Update schema registry ACL details

[vuldin]

Description

Added two new sections to explain what ACLs operations relate to the schema registry (and when to use them).

"Understanding Schema Registry operations" - Explains what each operation does in plain language:

• read - Reading schemas and content
• write - Registering new schemas
• delete - Deleting schemas
• describe - Listing and discovering resources
• describe_configs - Reading configuration
• alter_configs - Modifying configuration

"Common use cases" - Provides practical examples for:

• Schema Registry migration - Shows the exact ACL needed for migration with all 5 operations (read, write, describe, alter_configs, describe_configs)
• Read-only access for consumers - consumer permissions
• Producer access - producer permissions
• Schema administrator access - Full management permissions

Also added a new example showing migration permissions (rpk security acl create --allow-principal migrator-user --operation read,write,describe,alter_configs,describe_configs --registry-global).

Page previews

• https://deploy-preview-1528--redpanda-docs-preview.netlify.app/current/manage/schema-reg/schema-reg-authorization/#understanding-schema-registry-operations
• https://deploy-preview-1528--redpanda-docs-preview.netlify.app/current/reference/rpk/rpk-security/rpk-security-acl-create/#examples

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	c3632e7
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/6945ae9580bf090008c674a5
😎 Deploy Preview	https://deploy-preview-1528--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds documentation for Schema Registry ACL operations and configuration examples across two reference files. The changes introduce detailed guidance on six Schema Registry operations (read, write, delete, describe, describe_configs, alter_configs) with practical ACL configuration examples for common use cases, including schema migration, read-only consumer access, producer access, and schema administrator access. A new usage example for schema migration ACL permissions is also added to the rpk security ACL create reference documentation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10–15 minutes

• Review focuses on documentation accuracy and completeness of ACL examples
• Verify that the example commands and use case scenarios are technically correct
• Ensure consistency with existing documentation conventions and terminology

Possibly related PRs

• DOC-1550 Unresolved Schema Registry AuthZ issues #1332: Modifies the same Schema Registry authorization documentation (schema-reg-authorization.adoc) with overlapping edits to registry-global ACL examples and schema management ACL commands.

Suggested reviewers

• sago2k8
• andresaristizabal
• r-vasquez
• micheleRP

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating schema registry ACL documentation with operational details and common use cases.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description includes a clear summary of changes, marked checkbox for Content gap, and provides page preview links for validation.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between be83200 and c3632e7.

📒 Files selected for processing (2)

• modules/manage/pages/schema-reg/schema-reg-authorization.adoc (1 hunks)
• modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: micheleRP
Repo: redpanda-data/docs PR: 1334
File: modules/manage/partials/rbac-dp.adoc:93-98
Timestamp: 2025-08-25T21:00:26.626Z
Learning: In cloud documentation (env-cloud), Security is at the top level navigation, so ACL references should use `security:authorization/rbac/acl.adoc`. In self-managed documentation, Security is nested under Manage, so ACL references use `manage:security/authorization/acl.adoc`. The different xref paths in conditional blocks reflect these different navigation structures.

📚 Learning: 2025-08-25T21:00:26.626Z

Learnt from: micheleRP
Repo: redpanda-data/docs PR: 1334
File: modules/manage/partials/rbac-dp.adoc:93-98
Timestamp: 2025-08-25T21:00:26.626Z
Learning: In cloud documentation (env-cloud), Security is at the top level navigation, so ACL references should use `security:authorization/rbac/acl.adoc`. In self-managed documentation, Security is nested under Manage, so ACL references use `manage:security/authorization/acl.adoc`. The different xref paths in conditional blocks reflect these different navigation structures.

Applied to files:

• modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc
• modules/manage/pages/schema-reg/schema-reg-authorization.adoc

📚 Learning: 2025-12-12T16:18:28.126Z

Learnt from: andrewstucki
Repo: redpanda-data/docs PR: 1514
File: modules/troubleshoot/partials/errors-and-solutions.adoc:618-632
Timestamp: 2025-12-12T16:18:28.126Z
Learning: In Redpanda ShadowLink CRD usage, do not copy CA certificates into pods via kubectl cp because they won't persist across pod restarts. Store CA certs in Kubernetes Secrets and reference them in the ShadowLink's staticConfiguration block (or inline the cert data in that block) to ensure persistence and proper secret management.

Applied to files:

• modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc
• modules/manage/pages/schema-reg/schema-reg-authorization.adoc

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Redirect rules - redpanda-docs-preview
• GitHub Check: Header rules - redpanda-docs-preview
• GitHub Check: Pages changed - redpanda-docs-preview

🔇 Additional comments (5)

modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc (1)

47-51: New schema migration example is clear and well-placed.

The addition appropriately documents a common use case for Schema Registry ACL permissions with the correct combination of operations for migration scenarios.

modules/manage/pages/schema-reg/schema-reg-authorization.adoc (4)

199-209: Excellent operation descriptions with clear, actionable explanations.

The new "Understanding Schema Registry operations" section clearly explains each of the six supported operations and provides concrete use-case examples for each. These descriptions align accurately with the endpoint-operation mapping table.

---

214-238: Add conditional handling to the schema-reg-api xref.

Line 237 references xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[], which is a self-managed path. Since this page is shared between both cloud and self-managed documentation, this xref needs to be wrapped in conditional blocks (using ifdef::env-cloud[] / ifndef::env-cloud[]) to point to the correct API documentation for each environment.

🔎 Suggested fix for conditional xref

 [NOTE]
 ====
 The target Schema Registry must be in IMPORT mode to preserve schema IDs during migration. Only superusers or principals with `alter_configs` permission on the `registry` resource can change the global mode. See xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[Set global mode].
 ====

Replace with:

 [NOTE]
 ====
 The target Schema Registry must be in IMPORT mode to preserve schema IDs during migration. Only superusers or principals with `alter_configs` permission on the `registry` resource can change the global mode. 
+ifndef::env-cloud[]
 See xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[Set global mode].
+endif::[]
+ifdef::env-cloud[]
+See xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[Set global mode].
+endif::[]
 ====

Based on learnings from previous PRs, the conditional xref paths should be: manage:schema-reg/schema-reg-api.adoc for self-managed and the cloud equivalent for cloud documentation.

---

278-296: Schema administrator example is clear and complete.

The use of --operation all for full schema management is appropriate and well-explained, with clear descriptions of the capabilities granted by the full permission set.

---

31-35: xref paths correctly handle env-cloud conditions.

The conditional blocks properly route to manage:security/authorization/acl.adoc for self-managed and security:/authorization/acl.adoc for cloud documentation.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add --resource-pattern-type prefixed flag for wildcard subject patterns.

Line 250 uses --registry-subject "orders-*" with a wildcard pattern, but does not specify --resource-pattern-type prefixed. Without this flag, the literal default pattern type will only match a subject literally named "orders-*", not subjects starting with "orders-". This same issue applies to the producer example at line 269.

🔎 Suggested fix

-# For consuming with schema validation
-rpk security acl create \
-  --allow-principal consumer-app \
-  --operation read \
-  --registry-subject "orders-*"
+# For consuming with schema validation
+rpk security acl create \
+  --allow-principal consumer-app \
+  --operation read \
+  --resource-pattern-type prefixed \
+  --registry-subject "orders-*"

🤖 Prompt for AI Agents

In modules/manage/pages/schema-reg/schema-reg-authorization.adoc around lines
240 to 257 (and also update the producer example at line ~269), the rpk ACL
commands use wildcard registry subjects like "orders-*" but omit the
--resource-pattern-type prefixed flag so the pattern will be interpreted
literally; update the examples to include --resource-pattern-type prefixed on
any ACL commands that use wildcard subject patterns (e.g., add
--resource-pattern-type prefixed to the read-only consumer command at line ~250
and to the producer example at line ~269) so the ACLs match subjects with the
given prefix.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add --resource-pattern-type prefixed flag for wildcard subject patterns.

Line 269 uses --registry-subject "orders-*" with a wildcard pattern, but does not specify --resource-pattern-type prefixed. The literal default pattern type will only match a subject literally named "orders-*", not subjects starting with "orders-".

🔎 Suggested fix

-# For producing with new schemas
-rpk security acl create \
-  --allow-principal producer-app \
-  --operation read,write,describe \
-  --registry-subject "orders-*"
+# For producing with new schemas
+rpk security acl create \
+  --allow-principal producer-app \
+  --operation read,write,describe \
+  --resource-pattern-type prefixed \
+  --registry-subject "orders-*"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	==== Producer access
	Applications that produce messages with schemas need:
	[,bash]
	----
	# For producing with new schemas
	rpk security acl create \
	--allow-principal producer-app \
	--operation read,write,describe \
	--registry-subject "orders-*"
	----
	This allows:
	* Checking if schemas already exist (`describe`)
	* Reading existing schema versions (`read`)
	* Registering new schema versions (`write`)
	==== Producer access
	Applications that produce messages with schemas need:
	[,bash]
	----
	# For producing with new schemas
	rpk security acl create \
	--allow-principal producer-app \
	--operation read,write,describe \
	--resource-pattern-type prefixed \
	--registry-subject "orders-*"
	----
	This allows:
	* Checking if schemas already exist (`describe`)
	* Reading existing schema versions (`read`)
	* Registering new schema versions (`write`)

🤖 Prompt for AI Agents

In modules/manage/pages/schema-reg/schema-reg-authorization.adoc around lines
259 to 276, the rpk ACL example uses --registry-subject "orders-*" but omits the
--resource-pattern-type prefixed flag, so the wildcard will be treated
literally; update the example command to include --resource-pattern-type
prefixed so the ACL applies to subjects starting with "orders-" (i.e., add the
flag to the rpk security acl create invocation).

[Feediver1]

Suggested change

	The following operations are used to control access to Schema Registry resources:
	You can use the following operations to control access to Schema Registry resources:

[Feediver1]

Suggested change

	=== Understanding Schema Registry operations
	=== Operation definitions

[Feediver1]

Suggested change

	* **`read`**: Allows reading schemas and their content. Required for consuming messages that use Schema Registry, fetching specific schema versions, and reading schema content by ID.
	* **`read`**: Allows user to read schemas and their content. Required for consuming messages that use Schema Registry, fetching specific schema versions, and reading schema content by ID.

[Feediver1]

Suggested change

	* **`write`**: Allows registering new schemas and schema versions. Required for producing messages with new schemas and updating existing subjects with new schema versions.
	* **`write`**: Allows user to register new schemas and schema versions. Required for producing messages with new schemas and updating existing subjects with new schema versions.

[Feediver1]

Suggested change

	* **`delete`**: Allows deleting schema versions and subjects. Required for cleanup operations and removing deprecated schemas.
	* **`delete`**: Allows user to delete schema versions and subjects. Required for cleanup operations and removing deprecated schemas.

[Feediver1]

Suggested change

	* **`describe`**: Allows listing and describing Schema Registry resources. Required for discovering available subjects, listing schema versions, and viewing metadata.
	* **`describe`**: Allows user to list and describe Schema Registry resources. Required for discovering available subjects, listing schema versions, and viewing metadata.

[Feediver1]

Suggested change

	* **`describe_configs`**: Allows reading configuration settings. Required for viewing compatibility settings, reading modes (IMPORT/READWRITE), and checking global or per-subject configurations.
	* **`describe_configs`**: Allows user to read configuration settings. Required for viewing compatibility settings, reading modes (IMPORT/READWRITE), and checking global or per-subject configurations.

[Feediver1]

Suggested change

	* **`alter_configs`**: Allows modifying configuration settings. Required for changing compatibility levels, setting IMPORT mode for migrations, and updating global or per-subject configurations.
	* **`alter_configs`**: Allows user to modify configuration settings. Required for changing compatibility levels, setting IMPORT mode for migrations, and updating global or per-subject configurations.

[Feediver1]

Suggested change

	Applications that only consume messages with schemas need:
	Applications that only consume messages with schemas require:

[Feediver1]

Suggested change

	* Does NOT allow listing all subjects or modifying schemas
	* Does _not_ allow listing all subjects or modifying schemas

[Feediver1]

Suggested change

	Applications that produce messages with schemas need:
	Applications that produce messages with schemas require:

[Feediver1]

Suggested change

	Schema administrators who manage compatibility and cleanup need:
	Schema administrators who manage compatibility and cleanup require:

[Feediver1]

Suggested change

	This grants all operations including:
	This grants all operations, including:

[Feediver1]

Suggested change

	```bash
	rpk security acl create --allow-principal migrator-user --operation read,write,describe,alter_configs,describe_configs --registry-global
	```
	[,bash]
	----
	rpk security acl create --allow-principal migrator-user --operation read,write,describe,alter_configs,describe_configs --registry-global
	----