DOC-1550 Unresolved Schema Registry AuthZ issues

[Feediver1]

Description

SMEs: Let's make sure all the content rendering in RP Cloud docs is accurate and complete. thx.

1. Is this feature enabled by default in Cloud or Self-Managed? Both docs show that it is not.
2. If a user must explicitly enable in Cloud, what is the method? rpk? Cloud API? I know the UI is coming, but today, how do Cloud users interface with this feature? Right now, the Cloud content tells users to use rpk to enable and manage SR AuthZ. There is also API content here--should this be the sole method available to Cloud users?

Resolves https://redpandadata.atlassian.net/browse/DOC-1550
Review deadline:

Page previews

Schema Registry Authorization Self-Managed

Schema Registry Authorization RP Cloud

In Cloud docs: schema_registry_enable_authorization

In Self-Managed: schema_registry_enable_authorization

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Name	Link
🔨 Latest commit	c016a80
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/68acc76dfe554b000856cae9
😎 Deploy Preview	https://deploy-preview-1332--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

Edits to modules/manage/pages/schema-reg/schema-reg-authorization.adoc reorganize prerequisites by environment (cloud vs non-cloud), add an explicit prerequisite to enable authentication (schema_registry_api.authn_method), and optionally guide configuring authentication when Schema Registry listeners are set. The ACL management example for schema_registry_admin is moved to prerequisites and removed from the enable section. Troubleshooting is expanded: a new “Inconsistent listener configuration” scenario is added, “Subject not found” is reworded, and guidance clarifies REGISTRY is global (registry-global) with sample outputs showing no resource names. Examples are updated (e.g., principal “jane”), and license-related “Not Found” messages are removed.

Sequence Diagram(s)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Relocate ACL management example under “Create and manage” or prerequisites; align section naming for Troubleshoot ACLs (DOC-1550)	✅
Add/clarify explanation for when no resource name appears in output; improve example names realism (DOC-1550)	✅
Add troubleshooting for potential listener issue (DOC-1550)	✅
Supported operations table completeness/accuracy; SR resource types with real-world examples for each (DOC-1550)	❓	REGISTRY/global clarified; other resource types’ real-world use cases and table review not evident.
Clean up first troubleshooting example that felt disjointed (DOC-1550)	❓	Header reworded and some content removed, but full resolution of disjointed flow is not explicit.

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Added prerequisite to enable authentication via schema_registry_api.authn_method (modules/manage/pages/schema-reg/schema-reg-authorization.adoc)	Authentication enablement prerequisite is not mentioned in DOC-1550 objectives.
Added env-cloud–gated guidance for configuring HTTP authentication when listeners are set for Schema Registry (modules/manage/pages/schema-reg/schema-reg-authorization.adoc)	Cloud-specific auth configuration guidance is outside the listed DOC-1550 troubleshooting/content fixes.
Reorganized prerequisites by environment (cloud vs non-cloud), including license gating and rpk installation notes (modules/manage/pages/schema-reg/schema-reg-authorization.adoc)	Environment gating and license/rpk prerequisite restructuring are not requested in DOC-1550.

Possibly related PRs

• DOC-1629: Fix single sourcing and cross repo tags #1329: Adjusts the same file with env-cloud gating and conditionalized license/examples, overlapping this PR’s environment-scoped reorganizations.
• Update schema-reg-authorization.adoc to conditionalize out the enterprise license prereq for cloud #1326: Touches the same doc to conditionalize enterprise license prerequisite, intersecting this PR’s prerequisite restructuring.
• DOC-1620: tag prop for SR AUthZ in Cloud #1310: Updates Schema Registry authorization property docs, overlapping in the same feature area.

Suggested reviewers

• mattschumpert
• paulohtb6
• micheleRP

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch DOC-1550

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

modules/manage/pages/schema-reg/schema-reg-authorization.adoc (1)

125-134: Wrong operation for POST /subjects/{subject}.

Registering a schema is a write operation, not read.

-| `/subjects/\{subject}`
-| `POST`
-| `read`
-| `subject`
+| `/subjects/\{subject}`
+| `POST`
+| `write`
+| `subject`

🧹 Nitpick comments (8)

modules/manage/pages/schema-reg/schema-reg-authorization.adoc (8)

211-211: Link to property reference for authn_method.

Good addition. To reduce follow-ups, link to where schema_registry_api.authn_method is documented.

-* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API.
+* Authentication enabled using `schema_registry_api.authn_method`, which specifies how clients must authenticate when accessing the Schema Registry API. See xref:reference:node-configuration-sample.adoc[] (search for `schema_registry_api.authn_method`).

---

200-200: Avoid duplicating license requirements.

There’s already a non-cloud license note at Lines 9–14 via enterprise-license.adoc. Repeating it here may be redundant.

-ifndef::env-cloud[]
-* A valid Redpanda Enterprise license.
-endif::[]
+// License requirement covered by the non-cloud note above.

---

364-366: Broaden the root cause and add version/config checks.

“Older version” is one likely cause, but not the only one (for example, wrong SR URL or authorization disabled). Recommend softening and offering concrete checks.

-The `Not found` error occurs in the request: `12:17:33.935 DEBUG sending request {"method": "POST", "URL: "http://127.0.0.1:8081/security/acls", "has_bearer": false, 
-"has_basic_auth": false}`, meaning that the endpoint is not available (because you are using an older Redpanda version). You must upgrade to the current version of Redpanda.
+The `Not found` error occurs in the request: `12:17:33.935 DEBUG sending request {"method": "POST", "URL: "http://127.0.0.1:8081/security/acls", "has_bearer": false,
+"has_basic_auth": false}`. This typically means the endpoint is unavailable. Verify:
+* You’re on Redpanda v25.2+.
+* `schema_registry_enable_authorization` is set to `true`.
+* Your rpk Schema Registry URL points to the correct host/scheme/port.
+Upgrade if needed and correct configuration before retrying.

---

367-382: Strengthen “Inconsistent listener configuration” guidance; highlight scheme/URL and rpk configuration.

The log shows an HTTPS client talking to an HTTP server on localhost. The actionable guidance here is to align SR URL scheme/host/port with the brokers/cluster you target and to set rpk’s SR URL explicitly when not local.

-When using Schema Registry Authorization with multiple listeners, make sure that they are using the same address. There are two listeners for every Schema Registry ACL: a Kafka listener and a Schema Registry listener. If you have manually configured Kafka listeners, be sure to point them to the same cluster because rpk operates on the assumption that you are talking to a local host. For example, here `rpk` opened a connection with a Kafka broker (`seed-036d6a67.d2hiu9c8ljef72usuu20.fmc.prd.cloud.redpanda.com:9092`), which is using port `9092`. However, it is trying to request a POST to Schema Registry on a local host, `https://127.0.0.1:8080/security/acls`. So there is a mismatch of the host ports.
+When using Schema Registry Authorization, ensure your rpk Kafka brokers and Schema Registry URL target the same cluster and that the SR URL uses the correct scheme/host/port. In the example, `rpk` talks to a remote broker (`...:9092`) but posts to a local SR URL over HTTPS (`https://127.0.0.1:8080/security/acls`), while the local SR appears to be HTTP-only. Align:
+* Set the correct SR URL (host and scheme) in rpk for the target cluster.
+* Ensure TLS settings match the SR endpoint (HTTP vs HTTPS).
+* Avoid mixing remote broker addresses with a local SR URL unless that’s intentional and properly configured.
+See xref:reference:rpk/rpk-registry/rpk-registry.adoc[rpk registry] for SR URL configuration commands.

Also, use the same code block style used elsewhere:

-[bash]
+[,bash]

---

387-395: Normalize code block style.

Other examples use [,bash]; use the same here for consistency.

-[bash]
+[,bash]

---

165-169: Add leading slash to compatibility endpoint and confirm operation scope.

Path is missing a leading slash. Also, confirm whether this should be categorized as describe or read.

-| `compatibility/subjects/\{subject}/versions/\{version}`
+| `/compatibility/subjects/\{subject}/versions/\{version}`
 | `POST`
-| `read`
+| `read`
 | `subject`

If your ACL model distinguishes “describe” vs “read” here, update accordingly after SME confirmation.

---

289-303: Unify role naming in ACL examples.

You alternate between --allow-role SoftwareEng and --allow-role "RedpandaRole:SoftwareEng". Pick one convention to avoid confusion; the first is simpler and matches the earlier creation step.

-# You can add more ACLs to this role later
-rpk security acl create --allow-role "RedpandaRole:SoftwareEng" [additional-acl-flags]
+# You can add more ACLs to this role later
+rpk security acl create --allow-role SoftwareEng [additional-acl-flags]

---

399-401: Remove empty env-gated block.

This ifndef::env-cloud[] block is empty and can be removed.

-ifndef::env-cloud[]
-
-endif::[]
+

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c546715 and 1b798b6.

📒 Files selected for processing (1)

• modules/manage/pages/schema-reg/schema-reg-authorization.adoc (3 hunks)

🔇 Additional comments (6)

modules/manage/pages/schema-reg/schema-reg-authorization.adoc (6)

204-206: LGTM: Cloud/non-cloud split for rpk version prereq is clear.

The env-gated bullets read well and point to the right install pages.

---

208-210: LGTM: Non-cloud rpk prerequisite mirrors cloud block appropriately.

Consistent phrasing and correct cross-reference.

---

217-223: LGTM: Cluster-level ALTER ACL example for SR ACL management.

Good, concrete example that aligns with the cluster-scoped SR ACL endpoints later in the table.

---

321-321: LGTM: Crisper heading (“Subject not found”).

The heading is clearer and matches the error text shown in the example.

---

383-399: LGTM: Clear explanation that REGISTRY ACLs are global and have no resource names.

This directly addresses confusion when RESOURCE-NAME is blank for REGISTRY entries.

---

100-119: Fix pluralization and RBAC scope for Schema Registry ID endpoints

• Replace singular /schema base path with plural /schemas for global schema operations: GET /schemas/ids/{id}, GET /schemas/ids/{id}/versions, and GET /schemas/ids/{id}/subjects (docs.confluent.io).
• Update the RBAC resource column for GET /schemas/ids/{id} and GET /schemas/ids/{id}/subjects from subject to registry, since these are registry-scoped APIs (docs.confluent.io).
• Verify with your RBAC SMEs whether Redpanda’s implementation requires different resource scopes.

| `/schema/ids/{id}`          | GET     | read     | subject
-| → `/schemas/ids/{id}`       | GET     | read     | registry

| `/schema/ids/{versions}`    | GET     | describe | registry
-| → `/schemas/ids/{id}/versions` | GET  | describe | registry

| `/schema/ids/{subjects}`    | GET     | describe | subject
-| → `/schemas/ids/{id}/subjects` | GET  | describe | registry

[micheleRP]

LGTM!

[BenPope]

• Replace singular /schema base path with plural /schemas for global schema operations: GET /schemas/ids/{id}, GET /schemas/ids/{id}/versions, and GET /schemas/ids/{id}/subjects (docs.confluent.io).

Plural is correct.

• Update the RBAC resource column for GET /schemas/ids/{id} and GET /schemas/ids/{id}/subjects from subject to registry, since these are registry-scoped APIs (docs.confluent.io).
• Verify with your RBAC SMEs whether Redpanda’s implementation requires different resource scopes.

| `/schema/ids/{id}`          | GET     | read     | subject
-| → `/schemas/ids/{id}`       | GET     | read     | registry

Plural is correct. This one is subject resource, where the schema can be retrieved by id if the principal has permission over any subject that references the schema.

| /schema/ids/{versions} | GET | describe | registry
-| → /schemas/ids/{id}/versions | GET | describe | registry

Plural and registry is correct.

| /schema/ids/{subjects} | GET | describe | subject
-| → /schemas/ids/{id}/subjects | GET | describe | registry

Plural and registry is correct.