Schema Registry
About the Schema Registry
The Schema Registry provides client applications with the Avro schemas available in a specific tenant.
The Schema Registry is always connected to a single Kafka Broker in the same cluster to allow for clusters to have different tenant/instance isolation patterns.
Enabling authentication
Schema Registry supports two types of authentication: Basic authentication and authentication with a client certificate (Mutual TLS).
| Both  
 | 
Enabling Basic authentication
If SASL is enabled, you can enable basic authentication. In this approach each connection to the SSL endpoint must provide a valid username and password. This is disabled by default, but can be activated per cluster.
| See the Deployment page for more information about the different service types, like cluster and instance services. | 
Using Axual CLI
Add or modify the following configuration in the Schema Registry config file for the tenant instance.
# Disables Basic auth for cluster cluster1 and enables it for the cluster cluster2. These clusters are defined in this config as well
SR_SLAVE_BASIC_AUTH_ENABLED=cluster1:false,cluster2:true
# Instance-api url
SR_SLAVE_CLIENT_AUTH_SERVICE_URL="https://<hostname>:<port>/credentials/authorize"
# Auth service SSL enabled
SR_SLAVE_CLIENT_AUTH_SERVICE_SECURITY_ENABLED=true
# Auth service keystore location inside the container
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_KEYSTORE="/security/client.keystore.jks"
# Auth service keystore password
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_KEYSTORE_PASSWORD="password"
# Auth service key password
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_KEY_PASSWORD="password"
# Auth service truststore location inside the container
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_TRUSTSTORE="/security/client.truststore.jks"
# Auth service truststore password
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_TRUSTSTORE_PASSWORD="password"
| You need to add  Example: Assuming Schema Registry   | 
Using Axual Helm Charts
Open the values.yaml for your instance and add the following configuration and update
platform:
    instance:
      schemaregistry:
        security:
          slave:
            basicAuth:
              enabled: false
              # Override Instance API URL if it runs outside the K8S cluster
              # instanceApiUrlOverride: ""
              # SSL config used to interact with Instance API
              ssl:
                enabled: true
                clientKeystore: "/u3+7QAAAAIAAAABAAAAAQAh..."
                clientKeyPassword: password
                clientKeystorePassword: password
                clientTruststore: "/u3+7QAAAAIAAAAFAAAAAgA..."
                clientTruststorePassword: password
| You need to add  Example: Assuming Schema Registry   | 
Enabling authentication with a client certificate (Mutual TLS)
The Schema Registry has support for authentication with Mutual TLS. In this approach each connection to the SSL endpoint must provide a client certificate signed by a certificate authority trusted in the instance. This is disabled by default, but can be activated per cluster.
| See the Deployment page for more information about the different service types, like cluster and instance services. | 
Using Axual CLI
Add or modify the following configuration in the Schema Registry config file for the tenant instance.
# Disables mTLS for cluster cluster1 and enables it for the cluster cluster2. These clusters are defined in this config as well
SR_SLAVE_SSL_CLIENT_AUTH=cluster1:false,cluster2:true
# If SR_SLAVE_SSL_CLIENT_AUTH is enabled then only this property will be in effect.
# This is used to define whether SSL client authentication is NEED or WANT. Possible values: true and false.
# If true, it means NEED; otherwise WANT.
SR_SLAVE_SSL_CLIENT_AUTH_NEED=cluster1:false,cluster2:true
TLS Protocols and Cipher Suites
Want to enable other TLS protocol versions and cipher suites?
| From  | 
| If broker is set to use old TLS protocols (like  | 
If you still want to enable old TLS protocol versions, you can add them by setting the configuration shown below:
Using Axual CLI
Add or modify the following configuration in the Schema Registry config file for the tenant instance.
# Schema Registry Master
# Leave blank to use Jetty’s defaults.
SR_MASTER_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites. By default empty to use Jetty’s defaults.
SR_MASTER_SERVER_SSL_CIPHER_SUITES=
# Protocols enabled for SSL connections to Kafka.
SR_MASTER_CLIENT_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
# If not configured, all the available cipher suites are supported.
SR_MASTER_CLIENT_SSL_CIPHER_SUITES=
# Schema Registry Slave
# Leave blank to use Jetty’s defaults.
SR_SLAVE_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites. By default empty to use Jetty’s defaults.
SR_SLAVE_SERVER_SSL_CIPHER_SUITES=
# Protocols enabled for SSL connections to Kafka.
SR_SLAVE_CLIENT_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
# A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
# If not configured, all the available cipher suites are supported.
SR_SLAVE_CLIENT_SSL_CIPHER_SUITES=
Using Axual Helm Charts
Edit the values.yaml for your instance and add the following configuration
platform:
    instance:
      schemaregistry:
        security:
          slave:
            server:
              # Leave blank to use Jetty’s defaults.
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
              cipherSuites:
            client:
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
              # If not configured, all the available cipher suites are supported.
              cipherSuites:
          master:
            server:
              # Leave blank to use Jetty’s defaults.
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
              cipherSuites:
            client:
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
              # If not configured, all the available cipher suites are supported.
              cipherSuites:
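Added example, not part of the Axual documentation or tooling: a small audit of a config file in the Axual CLI format shown on this page. It flags the legacy TLS versions from the protocol lists, the placeholder value "password", and clusters where client authentication is off or only WANT. The sample input is constructed, the function names are hypothetical, and the reading of WANT as "certificate requested but optional" is an assumption based on the usual Jetty meaning.

```python
LEGACY_TLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

# Constructed sample input, using the key names shown on this page.
SAMPLE = """
# tenant instance config (constructed)
SR_SLAVE_BASIC_AUTH_ENABLED=cluster1:false,cluster2:true
SR_SLAVE_CLIENT_AUTH_SERVICE_SSL_KEYSTORE_PASSWORD="password"
SR_SLAVE_SSL_CLIENT_AUTH=cluster1:false,cluster2:true
SR_SLAVE_SSL_CLIENT_AUTH_NEED=cluster1:false,cluster2:false
SR_SLAVE_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
SR_MASTER_SERVER_SSL_PROTOCOLS="TLSv1.2"
"""

def parse_config(text):
    """Read KEY=value lines, skipping comments and blanks; strip quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def per_cluster(value):
    """'cluster1:false,cluster2:true' -> {'cluster1': False, 'cluster2': True}"""
    pairs = (item.partition(":") for item in value.split(",") if item.strip())
    return {name.strip(): flag.strip().lower() == "true" for name, _, flag in pairs}

def audit(text):
    """Return (subject, finding) tuples for weak settings in the config."""
    cfg, findings = parse_config(text), []
    for key, value in cfg.items():
        if key.endswith("_SSL_PROTOCOLS"):
            legacy = sorted(LEGACY_TLS & {p.strip() for p in value.split(",")})
            if legacy:
                findings.append((key, "legacy protocols: " + ",".join(legacy)))
        elif key.endswith("_PASSWORD") and value == "password":
            findings.append((key, "placeholder password"))
    mtls = per_cluster(cfg.get("SR_SLAVE_SSL_CLIENT_AUTH", ""))
    need = per_cluster(cfg.get("SR_SLAVE_SSL_CLIENT_AUTH_NEED", ""))
    basic = per_cluster(cfg.get("SR_SLAVE_BASIC_AUTH_ENABLED", ""))
    for cluster in sorted(set(mtls) | set(need) | set(basic)):
        if mtls.get(cluster) and not need.get(cluster):
            # Assumption: WANT requests a client certificate but does not require it.
            findings.append((cluster, "mTLS is WANT: client certificate optional"))
        if not mtls.get(cluster) and not basic.get(cluster):
            findings.append((cluster, "no client authentication enabled"))
    return findings
```

Calling audit(SAMPLE) returns one finding per weak setting, so the result can be used as a gate before the config is deployed.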