Manage Karapace schema registry authorization

Karapace schema registry authorization allows you to authenticate the user, to control access to individual Karapace schema registry REST API endpoints, and to filter the content the endpoints return.


Some older Aiven for Apache Kafka® services may not have this feature enabled by default; read how to enable schema registry authorization on older services.

Karapace schema registry authorization is configured using dedicated Access Control Lists (ACLs); to learn more about defining ACLs, check the dedicated page.

To manage Karapace schema registry authorization ACL entries, you can use the Aiven CLI.

Here’s an example of how to add an ACL entry granting a user named user_1 read permission (schema_registry_read) on the subject s1, after replacing the placeholders PROJECT_NAME and APACHE_KAFKA_SERVICE_NAME with the name of the project and the Aiven for Apache Kafka® service:

avn service schema-registry-acl-add     \
    --project PROJECT_NAME              \
    --permission schema_registry_read   \
    --resource Subject:s1               \
    --username user_1                   \
    APACHE_KAFKA_SERVICE_NAME


The Aiven CLI command avn service schema-registry-acl-list allows you to list the ACL entries already defined. avn service schema-registry-acl-delete allows you to delete an ACL entry.

Additionally, the Aiven Terraform provider supports managing Karapace schema registry authorization ACL entries with the aiven_kafka_schema_registry_acl resource. See the resource documentation for more details.

resource "aiven_kafka_schema_registry_acl" "my_resource" {
  project      = aiven_kafka_topic.demo.project
  service_name = aiven_kafka_topic.demo.service_name
  resource     = "Subject:${aiven_kafka_topic.demo.topic_name}"
  username     = aiven_kafka_user.demo.username
  permission   = "schema_registry_read"
}