[25.3] Security report and other additions to What's New (#1450)

Co-authored-by: Joyce Fee <[email protected]>

Author: 2 people

modules/deploy/pages/redpanda/manual/production/production-readiness.adoc

@@ -318,6 +318,15 @@ In the logs, verify `enabled: 1`.
 
 See also: xref:manage:security/listener-configuration.adoc#multiple-listeners[Multiple listeners]
 
+[NOTE]
+====
+You can also use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a security report for your cluster and verify TLS, authentication, and authorization settings:
+
+```bash
+curl 'http://localhost:9644/v1/security/report'
+```
+====
+
 [[redpanda-tuners]]
 === Run Redpanda tuners
 
@@ -643,6 +652,11 @@ Review your deployment automation. Specifically, if you need to reprovision a cl
 
 Check that your xref:manage:audit-logging.adoc#audit-log-flow[audit logs] are forwarded to an enterprise security information and event management (SIEM) system. 
 
+=== Monitor security settings
+
+Regularly review your cluster's security settings using the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint. Investigate and address any issues identified in the alerts section.
+
+include::manage:partial$security-report.adoc[]
 
 == Suggested reading
 

modules/develop/partials/http-proxy.adoc

@@ -1044,6 +1044,117 @@ res = requests.delete(
 --
 =====
 
+== Authenticate with HTTP Proxy
+
+HTTP Proxy supports authentication using SCRAM credentials or OIDC tokens.
+The authentication method depends on
+ifndef::env-cloud[]
+the xref:reference:properties/broker-properties.adoc#http_proxy_auth_method[`authentication_method`] broker property and 
+endif::[]
+the cluster's xref:reference:properties/cluster-properties.adoc#http_authentication[`http_authentication`] settings.
+
+=== SCRAM Authentication
+
+If HTTP Proxy is configured to support SASL, you can provide the SCRAM username and password as part of the Basic Authentication header in your request. For example, to list topics as an authenticated user:
+
+[tabs]
+=====
+curl::
++
+--
+[,bash]
+----
+curl -s -u "<username>:<password>" "<host-address>:8082/topics"
+----
+
+--
+NodeJS::
++
+--
+[,javascript]
+----
+let options = {
+  auth: { username: "<username>", password: "<password>" },
+};
+
+axios
+  .get(`${base_uri}/topics`, options)
+  .then(response => console.log(response.data))
+  .catch(error => console.error(error));
+----
+
+--
+Python::
++
+--
+[,python]
+----
+auth = ("<username>", "<password>")
+res = requests.get(f"{base_uri}/topics", auth=auth).json()
+pretty(res)
+----
+
+--
+=====
+
+=== OIDC Authentication
+
+If HTTP Proxy is configured to support OIDC, you can provide an OIDC token in the Authorization header. For example:
+
+[tabs]
+=====
+curl::
++
+--
+[,bash]
+----
+curl -s -H "Authorization: Bearer <oidc-token>" "<host-address>:8082/topics"
+----
+
+--
+NodeJS::
++
+--
+[,javascript]
+----
+let options = {
+  headers: { Authorization: `Bearer <oidc-token>` },
+};
+
+axios
+  .get(`${base_uri}/topics`, options)
+  .then(response => console.log(response.data))
+  .catch(error => console.error(error));
+----
+
+--
+Python::
++
+--
+[,python]
+----
+headers = {"Authorization": "Bearer <oidc-token>"}
+res = requests.get(f"{base_uri}/topics", headers=headers).json()
+pretty(res)
+----
+
+--
+=====
+
+ifndef::env-cloud[]
+For details about configuring OIDC authentication, see xref:manage:security/authentication.adoc#oidc-http[OIDC Authentication].
+endif::[]
+
+ifndef::env-cloud[]
+== Generate a security report for HTTP Proxy
+
+Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including HTTP Proxy.
+
+include::manage:partial$security-report.adoc[]
+
+endif::[]
+
+
 == Use Swagger with HTTP Proxy
 
 You can use Swagger UI to test and interact with Redpanda HTTP Proxy endpoints.

modules/get-started/pages/release-notes/redpanda.adoc

@@ -41,6 +41,14 @@ Redpanda Schema Registry now supports an import mode that allows you to import e
 Starting with this release, import mode must be used when importing schemas. Read-write mode no longer allows specifying a schema ID and version when registering a schema.
 See xref:manage:schema-reg/schema-reg-api.adoc#set-schema-registry-mode[Use the Schema Registry API] for more information.
 
+== Security report
+
+You can now generate a security report for your Redpanda cluster using the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint. The report provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy).
+
+== Topic identifiers
+
+Redpanda v25.3 implements topic identifiers using 16 byte UUIDs as proposed in https://cwiki.apache.org/confluence/display/KAFKA/KIP-516%3A+Topic+Identifiers[KIP-516^].
+
 == Deprecations
 
 Several TLSv1.2 and TLSv1.3 cipher suites have been deprecated. See xref:upgrade:deprecated/index.adoc[Deprecated Features].

modules/manage/pages/cluster-maintenance/compaction-settings.adoc

@@ -154,6 +154,8 @@ If obtaining a complete snapshot of the log, including tombstone records, is imp
 
 On the other hand, if more frequent cleanup of tombstones is important for optimizing workloads and space management, consider setting a shorter tombstone retention, for example the typical default of 24 hours (86400000 ms).
 
+Compaction and tombstone removal are coordinated across replicas, preventing inconsistencies and ensuring that deleted records are properly recognized by all readers. As a result, tombstone removal on one replica may be delayed if another replica is stopped or lagging. 
+
 == Compaction policy settings
 
 The various cleanup policy settings rely on proper tuning of a cluster's compaction and retention policy options. The applicable settings are:

modules/manage/pages/schema-reg/schema-reg-api.adoc

@@ -1176,6 +1176,15 @@ The `serialized` format returns the Protobuf schema in its wire binary format in
 - For Protobuf, `serialized` and `ignore_extensions` are valid, but only `serialized` is currently supported; passing `ignore_extensions` returns a 501 Not Implemented error.
 - Cross-schema conditions such as `resolved` with Protobuf or `serialized` with Avro are ignored and the schema is returned in the default format.
 
+ifndef::env-cloud[]
+== Generate a security report for Schema Registry
+
+Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including Schema Registry.
+
+include::manage:partial$security-report.adoc[]
+
+endif::[]
+
 == Suggested reading
 ifndef::env-cloud[]
 * xref:manage:schema-reg/schema-reg-overview.adoc[]

modules/manage/pages/security/index.adoc

@@ -4,5 +4,6 @@
 :page-aliases: security:index.adoc, security:index/index.adoc
 :page-categories: Management, Security
 
+{description}
 
-NOTE: All concepts described in this section are compatible with Kafka and its client libraries and CLIs. This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks.
+This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks.

modules/manage/pages/use-admin-api.adoc

@@ -40,7 +40,6 @@ The base URL for all requests to the legacy endpoints is:
 http://<broker-address>:<admin-api-port>/v1/
 ```
 
-// TODO: Update link if necessary when v2 URLs are finalized
 For a full list of available endpoints, see the link:/api/doc/admin/v1/[Admin API Reference]. Select "v1" in the version selector to view legacy endpoints.
 
 ==== Example request

modules/manage/partials/authentication.adoc

@@ -1900,3 +1900,11 @@ redpanda:
       authentication_method: none
 ----
 endif::[]
+
+== Generate security report
+
+Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about current TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy).
+
+To generate a security report for your Redpanda cluster, run:
+
+include::manage:partial$security-report.adoc[]

modules/manage/partials/security-report.adoc

@@ -0,0 +1,92 @@
+.Input
+[source,bash]
+----
+curl 'http://localhost:9644/v1/security/report'
+----
+
+.View output
+[%collapsible]
+====
+[source,bash,role=no-copy]
+----
+{
+  "interfaces": {
+    "kafka": [
+      {
+        "name": "test_kafka_listener",
+        "host": "0.0.0.0",
+        "port": 9092,
+        "advertised_host": "0.0.0.0",
+        "advertised_port": 9092,
+        "tls_enabled": false,
+        "mutual_tls_enabled": false,
+        "authentication_method": "None",
+        "authorization_enabled": false
+      }
+    ],
+    "rpc": {
+      "host": "0.0.0.0",
+      "port": 33145,
+      "advertised_host": "127.0.0.1",
+      "advertised_port": 33145,
+      "tls_enabled": false,
+      "mutual_tls_enabled": false
+    },
+    "admin": [
+      {
+        "name": "test_admin_listener",
+        "host": "0.0.0.0",
+        "port": 9644,
+        "tls_enabled": false,
+        "mutual_tls_enabled": false,
+        "authentication_methods": [],
+        "authorization_enabled": false
+      }
+    ]
+  },
+  "alerts": [
+    {
+      "affected_interface": "kafka",
+      "listener_name": "test_kafka_listener",
+      "issue": "NO_TLS",
+      "description": "\"kafka\" interface \"test_kafka_listener\" is not using TLS. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "kafka",
+      "listener_name": "test_kafka_listener",
+      "issue": "NO_AUTHN",
+      "description": "\"kafka\" interface \"test_kafka_listener\" is not using authentication. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "kafka",
+      "listener_name": "test_kafka_listener",
+      "issue": "NO_AUTHZ",
+      "description": "\"kafka\" interface \"test_kafka_listener\" is not using authorization. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "rpc",
+      "issue": "NO_TLS",
+      "description": "\"rpc\" interface is not using TLS. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "admin",
+      "listener_name": "test_admin_listener",
+      "issue": "NO_TLS",
+      "description": "\"admin\" interface \"test_admin_listener\" is not using TLS. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "admin",
+      "listener_name": "test_admin_listener",
+      "issue": "NO_AUTHZ",
+      "description": "\"admin\" interface \"test_admin_listener\" is not using authorization. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "admin",
+      "listener_name": "test_admin_listener",
+      "issue": "NO_AUTHN",
+      "description": "\"admin\" interface \"test_admin_listener\" is not using authentication. This is insecure and not recommended."
+    }
+  ]
+}
+----
+====