Schema Registry

About the Schema Registry

The Schema Registry provides client applications with the Avro schemas available in a specific tenant.

The Schema Registry is always connected to a single Kafka Broker in the same cluster to allow for clusters to have different tenant/instance isolation patterns.

Enabling authentication

Schema Registry supports two types of client authentication: Basic authentication (username and password) and Mutual TLS (client certificate) authentication.

Both Basic and Mutual TLS authentication can be enabled at the same time. The scenarios below describe how clients are authenticated when both options are enabled.

  • If mTLS is enabled and set to NEED, the client is authenticated using mTLS only.

  • If mTLS is enabled and set to WANT and the client provides a certificate when connecting to the Schema Registry, the client is authenticated using mTLS.

  • If mTLS is set to WANT and the client does not provide a certificate when connecting to the Schema Registry, the client is authenticated using Basic authentication.

Enabling Basic authentication

If SASL is enabled, you can enable basic authentication. In this approach each connection to the SSL endpoint must provide a valid username and password. This is disabled by default, but can be activated per cluster.

See the Deployment page for more information about the different service types, like cluster and instance services.

Using Axual CLI

Add or modify the following configuration in the Schema Registry config file for the tenant instance.

platform-config/tenants/{tenant-name}/instances/{instance-name}/schema-registry.sh
# Disables Basic auth for cluster cluster1 and enables it for the cluster cluster2. These clusters are defined in this config as well
SR_SLAVE_BASIC_AUTH_ENABLED=cluster1:false,cluster2:true

# Instance-api url
SR_SLAVE_CLIENT_AUTH_SERVICE_URL="https://<hostname>:<port>/credentials/authorize"
# Auth service SSL enabled
SR_SLAVE_CLIENT_AUTH_SERVICE_SECURITY_ENABLED=true
# Auth service keystore location inside the container
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_KEYSTORE="/security/client.keystore.jks"
# Auth service keystore password
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_KEYSTORE_PASSWORD="password"
# Auth service key password (the private key inside the keystore)
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_KEY_PASSWORD="password"
# Auth service truststore location inside the container
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_TRUSTSTORE="/security/client.truststore.jks"
# Auth service truststore password
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_TRUSTSTORE_PASSWORD="password"

You need to add the Schema Registry client certificate CN to the Instance-API config INSTANCE_API_AUTHORIZED_CNS so that the Schema Registry can access the Instance-API for authentication.

Example, assuming the Schema Registry CN is Axual Local Schema Registry Client:

INSTANCE_API_AUTHORIZED_CNS="'Interservice Client, Axual Local Discovery API Client, Axual Local Schema Registry Client'"

Using Axual Helm Charts

Open the values.yaml for your instance, add the following configuration and apply the update.

platform:
  instance:
    schemaregistry:
      security:
        slave:
          basicAuth:
            enabled: false
            # Override Instance API URL if it runs outside the K8S cluster
            # instanceApiUrlOverride: ""

            # SSL config used to interact with Instance API
            ssl:
              enabled: true
              clientKeystore: "/u3+7QAAAAIAAAABAAAAAQAh..."
              clientKeyPassword: password
              clientKeystorePassword: password
              clientTruststore: "/u3+7QAAAAIAAAAFAAAAAgA..."
              clientTruststorePassword: password

You need to add the Schema Registry client certificate CN to the Instance-API config security.authorizedDns so that the Schema Registry can access the Instance-API for authentication.

Example, assuming the Schema Registry CN is Axual Local Schema Registry Client:

platform:
  instance:
    instanceapi:
      security:
        enabled: true
        authorizedDns: "Interservice Client, Axual Local Discovery API Client, Axual Local Schema Registry Client"

Enabling authentication with a client certificate (Mutual TLS)

The Schema Registry has support for authentication with Mutual TLS. In this approach each connection to the SSL endpoint must provide a client certificate signed by a certificate authority trusted in the instance. This is disabled by default, but can be activated per cluster.

See the Deployment page for more information about the different service types, like cluster and instance services.

Using Axual CLI

Add or modify the following configuration in the Schema Registry config file for the tenant instance.

platform-config/tenants/{tenant-name}/instances/{instance-name}/schema-registry.sh
# Disables mTLS for cluster cluster1 and enables it for the cluster cluster2. These clusters are defined in this config as well
SR_SLAVE_SSL_CLIENT_AUTH=cluster1:false,cluster2:true
# This property only takes effect for clusters where SR_SLAVE_SSL_CLIENT_AUTH is enabled.
# It defines whether SSL client authentication is NEED or WANT. Possible values: true and false.
# true means NEED (a client certificate is required), false means WANT (a client certificate is requested but optional).
SR_SLAVE_SSL_CLIENT_AUTH_NEED=cluster1:false,cluster2:true

Using Axual Helm Charts

Open the values.yaml for your instance, add the following configuration and apply the update.

platform:
  instance:
    schemaregistry:
      tls:
        slave:
          clientAuth: true
          clientAuthNeed: true

TLS Protocols and Cipher Suites

Want to enable other TLS protocol versions and cipher suites?

From 2021.3, Schema Registry master and slave only accept TLSv1.2 connections by default.
TLSv1.0 and TLSv1.1 are deprecated due to known security vulnerabilities.

If the broker is configured to use old TLS protocols (such as TLSv1 or TLSv1.1) and not TLSv1.2, the Schema Registry connection will fail.
In this case, make sure the configs SR_MASTER_CLIENT_SSL_PROTOCOLS and SR_SLAVE_CLIENT_SSL_PROTOCOLS (used for the connection to the brokers) include a protocol version the broker supports.

If you still need to enable old TLS protocol versions, set the configuration described below:

Using Axual CLI

Add or modify the following configuration in the Schema Registry config file for the tenant instance.

platform-config/tenants/{tenant-name}/instances/{instance-name}/schema-registry.sh
# Schema Registry Master
# Leave blank to use Jetty’s defaults.
SR_MASTER_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites. By default empty to use Jetty’s defaults.
SR_MASTER_SERVER_SSL_CIPHER_SUITES=
# Protocols enabled for SSL connections to Kafka.
SR_MASTER_CLIENT_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
# If not configured, all the available cipher suites are supported.
SR_MASTER_CLIENT_SSL_CIPHER_SUITES=

# Schema Registry Slave
# Leave blank to use Jetty’s defaults.
SR_SLAVE_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites. By default empty to use Jetty’s defaults.
SR_SLAVE_SERVER_SSL_CIPHER_SUITES=
# Protocols enabled for SSL connections to Kafka.
SR_SLAVE_CLIENT_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
# If not configured, all the available cipher suites are supported.
SR_SLAVE_CLIENT_SSL_CIPHER_SUITES=
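As an added example (not Axual's own tooling), the checker below reads a schema-registry.sh-style config, derives the effective client authentication per cluster from the SR_SLAVE_BASIC_AUTH_ENABLED, SR_SLAVE_SSL_CLIENT_AUTH and SR_SLAVE_SSL_CLIENT_AUTH_NEED settings described above, and flags any *_SSL_PROTOCOLS value that re-enables TLSv1 or TLSv1.1. The sample config is constructed; the rule that a cluster with neither mTLS nor Basic auth has no client authentication is an assumption drawn from both features being disabled by default.

```python
# Added example, not Axual's own tooling: audit a schema-registry.sh config for the
# effective client authentication per cluster and for legacy TLS protocol versions.

# Constructed sample of the settings discussed on this page, not a real deployment.
SAMPLE_CONFIG = """
SR_SLAVE_BASIC_AUTH_ENABLED=cluster1:false,cluster2:true
SR_SLAVE_SSL_CLIENT_AUTH=cluster1:false,cluster2:true
SR_SLAVE_SSL_CLIENT_AUTH_NEED=cluster1:false,cluster2:true
SR_SLAVE_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
SR_SLAVE_CLIENT_SSL_PROTOCOLS=
"""
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated, per this page

def parse_config(text):
    """Read shell-style KEY=VALUE lines, dropping comments and surrounding quotes."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf

def parse_cluster_flags(value):
    """'cluster1:false,cluster2:true' -> {'cluster1': False, 'cluster2': True}."""
    flags = {}
    for item in filter(None, (i.strip() for i in value.split(","))):
        cluster, _, flag = item.partition(":")
        flags[cluster.strip()] = flag.strip().lower() == "true"
    return flags

def effective_auth(conf):
    """Per cluster: mTLS mode (NEED, WANT or off) and whether Basic auth is on."""
    basic = parse_cluster_flags(conf.get("SR_SLAVE_BASIC_AUTH_ENABLED", ""))
    mtls = parse_cluster_flags(conf.get("SR_SLAVE_SSL_CLIENT_AUTH", ""))
    need = parse_cluster_flags(conf.get("SR_SLAVE_SSL_CLIENT_AUTH_NEED", ""))
    result = {}
    for cluster in sorted(set(basic) | set(mtls) | set(need)):
        # The NEED flag only takes effect when mTLS is enabled for that cluster.
        mode = ("NEED" if need.get(cluster) else "WANT") if mtls.get(cluster) else "off"
        result[cluster] = {"mtls": mode, "basic": basic.get(cluster, False)}
    return result

def find_issues(conf):
    """Clusters with neither mTLS nor Basic auth (assumption: unauthenticated), and legacy TLS."""
    issues = [f"{c}: no client authentication configured"
              for c, a in effective_auth(conf).items()
              if a["mtls"] == "off" and not a["basic"]]
    for key, value in conf.items():
        legacy = LEGACY_PROTOCOLS & {p.strip() for p in value.split(",")}
        if key.endswith("_SSL_PROTOCOLS") and legacy:
            issues.append(f"{key}: legacy protocols enabled {sorted(legacy)}")
    return issues
```

Running find_issues(parse_config(SAMPLE_CONFIG)) reports cluster1 as having no client authentication and the slave server protocol list as re-enabling TLSv1 and TLSv1.1.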

Using Axual Helm Charts

Edit the values.yaml for your instance and add the following configuration

platform:
  instance:
    schemaregistry:
      security:
        slave:
          server:
            # Leave blank to use Jetty’s defaults.
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
            cipherSuites:
          client:
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
            # If not configured, all the available cipher suites are supported.
            cipherSuites:
        master:
          server:
            # Leave blank to use Jetty’s defaults.
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
            cipherSuites:
          client:
            protocols: TLSv1.2,TLSv1.1,TLSv1
            # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
            # If not configured, all the available cipher suites are supported.
            cipherSuites: