From e45b9f9d189f025e87a6f4ffc4388d27baf23c41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1ty=C3=A1s=20Kuti?= Date: Mon, 4 Mar 2024 14:27:19 +0100 Subject: [PATCH] Document schema registry ACL requirements --- README.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.rst b/README.rst index 7e7bc178f..1207f691f 100644 --- a/README.rst +++ b/README.rst @@ -568,6 +568,17 @@ Example of complete authorization file ] } +Karapace Schema Registry access to the schemas topic +==================================================== + +The principal used by the Karapace Schema Registry has to have adequate access to the schemas topic (see the ``topic_name`` configuration option above). +In addition to what is required to access the topic, as described in the Confluent Schema Registry documentation_, the unique, single-member consumer group +used by consumers in the schema registry needs ``Describe`` and ``Read`` permissions_ on the group. +These unique (per instance of the schema registry) consumer group names are prefixed by ``karapace-autogenerated-``, followed by a random string. + +.. _`documentation`: https://docs.confluent.io/platform/current/schema-registry/security/index.html#authorizing-access-to-the-schemas-topic +.. _`permissions`: https://docs.confluent.io/platform/current/kafka/authorization.html#group-resource-type-operations + OAuth2 authentication and authorization of Karapace REST proxy ===================================================================
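Review bot: The last sentence of the new section says the consumer group name is ``karapace-autogenerated-`` followed by a random string, but the text does not say how to grant ``Describe`` and ``Read`` on a group whose full name cannot be known in advance. Suggest stating explicitly that the group ACL has to be a prefixed resource pattern on ``karapace-autogenerated-`` rather than a literal group name. It is also worth noting that such a grant covers every group sharing that prefix, so the principal is best kept specific to the schema registry. Minor style point on the two link targets at the end of the hunk: ``documentation`` and ``permissions`` are very generic target names for a README that is already past 500 lines, so more specific names would avoid clashing with other targets in the file.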