Skip to content

Commit 233a8a8

Browse files
twmbclaudeFeediver1
authored
docs: add DESCRIBE_CONFIGS to migrator source topic ACLs (#1770)
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
1 parent 0c0a92e commit 233a8a8

1 file changed

Lines changed: 5 additions & 3 deletions

File tree

modules/manage/pages/schema-reg/schema-reg-authorization.adoc

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -282,9 +282,11 @@ This grants:
282282
====
283283
**Schema Registry ACLs are only for Schema Registry operations.** For complete data migration, you must also use Kafka ACLs:
284284
285-
* **Topics:** READ (source), WRITE/CREATE/DESCRIBE/ALTER (target)
286-
* **Consumer groups:** READ (source), CREATE/READ (target)
287-
* **Cluster:** DESCRIBE (both), CREATE (target)
285+
* **Topics:** `READ`, `DESCRIBE_CONFIGS` (source); `WRITE`/`CREATE`/`DESCRIBE`/`ALTER`/`DESCRIBE_CONFIGS` (target)
286+
* **Consumer groups:** `READ` (source), `CREATE`/`READ` (target)
287+
* **Cluster:** `DESCRIBE` (both), `CREATE` (target)
288+
289+
`READ` on a topic implicitly grants `DESCRIBE`, but not `DESCRIBE_CONFIGS`. Redpanda Migrator reads each source topic's configuration (`DESCRIBE_CONFIGS`) to recreate it on the target, so a consumer-only ACL on the source is not sufficient: without `DESCRIBE_CONFIGS` on the source topics, topic creation fails with `TOPIC_AUTHORIZATION_FAILED`.
288290
289291
See xref:manage:security/authorization/acl.adoc[Configure Access Control Lists] for Kafka ACL configuration.
290292
====

0 commit comments

Comments
 (0)