Update schema registry ACL details

[vuldin]

Description

Added two new sections to explain what ACLs operations relate to the schema registry (and when to use them).

"Understanding Schema Registry operations" - Explains what each operation does in plain language:

• read - Reading schemas and content
• write - Registering new schemas
• delete - Deleting schemas
• describe - Listing and discovering resources
• describe_configs - Reading configuration
• alter_configs - Modifying configuration

"Common use cases" - Provides practical examples for:

• Schema Registry migration - Shows the exact ACL needed for migration with all 5 operations (read, write, describe, alter_configs, describe_configs)
• Read-only access for consumers - consumer permissions
• Producer access - producer permissions
• Schema administrator access - Full management permissions

Also added a new example showing migration permissions (rpk security acl create --allow-principal migrator-user --operation read,write,describe,alter_configs,describe_configs --registry-global).

Page previews

• https://deploy-preview-1528--redpanda-docs-preview.netlify.app/current/manage/schema-reg/schema-reg-authorization/#understanding-schema-registry-operations
• https://deploy-preview-1528--redpanda-docs-preview.netlify.app/current/reference/rpk/rpk-security/rpk-security-acl-create/#examples

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Name	Link
🔨 Latest commit	d5b30ff
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/6960242c99b255000768ddab
😎 Deploy Preview	https://deploy-preview-1528--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

This PR adds documentation for Schema Registry ACL operations and configuration examples across two reference files. The changes introduce detailed guidance on six Schema Registry operations (read, write, delete, describe, describe_configs, alter_configs) with practical ACL configuration examples for common use cases, including schema migration, read-only consumer access, producer access, and schema administrator access. A new usage example for schema migration ACL permissions is also added to the rpk security ACL create reference documentation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10–15 minutes

• Review focuses on documentation accuracy and completeness of ACL examples
• Verify that the example commands and use case scenarios are technically correct
• Ensure consistency with existing documentation conventions and terminology

Possibly related PRs

• DOC-1550 Unresolved Schema Registry AuthZ issues #1332: Modifies the same Schema Registry authorization documentation (schema-reg-authorization.adoc) with overlapping edits to registry-global ACL examples and schema management ACL commands.

Suggested reviewers

• sago2k8
• andresaristizabal
• r-vasquez
• micheleRP

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating schema registry ACL documentation with operational details and common use cases.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description includes a clear summary of changes, marked checkbox for Content gap, and provides page preview links for validation.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between be83200 and c3632e7.

📒 Files selected for processing (2)

• modules/manage/pages/schema-reg/schema-reg-authorization.adoc (1 hunks)
• modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: micheleRP
Repo: redpanda-data/docs PR: 1334
File: modules/manage/partials/rbac-dp.adoc:93-98
Timestamp: 2025-08-25T21:00:26.626Z
Learning: In cloud documentation (env-cloud), Security is at the top level navigation, so ACL references should use `security:authorization/rbac/acl.adoc`. In self-managed documentation, Security is nested under Manage, so ACL references use `manage:security/authorization/acl.adoc`. The different xref paths in conditional blocks reflect these different navigation structures.

📚 Learning: 2025-08-25T21:00:26.626Z

Learnt from: micheleRP
Repo: redpanda-data/docs PR: 1334
File: modules/manage/partials/rbac-dp.adoc:93-98
Timestamp: 2025-08-25T21:00:26.626Z
Learning: In cloud documentation (env-cloud), Security is at the top level navigation, so ACL references should use `security:authorization/rbac/acl.adoc`. In self-managed documentation, Security is nested under Manage, so ACL references use `manage:security/authorization/acl.adoc`. The different xref paths in conditional blocks reflect these different navigation structures.

Applied to files:

• modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc
• modules/manage/pages/schema-reg/schema-reg-authorization.adoc

📚 Learning: 2025-12-12T16:18:28.126Z

Learnt from: andrewstucki
Repo: redpanda-data/docs PR: 1514
File: modules/troubleshoot/partials/errors-and-solutions.adoc:618-632
Timestamp: 2025-12-12T16:18:28.126Z
Learning: In Redpanda ShadowLink CRD usage, do not copy CA certificates into pods via kubectl cp because they won't persist across pod restarts. Store CA certs in Kubernetes Secrets and reference them in the ShadowLink's staticConfiguration block (or inline the cert data in that block) to ensure persistence and proper secret management.

Applied to files:

• modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc
• modules/manage/pages/schema-reg/schema-reg-authorization.adoc

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Redirect rules - redpanda-docs-preview
• GitHub Check: Header rules - redpanda-docs-preview
• GitHub Check: Pages changed - redpanda-docs-preview

🔇 Additional comments (5)

modules/reference/pages/rpk/rpk-security/rpk-security-acl-create.adoc (1)

47-51: New schema migration example is clear and well-placed.

The addition appropriately documents a common use case for Schema Registry ACL permissions with the correct combination of operations for migration scenarios.

modules/manage/pages/schema-reg/schema-reg-authorization.adoc (4)

199-209: Excellent operation descriptions with clear, actionable explanations.

The new "Understanding Schema Registry operations" section clearly explains each of the six supported operations and provides concrete use-case examples for each. These descriptions align accurately with the endpoint-operation mapping table.

---

214-238: Add conditional handling to the schema-reg-api xref.

Line 237 references xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[], which is a self-managed path. Since this page is shared between both cloud and self-managed documentation, this xref needs to be wrapped in conditional blocks (using ifdef::env-cloud[] / ifndef::env-cloud[]) to point to the correct API documentation for each environment.

🔎 Suggested fix for conditional xref

 [NOTE]
 ====
 The target Schema Registry must be in IMPORT mode to preserve schema IDs during migration. Only superusers or principals with `alter_configs` permission on the `registry` resource can change the global mode. See xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[Set global mode].
 ====

Replace with:

 [NOTE]
 ====
 The target Schema Registry must be in IMPORT mode to preserve schema IDs during migration. Only superusers or principals with `alter_configs` permission on the `registry` resource can change the global mode. 
+ifndef::env-cloud[]
 See xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[Set global mode].
+endif::[]
+ifdef::env-cloud[]
+See xref:manage:schema-reg/schema-reg-api.adoc#set-global-mode[Set global mode].
+endif::[]
 ====

Based on learnings from previous PRs, the conditional xref paths should be: manage:schema-reg/schema-reg-api.adoc for self-managed and the cloud equivalent for cloud documentation.

---

278-296: Schema administrator example is clear and complete.

The use of --operation all for full schema management is appropriate and well-explained, with clear descriptions of the capabilities granted by the full permission set.

---

31-35: xref paths correctly handle env-cloud conditions.

The conditional blocks properly route to manage:security/authorization/acl.adoc for self-managed and security:/authorization/acl.adoc for cloud documentation.

[Feediver1]

lgtm