redpanda-data · paulohtb6 · Jul 18, 2025 · Jul 15, 2025 · Jul 15, 2025 · Jul 15, 2025
@@ -657,10 +657,17 @@ endif::[]
 
 Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. For the Kafka username and password, Redpanda uses ephemeral credentials internal to the cluster. Ephemeral credentials are regular SCRAM credentials, but they're only stored in memory and are lost when a broker restarts. When the Schema Registry or HTTP Proxy start up, they broadcast an ephemeral credential to other brokers over the internal RPC. If authentication fails to a particular broker, new ephemeral credentials are sent to that broker, and the service reconnects.
 
+[IMPORTANT]
+====
+*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will fail to connect to the Kafka API.
+
+This change does not affect Schema Registry, which continues to use ephemeral credentials.
+====
+
 Schema Registry and HTTP Proxy support only the SASL/SCRAM mechanism.
 
 ifndef::env-kubernetes[]
-You can override the ephemeral credentials and manually configure Schema Registry and HTTP Proxy to connect to Redpanda with SASL. This approach is particularly useful when you want to apply specific access control through ACLs for the Schema Registry and HTTP Proxy users.
+Starting in Redpanda 25.2, you must manually configure HTTP Proxy to connect to Redpanda with SASL when HTTP Proxy API listeners use `authentication_method: none`. For Schema Registry, you can override the ephemeral credentials and manually configure Schema Registry to connect to Redpanda with SASL. This approach is particularly useful when you want to apply specific access control through ACLs for the Schema Registry and HTTP Proxy users.
 
 . xref:manage:security/authorization/index.adoc[Create appropriate ACLs] for the Schema Registry and HTTP Proxy users to define and restrict their access rights within the Redpanda cluster.
 
@@ -698,7 +705,22 @@ schema_registry_client:
   sasl_mechanism: SCRAM-SHA-256
 ----
 +
-For HTTP Proxy:
+For HTTP Proxy (required when `authentication_method: none` starting in Redpanda 25.2):
++
+[,yaml]
+----
+pandaproxy_client:
+  brokers:
+    - address: 127.0.0.1
+      port: 9092
+  scram_username: <username>
+  scram_password: <password>
+  sasl_mechanism: SCRAM-SHA-256
+----
++
+When HTTP Proxy API listeners use `authentication_method: none`, the HTTP Proxy client uses these credentials to authenticate with the Kafka API. The user specified in `scram_username` must have appropriate permissions to access the required Kafka resources.
++
+If TLS is enabled for the Kafka API, additional configuration is required:
 +
 [,yaml]
 ----
@@ -1757,6 +1779,11 @@ For all available endpoints, see xref:api:ROOT:pandaproxy-schema-registry.adoc[]
 
 To disable authentication for a listener, set `authentication_method` to `none`:
 
+[IMPORTANT]
+====
+*Breaking change in Redpanda 25.2:* When HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Configure the `pandaproxy_client` properties: `scram_username`, `scram_password`, and `sasl_mechanism`. For more information, see xref:reference:properties/broker-properties.adoc#scram_username[HTTP Proxy Client properties].
+====
+
 ifdef::env-kubernetes[]
 [tabs]
 ======

@@ -778,7 +778,11 @@ Delay (in milliseconds) for initial retry backoff.
 
 === sasl_mechanism
 
-The SASL mechanism to use when connecting.
+The SASL mechanism to use when the HTTP Proxy client connects to the Kafka API. These credentials are used when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API.
+
+Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy listeners use `authentication_method: none`, you must configure these SASL properties for HTTP Proxy to authenticate with the Kafka API.
+
+For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL].
 
 *Visibility:* `user`
 
@@ -790,7 +794,9 @@ The SASL mechanism to use when connecting.
 
 === scram_password
 
-Password to use for SCRAM authentication mechanisms.
+Password to use for SCRAM authentication mechanisms when the HTTP Proxy client connects to the Kafka API. This property is required when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API.
+
+Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You must configure this property if your HTTP Proxy listeners use `authentication_method: none`.
 
 *Visibility:* `user`
 
@@ -802,7 +808,9 @@ Password to use for SCRAM authentication mechanisms.
 
 === scram_username
 
-Username to use for SCRAM authentication mechanisms.
+Username to use for SCRAM authentication mechanisms when the HTTP Proxy client connects to the Kafka API. This property is required when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API.
+
+Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You must configure this property if your HTTP Proxy listeners use `authentication_method: none`.
 
 *Visibility:* `user`
 

@@ -1,5 +1,7 @@
 === Review incompatible changes
 
+* Starting in version 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will fail to connect to the Kafka API. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL].
+
 * Redpanda Console v3.0.0 introduces breaking changes. If you are using Redpanda Console v2.x, xref:migrate:console-v3.adoc[review the migration guide] to address breaking changes before upgrading Redpanda Console.
 
 * Starting in version 24.2, when managing configuration properties using the AlterConfigs API directly, Redpanda resets all unspecified values to the default values. This aligns more closely with the behavior in Apache Kafka. There is no change if you're managing your configuration with tools like `rpk`, Redpanda Console, Kubernetes, Helm, or Terraform.