Karapace Schema Registry: separate permissions for WriteCompatibility operation for subjects
hollowowl opened this issue · 0 comments
What is currently missing?
In Karapace Schema Schema Registry permissions can be configured only for schema_registry_read and schema_registry_write operations on subject level. Problem there that user with schema_registry_write permissions can also edit related subjects' compatibility settings, meaning in order to allow one to add a new schema version to the subject we're always forced to permit this user to change compatibility settings (and omit global settings) for the given subject, which can be considered as security issue.
How could this be improved?
One option is to make it the same way like in Confluent Schema Registry - there Write and WriteCompatibility are separate operations, so user can have permissions to update subject but not its compatibility settings.
In terms of Karapace it could be that new operation is added (let's name it schema_registry_manage), so operation permissions will affect resources in the given way:
| Operation | Config: | Subject:subject_name |
|---|---|---|
| schema_registry_read | Read global compatibility settings | Read subject compatibility settings and schemas |
| schema_registry_write | Read and write global compatibility settings | Read subject compatibility settings and read and write schemas |
| schema_registry_manage | Read and write global compatibility settings (same as schema_registry_write) | Read and write subject compatibility settings and schemas |
Is this a feature you would work on yourself?
- I plan to open a pull request for this feature