Authentication and Authorization

[gtato]

Hi,

I am not sure to understand how the authentication and authorization of Karapace links to that of Kafka.
Let's I got a couple SCRAM-SHA users in Kafka: A and B.

User A can produce on topic T, and therefore should also be able to write/update its schema.
User B can only read topic T and its schema but not write it.

What do I have to do, have users A and B defined both in Kafka (zookeeper) and in a file in Karapace, and do the same with ACLs?

[tvainika]

Schema handling authorization is configured with a file in Karapace, and those users and ACLs are not linked to Kafka users and ACLs in Kafka. These are two totally separate set of users and ACLs.

Kafka users and ACLs control producing to and reading from a topic. Also Karapace (REST Proxy) does not itself verify Kafka users or ACLs, but instead sends a request to Kafka via Kafka protocol using authorization information passed in HTTP request. Schema registry users in Karapace control fetching or updating a schema. Schema subject is linked to Kafka topics by convention. There is no technical or direct bonding of those two.

Therefore to set up a configuration where given User A can produce on topic T and able to write and update schema in a subject named T both Kafka and Karapace need User A defined and suitable ACLs using permission models (which are a bit different as Kafka has rich set of permission controls, and Karapace Schema Registry uses rather simple model of read/write ACLs).

Hope this answers your question, and let us know if there is something we can improve in Karapace documentation to explain this as clearly as possible.