Restricting Access to Confluent Schema Registry's community (open-source) version

[shivam-cse]

We have a GKE cluster where we have deployed a Strimzi-based Kafka cluster. Additionally, we installed Schema Registry using the Bitnami Helm chart on the same cluster where Strimzi Kafka is running.

Does it support ACLs to restrict access?

For example, allowing producers/consumers read access while providing read/write/update permissions to admins.

How can we enforce ACL-based access restrictions on the _schemas topic?

By default, Confluent Schema Registry reads/writes to the _schemas Kafka topic.

Currently, we have granted full access to this topic using the following Strimzi Kafka ACLs:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: schema-registry-user #  Name of the Kafka user, confluent-schema-registry
  namespace: kafka #  Namespace where the Kafka cluster is deployed
  labels:
    strimzi.io/cluster: my-kafka-poc-tf  #  Links this user to the Kafka cluster
spec:
  authentication:
    type: tls  #  Enforces TLS authentication (certificate-based access)
    # type: scram-sha-512  #  Enforces SCRAM-SHA-512 authentication (username/password-based access)
  authorization:
    type: simple  #  Enables ACL-based access control
    acls:
      # ✅ Grant Schema Registry full access to the "registry-schemas" topic
      - resource:
          type: topic
          name: _schemas
          patternType: literal
        operation: All  #  Allows full access (Read, Write, Delete, Describe, etc.)
        type: allow

      # ✅ Allow Schema Registry to create and manage its consumer groups
      - resource:
          type: group
          name: schema-registry
          patternType: prefix
        operation: All  #  Allows full control of consumer groups starting with "schema-registry"
        type: allow

      # ✅ Allow Schema Registry to read Kafka's consumer offsets
      - resource:
          type: topic
          name: __consumer_offsets
          patternType: literal
        operation: Describe  #  Only allows reading offset metadata (not writing)
        type: allow

Is there a way to restrict access to _schemas while still allowing Schema Registry to function properly?

Alternative Solutions:

If the open-source Confluent Schema Registry does not support fine-grained access control, what alternatives support this?

I am aware of Karapace Schema Registry but unsure whether it supports client-specific access control the way we mentioned on top in this chat.