, configure the following HTTP Proxy client properties in your `redpanda.yaml` configuration:
 
 - xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`]: Username for SASL/SCRAM authentication
-- xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`]: Password for SASL/SCRAM authentication  
+- xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`]: Password for SASL/SCRAM authentication
 - xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]: SASL mechanism (typically `SCRAM-SHA-256` or `SCRAM-SHA-512`)
 
+
 == Cluster properties
 
 The following cluster properties are new in this version:
 
+- xref:reference:properties/cluster-properties.adoc#schema_registry_enable_authorization[`schema_registry_enable_authorization`]
+
 === Iceberg integration
 
 * config_ref:iceberg_rest_catalog_base_location,true,properties/cluster-properties[`iceberg_rest_catalog_base_location`]: Specifies the base location for the Iceberg REST catalog. Required for AWS Glue Data Catalog.

modules/manage/pages/schema-reg/schema-reg-api.adoc

@@ -76,6 +76,49 @@ def pretty(text):
 base_uri = "http://localhost:8081"
 ----
 
+== Manage Schema Registry ACLs
+
+ifndef::env-cloud[]
+[NOTE]
+====
+include::shared:partial$enterprise-license.adoc[]
+====
+endif::[]
+
+You can use ACLs to control access to Schema Registry resources. You can define fine-grained access on a global level, for example, to allow a principal to read all schemas, or on a per-subject basis, for example, to read and modify only the schemas of a specific subject.
+
+See xref:manage:schema-reg/schema-reg-authorization.adoc[] for more details on Schema Registry Authorization.
+
+For example, to xref:api:ROOT:pandaproxy-schema-registry.adoc#post-/security/acls[create ACLs] that allow users with the `admin` role read-only access to all registered schemas, run:
+
+[,bash]
+----
+curl -X POST "http://localhost:8081/security/acls" \
+  -H "Content-Type: application/json" \
+  -d '[
+    {
+      "principal": "RedpandaRole:admin",
+      "resource": "*",
+      "resource_type": "REGISTRY",
+      "pattern_type": "LITERAL",
+      "host": "*",
+      "operation": "DESCRIBE_CONFIGS",
+      "permission": "ALLOW"
+    },
+    {
+      "principal": "RedpandaRole:admin",
+      "resource": "*",
+      "resource_type": "SUBJECT",
+      "pattern_type": "LITERAL",
+      "host": "*",
+      "operation": "READ",
+      "permission": "ALLOW"
+    }
+  ]'
+----
+
+This creates two ACLs: one for registry-level read operations (such as reading global configuration) and another for subject-level read operations (such as reading schemas).
+
 == Query supported schema formats
 
 To get the supported data serialization formats in the Schema Registry, make a GET request to the `/schemas/types` endpoint:
@@ -935,7 +978,7 @@ Curl::
 
 == Use READONLY mode for disaster recovery
 
-The `/mode` endpoint allows you to put Schema Registry in read-only or read-write mode. A read-only Schema Registry does not accept direct writes. An active production cluster can replicate schemas to a read-only Schema Registry to keep it in sync, for example using Redpanda's https://github.com/redpanda-data/schema-migration/[Schema Migration tool^]. Users in the disaster recovery (DR) site cannot update schemas directly, so the DR cluster has an exact replica of the schemas in production. In a failover due to a disaster or outage, you can set Schema Registry to read-write mode, taking over for the failed cluster and ensuring availability. 
+The `/mode` endpoint allows you to put Schema Registry in read-only or read-write mode. A read-only Schema Registry does not accept direct writes. An active production cluster can replicate schemas to a read-only Schema Registry to keep it in sync, for example using Redpanda's https://github.com/redpanda-data/schema-migration/[Schema Migration tool^]. Users in the disaster recovery (DR) site cannot update schemas directly, so the DR cluster has an exact replica of the schemas in production. In a failover due to a disaster or outage, you can set Schema Registry to read-write mode, taking over for the failed cluster and ensuring availability.
 
 If authentication is enabled on Schema Registry, only superusers can change global and subject-level modes.