# Manage Schema Registry ACLs with the Redpanda Operator > For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [streaming-full.txt](https://docs.redpanda.com/streaming-full.txt) --- title: Manage Schema Registry ACLs with the Redpanda Operator latest-redpanda-tag: v26.1.9 latest-console-tag: v3.7.3 latest-operator-version: v26.1.4 # EOL = End-of-Life (support lifecycle status) page-is-nearing-eol: "false" page-is-past-eol: "false" page-eol-date: March 31, 2027 latest-connect-version: 4.93.0 docname: kubernetes/security/authentication/k-schema-registry-acls page-component-name: streaming page-version: "26.1" page-component-version: "26.1" page-component-title: Streaming page-relative-src-path: kubernetes/security/authentication/k-schema-registry-acls.adoc page-edit-url: https://github.com/redpanda-data/docs/edit/main/modules/manage/pages/kubernetes/security/authentication/k-schema-registry-acls.adoc description: Manage Schema Registry ACLs declaratively in Kubernetes using User, RedpandaRole, and Group custom resources with the Redpanda Operator. page-topic-type: how-to personas: platform_operator page-git-created-date: "2026-03-31" page-git-modified-date: "2026-04-13" support-status: supported --- With the Redpanda Operator, you can declaratively manage Schema Registry ACLs alongside standard Kafka ACLs using the existing [User](https://docs.redpanda.com/streaming/current/reference/k-crd/#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user), [RedpandaRole](https://docs.redpanda.com/streaming/current/reference/k-crd/#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role), and Group custom resources. This allows you to control which users and roles perform specific operations within Schema Registry. For Schema Registry Authorization concepts and the available operations, see [Schema Registry Authorization](https://docs.redpanda.com/streaming/current/manage/schema-reg/schema-reg-authorization/). ## [](#prerequisites)Prerequisites You must have the following: - **kubectl**: The [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) command-line tool, installed and configured to communicate with your cluster. - **Redpanda Operator v25.3 or later**: See [Deploy Redpanda for Production in Kubernetes](https://docs.redpanda.com/streaming/current/deploy/redpanda/kubernetes/k-production-deployment/). - **Redpanda cluster with SASL enabled**: See [Enable SASL authentication](https://docs.redpanda.com/streaming/current/manage/kubernetes/security/authentication/k-authentication/#enable). - **Schema Registry Authorization enabled**: See [Enable Schema Registry Authorization](https://docs.redpanda.com/streaming/current/manage/schema-reg/schema-reg-authorization/#enable-schema-registry-authorization). ## [](#schema-registry-acl-resource-types)Schema Registry ACL resource types The Redpanda Operator supports two Schema Registry ACL resource types in addition to the standard Kafka ACL resource types (`topic`, `group`, `cluster`, `transactionalId`): - `subject`: Controls ACL access for specific Schema Registry subjects. Specify the subject name in `resource.name`. Supports both `literal` and `prefixed` pattern types. - `registry`: Controls access to global Schema Registry operations. The `registry` resource type does not require a `name` because it applies to all global registry operations. For a full list of supported operations by resource type, see [Supported operations](https://docs.redpanda.com/streaming/current/manage/schema-reg/schema-reg-authorization/#supported-operations). ## [](#define-schema-registry-acls-in-a-user-resource)Define Schema Registry ACLs in a User resource The [User resource](https://docs.redpanda.com/streaming/current/manage/kubernetes/security/authentication/k-user-controller/) supports Schema Registry ACLs alongside standard Kafka ACLs. `user-with-sr-acls.yaml` ```yaml --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User metadata: name: travis spec: cluster: clusterRef: name: sasl authentication: type: scram-sha-512 password: valueFrom: secretKeyRef: name: travis-password key: password authorization: acls: - type: allow resource: type: topic name: some-topic patternType: prefixed operations: [Read] - type: allow resource: type: subject name: some-topic patternType: prefixed operations: [Read] ``` In this example, the User resource creates ACLs for an existing user called `travis` in the cluster called `sasl`. The first ACL rule grants read access to all topics whose names start with `some-topic` using a `prefixed` pattern type. The second ACL rule grants read access to Schema Registry subjects matching the same prefix. When both Kafka and Schema Registry ACLs are defined in the same User resource, the operator syncs them independently. Kafka ACLs are applied through the Kafka API and Schema Registry ACLs are applied through the Schema Registry API. ## [](#define-schema-registry-acls-in-a-redpandarole-resource)Define Schema Registry ACLs in a RedpandaRole resource The [RedpandaRole resource](https://docs.redpanda.com/streaming/current/manage/kubernetes/security/authorization/k-role-controller/) groups Schema Registry ACLs into reusable permission sets for multiple users. `role-with-sr-acls.yaml` ```yaml --- apiVersion: cluster.redpanda.com/v1alpha2 kind: RedpandaRole metadata: name: read-only-role spec: cluster: clusterRef: name: sasl principals: - User:charlie authorization: acls: - type: allow resource: type: topic name: public- patternType: prefixed operations: [Read, Describe] - type: allow resource: type: subject name: public- patternType: prefixed operations: [Read, Describe] ``` In this example, a RedpandaRole called `read-only-role` is created in the cluster called `sasl`. The user `charlie` is assigned as a principal. The authorization rules grant `Read` and `Describe` access to all topics with names starting with `public-` using a `prefixed` pattern type, and the same `Read` and `Describe` access to Schema Registry subjects matching the same prefix. ## [](#define-schema-registry-acls-in-a-group-resource)Define Schema Registry ACLs in a Group resource The Group resource supports Schema Registry ACLs for OIDC groups. In this example, ACLs are created for an OIDC group called `engineering` in the cluster called `sasl`. The authorization rules grant `Read` and `Describe` access to all topics with names starting with `team-` using a `prefixed` pattern type, and the same `Read` and `Describe` access to Schema Registry subjects matching the same prefix. `group-with-sr-acls.yaml` ```yaml # In this example manifest, ACLs are created for an OIDC group called "engineering" # in a cluster called "sasl". The group is granted read access to topics matching "team-" # and read access to Schema Registry subjects matching "team-". --- apiVersion: cluster.redpanda.com/v1alpha2 kind: Group metadata: name: engineering spec: cluster: clusterRef: name: sasl authorization: acls: - type: allow resource: type: topic name: team- patternType: prefixed operations: [Read, Describe] - type: allow resource: type: subject name: team- patternType: prefixed operations: [Read, Describe] ``` ## [](#common-use-cases)Common use cases The following examples show common patterns for configuring Schema Registry ACLs using the User resource. ### [](#grant-a-user-read-access-to-a-subject)Grant a user read access to a subject This example gives a consumer application read access to the `orders` topic and its associated Schema Registry subject `orders-value`. Both ACLs use a `literal` pattern type to match exact resource names. `consumer-app.yaml` ```yaml --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User metadata: name: consumer-app spec: cluster: clusterRef: name: redpanda authorization: acls: - type: allow resource: type: topic name: orders patternType: literal operations: [Read] - type: allow resource: type: subject name: orders-value patternType: literal operations: [Read] ``` ### [](#grant-a-producer-write-access-using-prefix-patterns)Grant a producer write access using prefix patterns This example creates a user called `producer-app` with both authentication credentials and authorization rules. The ACLs grant `Write` and `Describe` access to all topics and Schema Registry subjects whose names start with `events-` using a `prefixed` pattern type. This allows the producer to register new schema versions for any subject matching the prefix. `producer-app.yaml` ```yaml --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User metadata: name: producer-app spec: cluster: clusterRef: name: redpanda authentication: type: scram-sha-512 password: valueFrom: secretKeyRef: name: producer-app-secret key: password authorization: acls: - type: allow resource: type: topic name: events- patternType: prefixed operations: [Write, Describe] - type: allow resource: type: subject name: events- patternType: prefixed operations: [Write, Describe] ``` ### [](#grant-global-schema-registry-access)Grant global Schema Registry access This example gives a schema administrator full access to all Schema Registry operations. The first ACL rule uses the `registry` resource type, which applies to global operations such as getting or setting the global compatibility level. The `registry` resource type does not require a `name` field. The second ACL rule uses a `subject` resource type with an empty name and `prefixed` pattern type to match all subjects. `schema-admin.yaml` ```yaml --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User metadata: name: schema-admin spec: cluster: clusterRef: name: redpanda authorization: acls: - type: allow resource: type: registry operations: [Read, Write, Delete, Describe, DescribeConfigs, AlterConfigs] - type: allow resource: type: subject name: "" patternType: prefixed operations: [Read, Write, Delete, Describe, DescribeConfigs, AlterConfigs] ``` ## [](#partial-sync-behavior)Partial sync behavior When a resource includes both Kafka and Schema Registry ACLs, the operator syncs them independently. If the Kafka ACLs sync successfully but the Schema Registry ACLs fail (for example, if Schema Registry Authorization is not enabled), the resource enters a `PartiallySynced` state. Check the resource status conditions for details: ```bash kubectl get user -o jsonpath='{.status.conditions}' --namespace ``` ## [](#deploy-and-verify)Deploy and verify To deploy a resource with Schema Registry ACLs, apply the manifest to the same namespace as your Redpanda cluster: ```bash kubectl apply -f .yaml --namespace ``` After deploying, verify that the Redpanda Operator reconciled the resource: ```bash kubectl logs -l app.kubernetes.io/name=operator -c manager --namespace ``` ## [](#next-steps)Next steps - [Schema Registry Authorization](https://docs.redpanda.com/streaming/current/manage/schema-reg/schema-reg-authorization/) - [Manage Users and ACLs with the Redpanda Operator](https://docs.redpanda.com/streaming/current/manage/kubernetes/security/authentication/k-user-controller/) - [Manage Roles with the Redpanda Operator](https://docs.redpanda.com/streaming/current/manage/kubernetes/security/authorization/k-role-controller/) - [ACLResourceSpec](https://docs.redpanda.com/streaming/current/reference/k-crd/#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec) - [Configure Access Control Lists](https://docs.redpanda.com/streaming/current/manage/security/authorization/acl/) ## Suggested labs - [Enable Unified Identity with Azure Entra ID for Redpanda and Redpanda Console](https://docs.redpanda.com/labs/docker-compose/oidc/) - [Migrate Data with Redpanda Migrator](https://docs.redpanda.com/labs/docker-compose/redpanda-migrator/) [Search all labs](https://docs.redpanda.com/labs)