Configuration Reference for Schema Registry Clients on Confluent Platform¶

This section contains configuration options for clients to Schema Registry. You can add these configurations as properties to producer and consumer client configuration files or on the command line for testing.

For examples of these options in use, see Avro, Protobuf, and JSON Schema in Formats, Serializers, and Deserializers for Schema Registry on Confluent Platform.

basic.auth.credentials.source¶

Specify how to pick the credentials for Basic authentication header. The supported values are URL, USER_INFO, and SASL_INHERIT.

Type: string
Default: “STATIC_TOKEN”
Importance: medium

URL - The user information is configured as part of the schema.registry.url configuration in the form of http://<username>:<password>@sr-host:<sr-port>

USER_INFO - The user information is configured using the below configuration.

basic.auth.user.info

Specify the user information for Basic authentication in the form of {username}:{password}.

Type: password
Default: “”
Importance: medium

SASL_INHERIT - Inherit the settings used by the Kafka client to communicate with the broker using SASL SCRAM or SASL PLAIN.

An example of using a credentials file to authenticate a consumer to Schema Registry is in Print schema IDs with command line consumer utilities.

For more examples and details on credentials files on both Confluent Cloud and Confluent Platform, see the Prerequisites sections in each of the “Test Drives” for the different schema formats:

schema.registry.url¶

Comma-separated list of URLs for Schema Registry instances.

Type: list
Default: null
Importance: high

basic.auth.user.info¶

Specifies the user info for basic authentication in the form of user:password.

Type: string
Default: “”
Importance: high

http.connect.timeout.ms¶

Specifies the HTTP connection timeout in milliseconds for the Schema Registry client. The default is 60000 milliseconds (60 seconds).

Type: int
Default: 60000
Valid Values: [0,…]
Importance: low

http.read.timeout.ms¶

Specifies the HTTP read timeout in milliseconds for the Schema Registry client.

Type: int
Default: 60000
Valid Values: [0,…]
Importance: low

bearer.auth.token¶

Specifies the bearer token to be used for authentication.

Type: password
Default: “”
Importance: medium

proxy.host¶

The hostname or address of the proxy server that will be used to connect to Schema Registry instances.

Type: string
Default: “”
Importance: low

proxy.port¶

The port number of the proxy server that will be used to connect to the Schema Registry instances.

Type: int
Default: “-1”
Importance: low

bearer.auth.issuer.endpoint.url¶

The HTTP(S)-based URL for the OAuth/OIDC identity provider which issues access tokens.

Type: string
Default: “null”
Importance: medium

bearer.auth.client.id¶

Client ID used to obtain client credentials grant from OAuth/OIDC identity provider.

Type: string
Default: “null”
Importance: medium

bearer.auth.client.secret¶

The client secret used to obtain client credentials grant from OAuth/OIDC identity provider.

Type: password
Default: “null”
Importance: medium

bearer.auth.scope¶

The access token scope used to obtain client credentials grant from OAuth/OIDC identity provider.

Type: string
Default: “null”
Importance: medium

bearer.auth.scope.claim.name¶

The OAuth claim for the scope is often named “scope”, but this optional setting can provider a different name for the scope included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.

Type: string
Default: “scope”
Importance: low

bearer.auth.sub.claim.name¶

The OAuth claim for the subject is often named “sub”, but this optional setting can provide a different name to use for the subject included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.

Type: string
Default: “sub”
Importance: low

bearer.auth.logical.cluster¶

An additional property that can be added in the request header to identify the logical cluster.

Type: string
Default: “null”
Importance: low

bearer.auth.identity.pool.id¶

Additional property that can be added in the request header to identify the principal ID for authorization.

Type: string
Default: “null”
Importance: medium

bearer.auth.cache.expiry.buffer.seconds¶

The amount of buffer time between expiration times of the OAuth token and corresponding cache which holds the token. Ideally you would want to get a new token before the current one expires. Legal values are between 0 and 3600 (1 hour); a default value of 300 (5 minutes) is used if no value is specified. This value is ignored if it exceeds the remaining lifetime of a token from the moment it is retrieved into Schema Registry.

Type: short
Default: “300”
Valid Values: [0, 3600]
Importance: low

bearer.auth.custom.provider.class¶

Custom class that will provide the token credential. Needs to implement the io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider interface.

Type: string
Default: “null”
Importance: medium

ssl.protocol¶

The SSL protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or later, or``TLSv1.2`` otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients will downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients will not use TLSv1.3 even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.

Type: string
Default: “TLSv1”
Importance: medium

ssl.provider¶

The name of the security provider used for SSL connections. Default value is the default security provider of the Java Virtual Machine (JVM).

Type: string
Default: “null”
Importance: medium

ssl.cipher.suites¶

A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. By default, all the available cipher suites are supported.

Type: list
Default: “null”
Importance: low

ssl.enabled.protocols¶

The comma-separated list of protocols enabled for SSL connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), clients and servers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2). To learn more, see ssl.protocol.

Type: list
Default: “TLSv1.2, TLSv1.3”
Importance: medium

ssl.keystore.type¶

The file format of the key store file. This is optional for client. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].

Type: string
Default: “JKS”
Importance: medium

ssl.keystore.key¶

Private key in the format specified by ssl.keystore.type. Default SSL engine factory supports only PEM format with PKCS#8 keys. If the key is encrypted, the key password must be specified using ssl.key.password.

ssl.keystore.certificate.chain¶

Certificate chain in the format specified by ssl.keystore.type. Default SSL engine factory supports only PEM format with a list of X.509 certificates

Type: password
Default: “null”
Importance: high

ssl.truststore.certificates¶

Trusted certificates in the format specified by ssl.truststore.type. Default SSL engine factory supports only PEM format with X.509 certificates.

Type: password
Default: “null”
Importance: high

ssl.keystore.location¶

The location of the key store file. This is optional for client and can be used for two-way authentication for client.

Type: string
Default: “null”
Importance: high

ssl.keystore.password¶

The store password for the key store file. This is optional for client and only needed if ssl.keystore.location is configured. Key store password is not supported for PEM format.

Type: password
Default: “null”
Importance: high

ssl.key.password¶

The password of the private key in the key store file or the PEM key specified in ssl.keystore.key.

Type: password
Default: “”
Importance: high

ssl.truststore.type¶

The file format of the trust store file. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].

Type: string
Default: “JKS”
Importance: medium

ssl.truststore.location¶

The location of the trust store file.

Type: string
Default: “null”
Importance: high

ssl.truststore.password¶

The password for the trust store file. If a password is not set, trust store file configured will still be used, but integrity checking is disabled. Trust store password is not supported for PEM format.

Type: password
Default: “null”
Importance: high

ssl.keymanager.algorithm¶

The algorithm used by key manager factory for SSL connections. The default value is the key manager factory algorithm configured for the JVM.

Type: string
Default: The trust manager factory algorithm configured for the Java Virtual Machine.
Importance: low

ssl.trustmanager.algorithm¶

The algorithm used by trust manager factory for SSL connections. Default value is the trust manager factory algorithm configured for the JVM.

Type: string
Default: The trust manager factory algorithm configured for the Java Virtual Machine.
Importance: low

ssl.endpoint.identification.algorithm¶

The endpoint identification algorithm to validate server hostname using server certificate.

Type: string
Default: “HTTPS”
Importance: low

ssl.secure.random.implementation¶

The SecureRandom PRNG implementation to use for SSL cryptography operations.

Type: string
Default: “null”
Importance: low

ssl.engine.factory.class¶

The class of type org.apache.kafka.common.security.auth.SslEngineFactory to provide SSLEngine objects. The default value is org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.

Type: class
Default: “null”
Importance: low