Karapace Schema Registry: separate permissions for WriteCompatibility operation for subjects #917

Open
hollowowl opened this issue Jul 16, 2024 · 0 comments

What is currently missing?

In Karapace Schema Registry, permissions can be configured only for the schema_registry_read and schema_registry_write operations at the subject level. The problem there is that a user with schema_registry_write permissions can also edit the related subjects' compatibility settings, meaning that in order to allow someone to add a new schema version to a subject we are always forced to permit this user to change the compatibility settings (and override the global settings) for the given subject, which can be considered a security issue.

How could this be improved?

One option is to do it the same way as in Confluent Schema Registry, where Write and WriteCompatibility are separate operations, so a user can have permission to update a subject but not its compatibility settings.

In terms of Karapace, a new operation could be added (let's name it schema_registry_manage), so that operation permissions affect resources in the following way:

| Operation | Config: | Subject:subject_name |
| --- | --- | --- |
| schema_registry_read | Read global compatibility settings | Read subject compatibility settings and schemas |
| schema_registry_write | Read and write global compatibility settings | Read subject compatibility settings; read and write schemas |
| schema_registry_manage | Read and write global compatibility settings (same as schema_registry_write) | Read and write subject compatibility settings and schemas |

Is this a feature you would work on yourself?

  • I plan to open a pull request for this feature
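To make the proposed split concrete, here is a small authorization check that enforces the three-operation matrix from the issue. This is an added illustration, not Karapace's code and not part of the issue: the permission record shape (username, operation, regex resource), the endpoint-to-operation mapping, and the sample permissions are all assumptions made for the example. The point it demonstrates is the asymmetry the issue asks for: a user holding only schema_registry_write on a subject can register schema versions but is denied a PUT to that subject's compatibility config, while per-subject compatibility changes require schema_registry_manage.

```python
"""Toy authorizer for the proposed read / write / manage split.

Added example, NOT Karapace's code. The permission file layout below
(username / operation / regex resource triples) and the endpoint mapping
are assumptions made for the illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Operation hierarchy under the proposal: manage implies write, write implies read.
OPERATION_RANK = {
    "schema_registry_read": 0,
    "schema_registry_write": 1,
    "schema_registry_manage": 2,
}


@dataclass(frozen=True)
class Permission:
    username: str
    operation: str
    resource: str  # regex, matched against e.g. "Subject:orders-value" or "Config:"


def required_operation(method: str, path: str) -> tuple[str, str]:
    """Map a Schema Registry request to (required operation, resource name).

    Only the endpoints discussed in the issue are modelled (assumed paths):
      GET/PUT /config                       -> global compatibility, resource "Config:"
      GET/PUT /config/{subject}             -> per-subject compatibility
      GET/POST /subjects/{subject}/versions -> read / register schemas
    The key asymmetry: PUT on a subject's config needs schema_registry_manage,
    while registering a schema version needs only schema_registry_write.
    """
    m = re.fullmatch(r"/config(?:/([^/]+))?", path)
    if m:
        subject = m.group(1)
        resource = f"Subject:{subject}" if subject else "Config:"
        if method == "GET":
            return "schema_registry_read", resource
        if method == "PUT":
            # Global config: write suffices (manage is "same as write" there).
            # Per-subject config: manage is required.
            needed = "schema_registry_manage" if subject else "schema_registry_write"
            return needed, resource
    m = re.fullmatch(r"/subjects/([^/]+)/versions(?:/[^/]+)?", path)
    if m:
        resource = f"Subject:{m.group(1)}"
        needed = "schema_registry_read" if method == "GET" else "schema_registry_write"
        return needed, resource
    raise ValueError(f"unmodelled endpoint {method} {path}")


def is_allowed(perms: list[Permission], username: str, method: str, path: str) -> bool:
    """Grant if the user holds an operation of at least the required rank on a
    resource pattern that fully matches the target resource."""
    needed, resource = required_operation(method, path)
    need_rank = OPERATION_RANK[needed]
    for p in perms:
        if p.username != username or p.operation not in OPERATION_RANK:
            continue
        if OPERATION_RANK[p.operation] >= need_rank and re.fullmatch(p.resource, resource):
            return True
    return False


# Constructed sample permissions for the demonstration (not real users).
SAMPLE_PERMISSIONS = [
    Permission("producer", "schema_registry_write", r"Subject:orders.*"),
    Permission("owner", "schema_registry_manage", r"Subject:orders.*"),
    Permission("auditor", "schema_registry_read", r".*"),
]


if __name__ == "__main__":
    checks = [
        ("producer", "POST", "/subjects/orders-value/versions"),  # allowed: write on subject
        ("producer", "PUT", "/config/orders-value"),              # denied: needs manage
        ("owner", "PUT", "/config/orders-value"),                 # allowed: manage on subject
        ("owner", "PUT", "/config"),                              # denied: no Config: grant
    ]
    for user, method, path in checks:
        print(f"{user:8} {method:4} {path:35} -> {is_allowed(SAMPLE_PERMISSIONS, user, method, path)}")
```

Because the rank comparison lets schema_registry_manage satisfy a schema_registry_write requirement, the "same as schema_registry_write" row for the global Config: resource falls out of the hierarchy rather than needing a special case; the only place manage is strictly required is PUT on a per-subject config.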