-
Notifications
You must be signed in to change notification settings - Fork 592
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CORE-60] Schema Registry: Support /mode
#17952
Conversation
/mode
/mode
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks nice, a few questions
result<void> check_mutable(force f) const { | ||
if (!_mutable && !f) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: Isn't the force flag for if there are already registered schemas and the mode is going into IMPORT
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but it's also used when applying records from the topic onto the store.
src/v/pandaproxy/api/api-doc/schema_registry_definitions.def.json
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm. few questions mostly for my own benefit.
rq.user = maybe_authorize_request( | ||
rq.authn_method, | ||
_auth_level, | ||
rq.service().authenticator(), | ||
*rq.req); | ||
} catch (unauthorized_user_exception& e) { | ||
audit_authn_failure(rq, e.get_username(), e.what()); | ||
throw; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pgellert Looks like if this fails AuthZ (c.f. AuthN) this needs something like audit_authz for failure
070f318
to
6def7c3
Compare
Changes in force-push
|
"type": "object", | ||
"properties": { | ||
"mode": { | ||
"type": "string" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like this, I believe so!
"type": "string" | |
"type": "string", | |
"enum": [ | |
"READWRITE", | |
"READONLY" | |
] |
"type": "string" | ||
}, | ||
{ | ||
"name": "defaultToGlobal", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the description for the query param
query the mode for a particular subject, regardless of whether it has a specific override
and the endpoint (without the query param)
If there is no specific mode set for the subject an error shall be returned.
Does defaultToGlobal
mean, if there is no specific mode set for the subject, return the global mode instead? I wasn't sure what "specific override" was referring to
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the description for the query param
query the mode for a particular subject, regardless of whether it has a specific override
and the endpoint (without the query param)
If there is no specific mode set for the subject an error shall be returned.
Does
defaultToGlobal
mean, if there is no specific mode set for the subject, return the global mode instead? I wasn't sure what "specific override" was referring to
Yeah, so the global mode is in force for all subjects, unless a subject has a mode set, in which case that will override whatever is global, for the subject.
To query whether a subject has a mode set, either don't specify defaultToGlobal=true
, or specify defaultToGlobal=false
, and detect the success or error.
But if you're just querying what mode is in force, specify defaultToGlobal=true
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kbatuigas I added some short descriptions for the parameters.
Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
No functional changes Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
0347421
to
19e51c9
Compare
Changes in force-push:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Do you think it would be useful to add docs as code reviewers for Swagger? |
Yes--would mean these updates are reviewed before any customers ever see them. Perfect. |
|
@Feediver1 done (#18473) |
/backport v24.1.x |
/backport v23.3.x |
Failed to create a backport PR to v23.3.x branch. I tried:
|
Support READONLY
/mode
Documentation
Schema registry supports a read-only mode, which is useful when it is undesirable for modifications to be made to either the whole Schema Registry, or particular subjects.
To allow the mode of the Schema Registry to be changed, the node-level property
schema_registry.mode_mutability
must be set to true inredpanda.yaml
(this is now the default):If authentication is enabled on Schema Registry, then the global or subject-level mode can only be changed by superusers.
To get the global mode:
curl http://localhost:$PORT/mode
To set the global mode to read only:
To revert the global mode to read-write:
To query the mode for a particular subject:
If there is no specific mode set for the subject an error shall be returned.
curl http://localhost:$PORT/mode/subject
To query the mode for a particular subject, regardless of whether it has a specific override
To override the global mode for a particular subject:
To clear the override for a particular subject:
New swagger:
definitions:
Notes for the reviewer
A read-only Schema Registry may receive updates directly to its topic, and those changes should become visible in a timely fashion. This will often require a
rq.service().writer().read_sync()
.Backports Required
There are a couple of commits that may need to be backported.
Release Notes
Features
/mode
endpoints for READONLY