# Schema Registry Authorization


---
title: Schema Registry Authorization
latest-redpanda-tag: v25.2.1
latest-console-tag: v3.7.3
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "true"
page-is-past-eol: "false"
page-eol-date: July 31, 2026
latest-connect-version: 4.93.0
docname: schema-reg/schema-reg-authorization
page-component-name: streaming
page-version: "25.2"
page-component-version: "25.2"
page-component-title: Streaming
page-relative-src-path: schema-reg/schema-reg-authorization.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/25.2/modules/manage/pages/schema-reg/schema-reg-authorization.adoc
description: Learn how to set up and manage Schema Registry Authorization using ACL definitions that control user access to specific Schema Registry operations.
page-git-created-date: "2025-07-30"
page-git-modified-date: "2025-08-29"
support-status: nearing end-of-life
---

<!-- Source: https://docs.redpanda.com/streaming/25.2/manage/schema-reg/schema-reg-authorization.md -->

Schema Registry Authorization enables fine-grained restriction of operations to Schema Registry resources by user or role through access control lists (ACLs).

> 📝 **NOTE**
>
> This feature requires an [enterprise license](https://docs.redpanda.com/streaming/25.2/get-started/licensing/). To get a trial license key or extend your trial period, [generate a new trial license key](https://redpanda.com/try-enterprise). To purchase a license, contact [Redpanda Sales](https://redpanda.com/upgrade).
>
> If Redpanda has enterprise features enabled and it cannot find a valid license, [restrictions](https://docs.redpanda.com/streaming/25.2/get-started/licensing/#self-managed) apply.

## [](#about-schema-registry-authorization)About Schema Registry Authorization

Schema Registry Authorization allows you to control which users and applications can perform specific operations within the Redpanda Schema Registry. This ensures that only authorized entities can read, write, modify, delete, or configure schemas and their settings.

Before v25.2, Schema Registry supported authentication, but once a user was authenticated, they had full access to all Schema Registry operations, including reading, modifying, and deleting schemas and configuration both per-subject and globally.

Starting in v25.2, Schema Registry Authorization provides fine-grained access control through ACLs. You can now restrict access to specific subjects and operations.

### [](#how-to-manage-schema-registry-authorization)How to manage Schema Registry Authorization

You can manage Schema Registry Authorization in the following ways:

-   **rpk**: Use the [`rpk security acl create`](https://docs.redpanda.com/streaming/25.2/reference/rpk/rpk-security/rpk-security-acl-create/) command, just like you would for other Kafka ACLs.

-   **Schema Registry API**: Use the [Redpanda Schema Registry API](https://docs.redpanda.com/api/doc/schema-registry/operation/operation-get_security_acls) endpoints.

-   **Redpanda Console**: After enabling Schema Registry Authorization for your cluster, you can use Redpanda Console to manage Schema Registry ACLs. See [Configure Access Control Lists](https://docs.redpanda.com/streaming/25.2/manage/security/authorization/acl/).


### [](#schema-registry-acl-resource-types)Schema Registry ACL resource types

Schema Registry Authorization introduces two new ACL resource types in addition to the standard Kafka ACL resources (`topic`, `group`, `cluster`, and `transactional_id`):

-   `registry`: Controls access to the global (top-level) Schema Registry operations, such as the cluster-wide `/config` and `/mode` endpoints. A `registry` ACL has no resource name because it applies to the whole registry. Specify it with the `--registry-global` flag.

-   `subject`: Controls access to specific Schema Registry subjects, matched by subject name. Specify it with the `--registry-subject` flag.


## [](#supported-operations)Supported operations

Redpanda Schema Registry ACLs cover the following subset of Schema Registry endpoints. The Operation column is the ACL operation that each endpoint checks, and the Resource column is the resource type the ACL must be attached to; endpoints marked `none/open` require no ACL.

> 📝 **NOTE**
>
> Not all Kafka ACL operations apply to Schema Registry resources. Only the operations listed in the table below are checked for Schema Registry requests.

| Endpoint | HTTP method | Operation | Resource |
| --- | --- | --- | --- |
| /config | GET | describe_configs | registry |
| /config | PUT | alter_configs | registry |
| /config/{subject} | GET | describe_configs | subject |
| /config/{subject} | PUT | alter_configs | subject |
| /config/{subject} | DELETE | alter_configs | subject |
| /mode | GET | describe_configs | registry |
| /mode | PUT | alter_configs | registry |
| /mode/{subject} | GET | describe_configs | subject |
| /mode/{subject} | PUT | alter_configs | subject |
| /mode/{subject} | DELETE | alter_configs | subject |
| /schemas/types | GET | none/open | - |
| /schemas/ids/{id} | GET | read | subject |
| /schemas/ids/{id}/versions | GET | describe | registry |
| /schemas/ids/{id}/subjects | GET | describe | registry |
| /subjects | GET | describe | subject |
| /subjects/{subject} | POST | write | subject |
| /subjects/{subject} | DELETE | delete | subject |
| /subjects/{subject}/versions | GET | describe | subject |
| /subjects/{subject}/versions | POST | write | subject |
| /subjects/{subject}/versions/{version} | GET | read | subject |
| /subjects/{subject}/versions/{version} | DELETE | delete | subject |
| /subjects/{subject}/versions/{version}/schema | GET | read | subject |
| /subjects/{subject}/versions/{version}/referencedby | GET | describe | registry |
| /compatibility/subjects/{subject}/versions/{version} | POST | read | subject |
| /status/ready | GET | none/open | - |
| /security/acls | GET | describe | cluster |
| /security/acls | POST | alter | cluster |
| /security/acls | DELETE | alter | cluster |

For additional guidance on these operations, see the [Redpanda Schema Registry API](https://docs.redpanda.com/api/doc/schema-registry/operation/operation-get_security_acls).
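To reason about which ACL a request needs before touching a cluster, and to check a planned ACL set such as the ones created in the next section, the following added example (not code from Redpanda or rpk) encodes the mapping in the table above in Python and evaluates requests against ACL rows in the format `rpk security acl list` prints. The sample rows, the schema-id-to-subject mapping, and two behaviours the page does not state (operations match exactly with no implied operations, and a `DENY` row beats an `ALLOW` row as with Kafka ACLs) are assumptions of this example; confirm them against your cluster.

```python
"""Offline checker for Redpanda Schema Registry ACLs. Added example, not
Redpanda or rpk code: it encodes the endpoint -> (operation, resource)
mapping from the Supported operations table and evaluates a planned
request against ACL rows in the format `rpk security acl list` prints.
Assumptions the page does not state: operations match exactly (no
implied operations), a DENY row beats an ALLOW row, hosts are ignored."""
import re

# (HTTP method, path template, ACL operation, resource type); None = open.
ROUTES = [
    ("GET", "/config", "describe_configs", "registry"),
    ("PUT", "/config", "alter_configs", "registry"),
    ("GET", "/config/{subject}", "describe_configs", "subject"),
    ("PUT", "/config/{subject}", "alter_configs", "subject"),
    ("DELETE", "/config/{subject}", "alter_configs", "subject"),
    ("GET", "/mode", "describe_configs", "registry"),
    ("PUT", "/mode", "alter_configs", "registry"),
    ("GET", "/mode/{subject}", "describe_configs", "subject"),
    ("PUT", "/mode/{subject}", "alter_configs", "subject"),
    ("DELETE", "/mode/{subject}", "alter_configs", "subject"),
    ("GET", "/schemas/types", None, None),
    ("GET", "/schemas/ids/{id}", "read", "subject"),
    ("GET", "/schemas/ids/{id}/versions", "describe", "registry"),
    ("GET", "/schemas/ids/{id}/subjects", "describe", "registry"),
    ("GET", "/subjects", "describe", "subject"),
    ("POST", "/subjects/{subject}", "write", "subject"),
    ("DELETE", "/subjects/{subject}", "delete", "subject"),
    ("GET", "/subjects/{subject}/versions", "describe", "subject"),
    ("POST", "/subjects/{subject}/versions", "write", "subject"),
    ("GET", "/subjects/{subject}/versions/{version}", "read", "subject"),
    ("DELETE", "/subjects/{subject}/versions/{version}", "delete", "subject"),
    ("GET", "/subjects/{subject}/versions/{version}/schema", "read", "subject"),
    ("GET", "/subjects/{subject}/versions/{version}/referencedby", "describe", "registry"),
    ("POST", "/compatibility/subjects/{subject}/versions/{version}", "read", "subject"),
    ("GET", "/status/ready", None, None),
    ("GET", "/security/acls", "describe", "cluster"),
    ("POST", "/security/acls", "alter", "cluster"),
    ("DELETE", "/security/acls", "alter", "cluster"),
]
# "/subjects/{subject}/versions/{version}" -> anchored regex with named groups.
_COMPILED = [(m, re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", t) + "$"), op, r)
             for m, t, op, r in ROUTES]

def required_acl(method, path, id_to_subject=None):
    """(operation, resource_type, resource_name) the request is checked against, or
    None for an open endpoint. Name is None for registry, cluster and /subjects."""
    for m, rx, op, rtype in _COMPILED:
        match = rx.match(path)
        if m != method.upper() or not match:
            continue
        if op is None:
            return None
        name = match.groupdict().get("subject") if rtype == "subject" else None
        if rtype == "subject" and "id" in match.groupdict():
            # GET /schemas/ids/{id} is checked against the subject that owns the
            # id, so the caller supplies that mapping (constructed in the test).
            name = (id_to_subject or {}).get(int(match.group("id")))
            if name is None:
                raise ValueError(f"resolve schema id {match.group('id')} to its subject first")
        return op, rtype, name
    raise ValueError(f"{method} {path} is not in the supported-operations table")

# One row of rpk ACL output; RESOURCE-NAME is empty for registry and cluster rows.
_ROW = re.compile(r"^(?P<principal>\S+)\s+(?P<host>\S+)\s+(?P<rtype>\S+)\s+(?P<rname>\S*?)\s*"
                  r"(?P<pattern>LITERAL|PREFIXED)\s+(?P<op>\S+)\s+(?P<perm>ALLOW|DENY)\b")

def parse_acl_table(text):
    """Parse rpk-style ACL rows; the header and non-matching lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := _ROW.match(line.strip()))]

def _name_matches(acl, name):
    if name is None:                    # nameless resource or listing: any row counts
        return True
    if acl["pattern"] == "PREFIXED":
        return name.startswith(acl["rname"])
    return acl["rname"] in ("*", name)  # LITERAL, plus Kafka's "*" wildcard

def is_authorized(acls, principal, method, path, id_to_subject=None):
    """True if the ACL set lets `principal` perform the request."""
    need = required_acl(method, path, id_to_subject)
    if need is None:
        return True
    op, rtype, name = need
    hits = [a for a in acls if a["principal"] == principal
            and a["rtype"].lower() == rtype
            and a["op"].lower() in (op, "all")
            and _name_matches(a, name)]
    if any(a["perm"] == "DENY" for a in hits):  # assumption: deny wins, as in Kafka
        return False
    return any(a["perm"] == "ALLOW" for a in hits)

# Constructed sample rows in the format rpk prints (not from a real cluster).
SAMPLE_ACLS = parse_acl_table("""
PRINCIPAL   HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION         PERMISSION
User:panda  *     SUBJECT        bar-value      LITERAL                READ              ALLOW
User:panda  *     SUBJECT        bar-value      LITERAL                DESCRIBE          ALLOW
User:panda  *     TOPIC          bar            LITERAL                READ              ALLOW
User:jane   *     REGISTRY                      LITERAL                DESCRIBE_CONFIGS  ALLOW
User:jane   *     SUBJECT        private-       PREFIXED               WRITE             ALLOW
User:jane   *     SUBJECT        private-key    LITERAL                WRITE             DENY
""")
```

Paste the output of `rpk security acl list` into `parse_acl_table` and call `is_authorized` for each request a principal is expected to make; a `False` for an expected request, or a `True` for one that should be refused, points at a missing or over-broad row before it reaches production. The `/schemas/ids/{id}` lookup is the one case where the required subject is not visible in the URL, which is why that call takes an id-to-subject mapping.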

## [](#enable-schema-registry-authorization)Enable Schema Registry Authorization

### [](#prerequisites)Prerequisites

Before you can enable Schema Registry Authorization, you must have:

-   A valid Redpanda Enterprise license.

-   `rpk` v25.2+ installed. For installation instructions, see [rpk installation](https://docs.redpanda.com/streaming/25.2/get-started/rpk-install/).

-   Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See [Schema Registry broker properties](https://docs.redpanda.com/streaming/25.2/reference/properties/broker-properties/#schema-registry).

-   If you have listeners configured for Schema Registry, ensure you [configure authentication](https://docs.redpanda.com/streaming/25.2/manage/security/authentication/#basic-authentication) for them and that your configuration points to the correct Schema Registry address (correct scheme, host, and port) for the same cluster you are targeting with your Kafka brokers.

-   Cluster administrator permissions to modify cluster configuration, plus an `alter` ACL on the `cluster` resource for every principal that will manage Schema Registry ACLs: the `/security/acls` endpoints check `alter` on `cluster` (see [Supported operations](#supported-operations)). For example, to let the principal `schema_registry_admin` manage Schema Registry ACLs, run:

    ```bash
    rpk security acl create --allow-principal schema_registry_admin --cluster --operation alter
    ```


### [](#enable-authorization)Enable authorization

To enable Schema Registry Authorization for your cluster, run:

```bash
rpk cluster config set schema_registry_enable_authorization true
```

For details, see [`schema_registry_enable_authorization`](https://docs.redpanda.com/streaming/25.2/reference/properties/cluster-properties/#schema_registry_enable_authorization).

## [](#create-and-manage-schema-registry-acls)Create and manage Schema Registry ACLs

This section shows you how to create and manage ACLs for Schema Registry resources.

### [](#create-an-acl-for-a-topic-and-schema-registry-subject)Create an ACL for a topic and Schema Registry subject

This example creates an ACL that allows the principal `panda` to read from both the topic `bar` and the Schema Registry subject `bar-value`. This pattern is common when you want to give a user or application access to both the Kafka topic and its associated schema.

```bash
rpk security acl create --allow-principal panda --operation read --topic bar --registry-subject bar-value

PRINCIPAL   HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:panda  *     SUBJECT        bar-value      LITERAL                READ       ALLOW
User:panda  *     TOPIC          bar            LITERAL                READ       ALLOW
```

### [](#create-an-acl-for-global-schema-registry-access)Create an ACL for global Schema Registry access

This example grants the user `jane` global read and write access to the Schema Registry, plus read and write access to the topic `private`. The `--registry-global` flag targets the `registry` resource, which covers the [global Schema Registry operations](#supported-operations). Grant only the operations a principal needs: the table lists which ACL operation each endpoint checks, so a principal that must change global compatibility or mode settings (`PUT /config`, `PUT /mode`) needs `alter_configs` on the `registry` resource, and one that only reads them needs `describe_configs`.

```bash
rpk security acl create --allow-principal jane --operation read,write --topic private --registry-global
PRINCIPAL  HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:jane  *     REGISTRY                      LITERAL                READ       ALLOW
User:jane  *     REGISTRY                      LITERAL                WRITE      ALLOW
User:jane  *     TOPIC          private        LITERAL                READ       ALLOW
User:jane  *     TOPIC          private        LITERAL                WRITE      ALLOW
```

User `jane` now has global `read` and `write` access to the Schema Registry and to the topic `private`.

### [](#create-a-role-with-schema-registry-acls)Create a role with Schema Registry ACLs

You can combine Schema Registry ACLs with [role-based access control (RBAC)](https://docs.redpanda.com/streaming/25.2/manage/security/authorization/rbac/) to create reusable roles. This approach simplifies permission management when you need to assign the same set of permissions to multiple users.

This example creates a role called `SoftwareEng` and assigns it ACLs for both topic and Schema Registry access:

> 📝 **NOTE**
>
> Redpanda recommends using the topic naming strategy for Schema Registry subjects, where subjects follow the pattern `<topicName>-key` or `<topicName>-value`. For details, see [Set subject name strategy per topic](https://docs.redpanda.com/streaming/25.2/manage/schema-reg/schema-id-validation/#set-subject-name-strategy-per-topic).

```bash
# Create the role
rpk security role create SoftwareEng

# Create ACLs for the role
rpk security acl create \
  --operation read,write \
  --topic private \
  --registry-subject private-key,private-value \
  --allow-role SoftwareEng

# You can add more ACLs to this role later
rpk security acl create --allow-role "SoftwareEng" [additional-acl-flags]
```

After creating the role, assign it to users:

```bash
rpk security role assign SoftwareEng --principal User:john,User:jane
Successfully assigned role "SoftwareEng" to
NAME  PRINCIPAL-TYPE
john  User
jane  User
```

### [](#troubleshooting-acl-creation)Troubleshooting ACL creation

When creating ACLs that include Schema Registry subjects, you might encounter errors if the subject doesn’t exist or if there are configuration issues.

#### [](#subject-not-found)Subject not found

Sometimes an ACL for a Kafka topic is created successfully, but the Schema Registry subject ACL fails:

```bash
rpk security acl create --allow-principal alice --operation read --topic bar --registry-subject bar-value

PRINCIPAL   HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:alice  *     SUBJECT        bar-value      LITERAL                READ       ALLOW       Not found
User:alice  *     TOPIC          bar            LITERAL                READ       ALLOW
```

In this example, the ACL for topic `bar` was created successfully, but the ACL for Schema Registry subject `bar-value` failed with a "Not found" error.

**Common causes:**

-   The `rpk` Schema Registry address (scheme, host, or port) points at the wrong endpoint

-   The cluster runs a Redpanda version earlier than v25.2, where the `/security/acls` endpoint does not exist

-   `schema_registry_enable_authorization` is not set to `true` on the cluster


#### [](#debugging-with-verbose-output)Debugging with verbose output

To get more detailed information about ACL creation failures, add the `-v` flag for verbose logging.

Here the user gets the same `Not found` error after attempting to create two ACLs, one for the subject and one for the topic:

```bash
rpk security acl create --allow-principal alice --operation read --topic bar --registry-subject bar-value -v
12:17:33.911 DEBUG opening connection to broker {"addr": "127.0.0.1:9092", "broker": "seed_0"}
12:17:33.912 DEBUG connection opened to broker {"addr": "127.0.0.1:9092", "broker": "seed_0"}
12:17:33.912 DEBUG issuing api versions request {"broker": "seed_0", "version": 4}
12:17:33.912 DEBUG wrote ApiVersions v4 {"broker": "seed_0", "bytes_written": 31, "write_wait": "13.416µs", "time_to_write": "17.75µs", "err": null}
12:17:33.912 DEBUG read ApiVersions v4 {"broker": "seed_0", "bytes_read": 266, "read_wait": "16.209µs", "time_to_read": "8.360666ms", "err": null}
12:17:33.920 DEBUG connection initialized successfully {"addr": "127.0.0.1:9092", "broker": "seed_0"}
12:17:33.920 DEBUG wrote CreateACLs v2 {"broker": "seed_0", "bytes_written": 43, "write_wait": "9.0985ms", "time_to_write": "14µs", "err": null}
12:17:33.935 DEBUG read CreateACLs v2 {"broker": "seed_0", "bytes_read": 19, "read_wait": "23.792µs", "time_to_read": "14.323041ms", "err": null}
12:17:33.935 DEBUG sending request {"method": "POST", "URL": "http://127.0.0.1:8081/security/acls", "has_bearer": false, "has_basic_auth": false}
PRINCIPAL   HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:alice  *     SUBJECT        bar-value      LITERAL                READ       ALLOW       Not found
User:alice  *     TOPIC          bar            LITERAL                READ       ALLOW
```

The `Not found` error comes from the HTTP request in the line `12:17:33.935 DEBUG sending request {"method": "POST", "URL": "http://127.0.0.1:8081/security/acls", "has_bearer": false, "has_basic_auth": false}`: the Kafka `CreateACLs` request for the topic succeeded, but the `POST` to `/security/acls` reached nothing that serves that endpoint. This typically means the endpoint is unavailable. Verify that:

-   You're on Redpanda v25.2+.

-   `schema_registry_enable_authorization` is set to `true`.

-   Your rpk Schema Registry URL points to the correct host, scheme, and port.

Upgrade if needed and correct the configuration before retrying. The same log line also shows `"has_bearer": false, "has_basic_auth": false`, that is, rpk sent no credentials to the Schema Registry; because authentication on the Schema Registry API is a prerequisite for authorization, make sure rpk is configured with credentials for the Schema Registry as well as for the Kafka API.

#### [](#inconsistent-listener-configuration)Inconsistent listener configuration

In this example, `rpk` reaches the Kafka brokers but the `POST` to the Schema Registry fails:

```bash
rpk security acl create --allow-principal "superuser" --operation "all" --registry-global -v
13:07:02.810  DEBUG  opening connection to broker  {"addr": "seed-036d6a67.d2hiu9c8ljef72usuu20.fmc.prd.cloud.redpanda.com:9092", "broker": "seed_0"}
...
13:07:03.304  DEBUG  sending request  {"method": "POST", "URL": "https://127.0.0.1:8080/security/acls", "has_bearer": false, "has_basic_auth": true}
PRINCIPAL       HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:superuser  *     REGISTRY                      LITERAL                ALL        ALLOW       unable to POST "https://127.0.0.1:8080/security/acls": Post "https://127.0.0.1:8080/security/acls": http: server gave HTTP response to HTTPS client
```

When using Schema Registry Authorization, ensure that your Kafka brokers and Schema Registry address target the same cluster and that the Schema Registry address uses the correct scheme, host, and port. In the example above, `rpk` talks to a remote broker (`…:9092`) but posts to a local Schema Registry address over HTTPS (`https://127.0.0.1:8080/security/acls`), and the error `http: server gave HTTP response to HTTPS client` shows that whatever is listening there speaks plain HTTP. To align them:

-   Set the correct Schema Registry address (scheme and host) for the target cluster, and check the port as well (this example uses 8080, while the other examples on this page use 8081).

-   Ensure TLS settings match the Schema Registry endpoint (HTTP vs HTTPS).

-   Avoid mixing remote broker addresses with a local Schema Registry address unless it is intentional and properly configured.

See [rpk registry](https://docs.redpanda.com/streaming/25.2/reference/rpk/rpk-registry/rpk-registry/) for Schema Registry configuration commands.
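To make the checks in this section repeatable, here is an added example (not part of rpk or the Redpanda docs) that reads the verbose output of a failed `rpk security acl create -v` run and reports which of the causes described above applies. The two sample outputs are constructed from the examples on this page with a placeholder broker hostname; the finding codes and the wording of the hints are this example's own.

```python
"""Classify failures in `rpk security acl create -v` output. Added example,
not part of rpk: it pulls the broker address and the Schema Registry request
out of the verbose log, reads the ERROR column of the result table, and maps
what it finds to the causes described in the troubleshooting section."""
import re
from urllib.parse import urlparse

_BROKER = re.compile(r'opening connection to broker\s+\{"addr":\s*"([^"]+)"')
# Tolerates the `"URL: "` variant (missing quote) seen in some rpk log lines.
_REQUEST = re.compile(r'sending request\s+\{"method":\s*"(\w+)",\s*"URL"?:\s*"([^"]+)"')
# Text after the PERMISSION column on a result row, i.e. the ERROR column.
_ERROR = re.compile(r"\b(?:ALLOW|DENY)[ \t]+(\S.*)$", re.MULTILINE)

def _is_local(host):
    return host in ("localhost", "::1") or str(host).startswith("127.")

def diagnose(output):
    """Return a list of (code, detail) findings for one rpk -v invocation."""
    findings = []
    requests = _REQUEST.findall(output)
    if not requests:
        return [("NO_SR_REQUEST", "rpk never sent a request to the Schema Registry")]
    method, url = requests[-1]
    u = urlparse(url)
    errors = " | ".join(_ERROR.findall(output))
    brokers = _BROKER.findall(output)
    if brokers:
        broker_host = brokers[0].rsplit(":", 1)[0]
        if _is_local(u.hostname) and not _is_local(broker_host):
            findings.append(("LOCAL_SR_REMOTE_BROKER",
                f"brokers are {brokers[0]} but the Schema Registry URL is {url}; "
                "set the Schema Registry address for the same cluster"))
    if "server gave HTTP response to HTTPS client" in errors:
        findings.append(("SCHEME_MISMATCH",
            f"{url} uses https but the listener answered plain HTTP; "
            "use http:// or enable TLS on the Schema Registry listener"))
    if "Not found" in errors:
        findings.append(("ENDPOINT_NOT_FOUND",
            f"{method} {u.path} on {u.netloc} was not found: check Redpanda is v25.2+, "
            "schema_registry_enable_authorization is true, and scheme/host/port are right"))
    has_basic = '"has_basic_auth": true' in output
    has_bearer = '"has_bearer": true' in output
    if not (has_basic or has_bearer):
        findings.append(("NO_CREDENTIALS",
            "the request carried no basic or bearer credentials; the Schema Registry "
            "API must be authenticated before authorization can be enabled"))
    elif has_basic and u.scheme == "http":
        findings.append(("CLEARTEXT_BASIC_AUTH",
            f"basic credentials were sent over plain HTTP to {u.netloc}; use a TLS listener"))
    return findings

# Constructed from the examples on this page; broker hostname is a placeholder.
NOT_FOUND_OUTPUT = """\
12:17:33.911 DEBUG opening connection to broker {"addr": "127.0.0.1:9092", "broker": "seed_0"}
12:17:33.935 DEBUG read CreateACLs v2 {"broker": "seed_0", "bytes_read": 19, "err": null}
12:17:33.935 DEBUG sending request {"method": "POST", "URL": "http://127.0.0.1:8081/security/acls", "has_bearer": false, "has_basic_auth": false}
PRINCIPAL   HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:alice  *     SUBJECT        bar-value      LITERAL                READ       ALLOW       Not found
User:alice  *     TOPIC          bar            LITERAL                READ       ALLOW
"""

SCHEME_OUTPUT = """\
13:07:02.810  DEBUG  opening connection to broker  {"addr": "seed-0.cluster.example.com:9092", "broker": "seed_0"}
13:07:03.304  DEBUG  sending request  {"method": "POST", "URL": "https://127.0.0.1:8080/security/acls", "has_bearer": false, "has_basic_auth": true}
PRINCIPAL       HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:superuser  *     REGISTRY                      LITERAL                ALL        ALLOW       unable to POST "https://127.0.0.1:8080/security/acls": Post "https://127.0.0.1:8080/security/acls": http: server gave HTTP response to HTTPS client
"""

if __name__ == "__main__":
    for label, out in (("not-found", NOT_FOUND_OUTPUT), ("scheme", SCHEME_OUTPUT)):
        for code, detail in diagnose(out):
            print(f"{label}: {code}: {detail}")
```

Pipe a real run into it with `rpk security acl create ... -v 2>&1 | python3 diagnose.py` after replacing the `__main__` block with `sys.stdin.read()`. The `CLEARTEXT_BASIC_AUTH` finding is the one to act on even when the command succeeds: a working `http://` Schema Registry address combined with basic auth means the credentials cross the network unencrypted.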

#### [](#resource-names-do-not-appear)Resource names do not appear

The following output might suggest that resource names are missing for the `REGISTRY` rows:

```bash
rpk security acl create --allow-principal jane --operation read,write --topic private --registry-global
PRINCIPAL  HOST  RESOURCE-TYPE  RESOURCE-NAME  RESOURCE-PATTERN-TYPE  OPERATION  PERMISSION  ERROR
User:jane  *     REGISTRY                      LITERAL                READ       ALLOW
User:jane  *     REGISTRY                      LITERAL                WRITE      ALLOW
User:jane  *     TOPIC          private        LITERAL                READ       ALLOW
User:jane  *     TOPIC          private        LITERAL                WRITE      ALLOW
```

When using the `--registry-global` option, be aware that `REGISTRY` resource types are global and apply to all of Schema Registry. They do not have a resource name because they are not tied to a specific resource. There are no resource names missing here.

## [](#suggested-reading)Suggested reading

-   [Redpanda Schema Registry](https://docs.redpanda.com/streaming/25.2/manage/schema-reg/schema-reg-overview/)

-   [rpk registry](https://docs.redpanda.com/streaming/25.2/reference/rpk/rpk-registry/rpk-registry/)

-   [Schema Registry API](https://docs.redpanda.com/api/doc/schema-registry/)

-   [Broker Configuration Properties](https://docs.redpanda.com/streaming/25.2/reference/properties/broker-properties/) (search for `schema_registry`)

-   [Monitor Schema Registry service-level metrics](https://docs.redpanda.com/streaming/25.2/manage/monitoring/#service-level-queries)

-   [Configure broker properties for Schema Registry](https://docs.redpanda.com/streaming/25.2/manage/cluster-maintenance/node-property-configuration/)

-   [Deserialization](https://docs.redpanda.com/streaming/25.2/console/config/deserialization/#schema-registry)