Authorization in Schema Registry
Get started with Schema Registry authorization: learn how to enable authorization, configure admin and read-only users, and choose which JWT (JSON Web Token) claim the server uses for principal mapping.
Schema Registry includes a built-in basic authorizer that enforces access using OAuth and JWTs. The authorizer defines two user types: admin (full privileges) and read-only (read access only). By default Schema Registry uses the sub JWT claim as the principal. The server reads the configured principal claim from each token and compares its exact string value to the entries in authorization.simple.adminUsers and authorization.simple.readOnlyUsers, so the claim value must match a configured entry exactly, character for character.
- If the principal is in adminUsers, all access is granted.
- Else if the principal is in readOnlyUsers, read access is granted.
- Else access is denied.
Requirements
- OAuth authentication must be enabled. See Authentication in Schema Registry.
Configuring authorization and users
Configure authorization and authorized users using authorization.simple.* properties. Set authorization.simple.enabled to true and provide lists for authorization.simple.adminUsers and authorization.simple.readOnlyUsers.
#...
authorization:
  simple:
    enabled: true
    adminUsers:
      - "1234567890"   # quoted so YAML keeps the id as a string for the exact match
    readOnlyUsers:
      - "0987654321"
- authorization.simple.enabled – Enables or disables authorization.
- authorization.simple.adminUsers – A list of admin usernames. Admin users can perform any operation in Schema Registry.
- authorization.simple.readOnlyUsers – A list of read-only usernames. Read-only users can only perform read operations in Schema Registry.
Configuring principal mapping
Configure the principal claim used for authorization with authentication.oauth.jwt.principalClaimName. By default Schema Registry uses the sub JWT claim as the principal. The default sub claim often contains an opaque identifier (a numeric id or UUID). If your principals are provided in a different claim, set authentication.oauth.jwt.principalClaimName to that claim (for example, email or preferred_username) and ensure those claim values appear exactly in authorization.simple.adminUsers or authorization.simple.readOnlyUsers.
#...
authentication:
  oauth:
    jwt:
      principalClaimName: email
authorization:
  simple:
    enabled: true
    adminUsers:
      - alice@example.com
    readOnlyUsers:
      - bob@example.com
- authentication.oauth.jwt.principalClaimName – JWT claim name used to identify the principal. Default: sub.
- authorization.simple.adminUsers – A list of admin usernames. Admin users can perform any operation in Schema Registry.
- authorization.simple.readOnlyUsers – A list of read-only usernames. Read-only users can only perform read operations in Schema Registry.
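The following is an added example, not code from Schema Registry itself: a small model of the decision rules above (admin, then read-only, then deny) combined with principal mapping, so you can check a configuration against sample token claims before deploying it. The config dicts mirror the two YAML snippets on this page, the claim payloads are constructed, and the read/write operation names are an assumption of the model.

```python
# Added example: models the simple authorizer as this page describes it.
# Assumes authorization.simple.enabled is true; "read"/"write" are the
# model's own operation names, not a Schema Registry API.

def principal_from_claims(claims, config):
    """Return the principal from the configured claim (default: sub), or None."""
    jwt_cfg = config.get("authentication", {}).get("oauth", {}).get("jwt", {})
    claim_name = jwt_cfg.get("principalClaimName", "sub")
    value = claims.get(claim_name)
    return None if value is None else str(value)


def role_for(claims, config):
    """Map a token's claims to 'admin', 'read-only' or 'denied'."""
    simple = config["authorization"]["simple"]
    # str() guards against unquoted numeric YAML ids parsing as integers;
    # the comparison itself stays an exact, case-sensitive string match.
    admins = {str(u) for u in simple.get("adminUsers", [])}
    readers = {str(u) for u in simple.get("readOnlyUsers", [])}
    principal = principal_from_claims(claims, config)
    if principal is None:          # configured claim missing from the token
        return "denied"
    if principal in admins:
        return "admin"
    if principal in readers:
        return "read-only"
    return "denied"


def is_allowed(claims, config, operation):
    """True if the token may perform operation ('read' or 'write')."""
    role = role_for(claims, config)
    if role == "admin":
        return True
    if role == "read-only":
        return operation == "read"
    return False


# Mirrors the first YAML snippet on this page (sub is the principal claim).
SUB_CONFIG = {"authorization": {"simple": {
    "enabled": True, "adminUsers": ["1234567890"], "readOnlyUsers": ["0987654321"]}}}
# Mirrors the second snippet (email is the principal claim).
EMAIL_CONFIG = {
    "authentication": {"oauth": {"jwt": {"principalClaimName": "email"}}},
    "authorization": {"simple": {
        "enabled": True, "adminUsers": ["alice@example.com"],
        "readOnlyUsers": ["bob@example.com"]}}}
# Constructed sample claim sets (decoded JWT payloads, not real tokens).
ALICE = {"sub": "1234567890", "email": "alice@example.com"}
BOB = {"sub": "0987654321", "email": "bob@example.com"}
CAROL = {"sub": "5555555555", "email": "Alice@example.com"}  # case differs
```

Running role_for on CAROL with EMAIL_CONFIG returns "denied": the capitalised address is not the configured string, which is exactly the kind of mismatch to catch before enabling authorization.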
