This document tracks SASL user, role, and ACL configuration across Redpanda version upgrades to identify any changes to security configuration during upgrades.
- Cluster Size: 3 nodes
- Configuration: TLS + SASL (Method 2 - per-listener authentication)
- License: Enterprise (trial)
- Upgrade Path: 25.3.1 -> 25.3.3 -> 25.3.5
Installation Date: 2026-01-30
| Username | Description |
|---|---|
| admin | Superuser (bootstrap user) |
| schema_registry_client | Service account for Schema Registry internal Kafka client |
| pandaproxy_client | Service account for HTTP Proxy internal Kafka client |
Roles: None (empty)
| Principal | Host | Resource Type | Resource Name | Pattern Type | Operation | Permission |
|---|---|---|---|---|---|---|
| User:pandaproxy_client | * | CLUSTER | kafka-cluster | LITERAL | ALL | ALLOW |
| User:pandaproxy_client | * | TOPIC | * | LITERAL | ALL | ALLOW |
| User:schema_registry_client | * | CLUSTER | kafka-cluster | LITERAL | ALL | ALLOW |
| User:schema_registry_client | * | TOPIC | * | LITERAL | ALL | ALLOW |
- Cluster health: Healthy (all 3 nodes up)
- Schema Registry accessible with admin credentials
- Schema registration successful (schema ID: 1)
- rpk commands work with SASL authentication
Upgrade Date: 2026-01-30
| Username | Description |
|---|---|
| admin | Superuser (bootstrap user) |
| schema_registry_client | Service account for Schema Registry internal Kafka client |
| pandaproxy_client | Service account for HTTP Proxy internal Kafka client |
Roles: None (empty)
| Principal | Host | Resource Type | Resource Name | Pattern Type | Operation | Permission |
|---|---|---|---|---|---|---|
| User:pandaproxy_client | * | CLUSTER | kafka-cluster | LITERAL | ALL | ALLOW |
| User:pandaproxy_client | * | TOPIC | * | LITERAL | ALL | ALLOW |
| User:schema_registry_client | * | CLUSTER | kafka-cluster | LITERAL | ALL | ALLOW |
| User:schema_registry_client | * | TOPIC | * | LITERAL | ALL | ALLOW |
- Cluster health: Healthy (all 3 nodes up)
- Schema Registry accessible with admin credentials
- Schema registration successful (schema ID: 1, subject: test-253)
- Schema retrieval successful
- rpk commands work with SASL authentication
No changes to SASL configuration. Users, roles, and ACLs are identical to 25.3.1.
Upgrade Date: 2026-01-30
| Username | Description |
|---|---|
| admin | Superuser (bootstrap user) |
| pandaproxy_client | Service account for HTTP Proxy internal Kafka client |
| schema_registry_client | Service account for Schema Registry internal Kafka client |
Roles: None (empty)
| Principal | Host | Resource Type | Resource Name | Pattern Type | Operation | Permission |
|---|---|---|---|---|---|---|
| User:pandaproxy_client | * | CLUSTER | kafka-cluster | LITERAL | ALL | ALLOW |
| User:pandaproxy_client | * | TOPIC | * | LITERAL | ALL | ALLOW |
| User:schema_registry_client | * | CLUSTER | kafka-cluster | LITERAL | ALL | ALLOW |
| User:schema_registry_client | * | TOPIC | * | LITERAL | ALL | ALLOW |
- Cluster health: Healthy (all 3 nodes up)
- Schema Registry accessible with admin credentials
- Schema registration successful (schema ID: 1, subject: test-255)
- Schema retrieval successful
- rpk commands work with SASL authentication
No changes to SASL configuration. Users, roles, and ACLs are identical to 25.3.3.
| Version | Users | Roles | ACLs | SASL Changes |
|---|---|---|---|---|
| 25.3.1 | admin, schema_registry_client, pandaproxy_client | None | 4 ACLs (2 per service account) | N/A (baseline) |
| 25.3.3 | admin, schema_registry_client, pandaproxy_client | None | 4 ACLs (2 per service account) | No changes |
| 25.3.5 | admin, schema_registry_client, pandaproxy_client | None | 4 ACLs (2 per service account) | No changes |
SASL configuration remains stable across Redpanda 25.3.x versions.
Upgrading from 25.3.1 through 25.3.5 does not introduce any changes to:
- User accounts
- Security roles
- ACL permissions
All authentication and authorization functionality remains consistent:
- Schema Registry authentication works correctly
- rpk commands authenticate successfully
- Service accounts (schema_registry_client, pandaproxy_client) maintain their permissions
- No ephemeral users: Starting in Redpanda 25.2, ephemeral credentials were removed. Schema Registry and HTTP Proxy use explicit SCRAM credentials configured in redpanda.yaml.
- Consistent ACL structure: Both service accounts have identical permissions:
  - ALL operations on CLUSTER (kafka-cluster)
  - ALL operations on all TOPICs (*)
- No RBAC roles created: The role list remains empty across all versions. RBAC roles are an optional enterprise feature that would need to be explicitly created.
- TLS + SASL compatibility: The combination of TLS encryption with SASL authentication works correctly across all tested versions.
```bash
# List users
rpk security user list --api-urls https://<host>:9644 \
  -X admin.tls.enabled=true \
  -X admin.tls.ca=/etc/redpanda/certs/truststore.pem \
  -X user=admin \
  -X pass=<password> \
  -X sasl.mechanism=SCRAM-SHA-256

# List roles
rpk security role list --api-urls https://<host>:9644 \
  -X admin.tls.enabled=true \
  -X admin.tls.ca=/etc/redpanda/certs/truststore.pem \
  -X user=admin \
  -X pass=<password> \
  -X sasl.mechanism=SCRAM-SHA-256

# List ACLs
rpk security acl list --brokers <host>:9092 \
  -X tls.enabled=true \
  -X tls.ca=/etc/redpanda/certs/truststore.pem \
  -X user=admin \
  -X pass=<password> \
  -X sasl.mechanism=SCRAM-SHA-256

# Test Schema Registry
# Note: -k skips TLS certificate verification; use --cacert with the CA file to validate the server.
curl -sk -u admin:<password> https://<host>:8081/subjects
curl -sk -u admin:<password> -X POST https://<host>:8081/subjects/test/versions \
  -H "Content-Type: application/vnd.schemaregistry.v1+json" \
  -d '{"schema": "{\"type\": \"string\"}"}'
```
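The version-to-version comparison recorded in this document can be scripted. The following is an added example, not part of the original test record or of Redpanda's tooling: it compares two snapshots as sets of rows, so a reordered listing (as in the 25.3.5 user table) is not reported as a change. The function names and the extra GROUP ACL row are constructed for illustration, and the input is assumed to use this document's pipe-table layout.

```bash
# Added example: order-insensitive comparison of two security snapshots.
# Rows use this document's pipe-table layout; all sample data is constructed.

# normalize: drop header and separator rows, trim cell padding, sort uniquely.
normalize() {
  grep -v -e '^|[-|]*$' -e '^| *Principal' -e '^| *Username' |
    sed -e 's/[[:space:]]*|[[:space:]]*/|/g' -e 's/^|//' -e 's/|$//' |
    grep -v '^$' | LC_ALL=C sort -u
}

# snapshot_diff BEFORE AFTER: prints "- row" (removed) and "+ row" (added);
# returns 0 when both snapshots hold the same set of rows, 1 on drift.
snapshot_diff() {
  tmp=$(mktemp -d) || return 2
  printf '%s\n' "$1" | normalize > "$tmp/before"
  printf '%s\n' "$2" | normalize > "$tmp/after"
  LC_ALL=C comm -23 "$tmp/before" "$tmp/after" | sed 's/^/- /'
  LC_ALL=C comm -13 "$tmp/before" "$tmp/after" | sed 's/^/+ /'
  if cmp -s "$tmp/before" "$tmp/after"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return "$rc"
}

# User tables as recorded for 25.3.3 and 25.3.5 (same rows, different order).
USERS_2533='| Username | Description |
|---|---|
| admin | Superuser (bootstrap user) |
| schema_registry_client | Service account for Schema Registry internal Kafka client |
| pandaproxy_client | Service account for HTTP Proxy internal Kafka client |'
USERS_2535='| Username | Description |
|---|---|
| admin | Superuser (bootstrap user) |
| pandaproxy_client | Service account for HTTP Proxy internal Kafka client |
| schema_registry_client | Service account for Schema Registry internal Kafka client |'

# Baseline ACL row plus a hypothetical extra row to show how drift is reported.
ACLS_BASE='| User:pandaproxy_client | * | TOPIC | * | LITERAL | ALL | ALLOW |'
ACLS_DRIFT="$ACLS_BASE
| User:pandaproxy_client | * | GROUP | * | LITERAL | ALL | ALLOW |"

snapshot_diff "$USERS_2533" "$USERS_2535" && echo "users: no change"
snapshot_diff "$ACLS_BASE" "$ACLS_DRIFT" || echo "acls: drift detected"
```

The non-zero return on drift lets the check gate an upgrade runbook step or a CI job.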