Schema Registry

About the Schema Registry

The Schema Registry provides client applications with the Avro schemas available in a specific tenant.

The Schema Registry is always connected to a single Kafka Broker in the same cluster to allow for clusters to have different tenant/instance isolation patterns.

Enabling authentication

Schema Registry supports two types of authentication

Basic authentication
Mutual TLS

Both Basic and Mutual TLS authentication can be enabled at the same time. Below are the scenarios how clients will be authenticated if both options are enabled.

If mTLS is enabled and set to NEED, client will be authenticated using mTLS only.
If mTLS is enabled and set to WANT and during connection to Schema Registry client provides the certificates, then client will be authenticated using mTLS.
If mTLS is set to WANT and during connection to Schema Registry client don’t provide certificates, then client will be authenticated using Basic authentication.

Enabling Basic authentication

If SASL is enabled, you can enable basic authentication. In this approach each connection to the SSL endpoint must provide a valid username and password. This is disabled by default, but can be activated per cluster.

See the Deployment page for more information about the different service types, like cluster and instance services.

Using Axual Helm Charts

Open the values.yaml for your instance and add the following configuration and update

platform:
    instance:
      schemaregistry:
        security:
          slave:
            basicAuth:
              enabled: false
              # Override Instance API URL if it runs outside the K8S cluster
              # instanceApiUrlOverride: ""

              # SSL config used to interact with Instance API
              ssl:
                enabled: true
                clientKeystore: "/u3+7QAAAAIAAAABAAAAAQAh..."
                clientKeyPassword: password
                clientKeystorePassword: password
                clientTruststore: "/u3+7QAAAAIAAAAFAAAAAgA..."
                clientTruststorePassword: password

You need to add Schema Registry client certificate CN to Instance-API config security.authorizedDns so that Schema Registry can access Instance-API for authentication.

Example: Assuming Schema Registry CN is Axual Local Schema Registry Client

platform:
  instance:
    instanceapi:
      security:
        enabled: true
        authorizedDns: "Interservice Client, Axual Local Discovery API Client, Axual Local Schema Registry Client"

Enabling authentication with a client certificate (Mutual TLS)

The Schema Registry has support for authentication with Mutual TLS. In this approach each connection to the SSL endpoint must provide a client certificate signed by a certificate authority trusted in the instance. This is disabled by default, but can be activated per cluster.

See the Deployment page for more information about the different service types, like cluster and instance services.

Using Axual Helm Charts

Open the values.yaml for your instance and add the following configuration and update

platform:
    instance:
      schemaregistry:
        tls:
          slave:
            clientAuth: true
            clientAuthNeed: true

TLS Protocols and Cipher Suites

Want to enable other TLS protocol versions and cipher suites?

From 2021.3, Schema Registry master and slave only accept TLSv1.2 connections by default.
TLSv1.0 and TLSv1.1 are deprecated due to known security vulnerabilities.

If broker is set to use old TLS protocols (like TLSv1 or TLSv1.1) and not TLSv1.2 the Schema Registry connection will fail.
In this case, make sure config SR_MASTER_CLIENT_SSL_PROTOCOLS and SR_SLAVE_CLIENT_SSL_PROTOCOLS (that is used to make connection to brokers) is enabled with broker supported protocol version.

If you still want to enable old TLS protocol versions, you can add it by setting a configuration as mentioned below:

Using Axual Helm Charts

Edit the values.yaml for your instance and add the following configuration

platform:
    instance:
      schemaregistry:
        security:
          slave:
            server:
              # Leave blank to use Jetty’s defaults.
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
              cipherSuites:
            client:
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
              # If not configured, all the available cipher suites are supported.
              cipherSuites:
          master:
            server:
              # Leave blank to use Jetty’s defaults.
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s defaults.
              cipherSuites:
            client:
              protocols: TLSv1.2,TLSv1.1,TLSv1
              # A comma-separated list of SSL cipher suites enabled for SSL connections to Kafka
              # If not configured, all the available cipher suites are supported.
              cipherSuites: