.. _confluentsecurityplugins_schema_registry_security_quickstart:

Schema Registry Security Plugin Quick Start
===========================================

Installation
------------

The following jar files need to be available in the classpath of the Schema Registry deployment. They can be obtained by following the :ref:`Security Plugin Installation` instructions.

* ``confluent-security-plugins-common-.jar``
* ``confluent-schema-registry-security-plugin-.jar``
* ``confluent-licensing-.jar``

After installation, activate the plugins by adding the following setting to the Schema Registry config file:

.. sourcecode:: bash

    schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension

``schema.registry.resource.extension.class``
  Fully qualified class name of a valid implementation of the interface SchemaRegistryResourceExtension. This can be used to inject user-defined resources such as filters. It is typically used to add custom capabilities such as logging or security.

  * Type: string
  * Default: ""
  * Importance: low

.. note::

   - ``schema.registry.resource.extension.class`` should be configured to enable the plugin.
   - ``ssl.client.auth`` should be set to ``true`` to use the SSL auth mechanism.
   - ``schema.registry.inter.instance.protocol`` should be set to ``https``, otherwise all slave to master forwards will fail.
   - The X500 principal from ``ssl.keystore.location`` is used for slave to master forwarding. This user requires super user access, so it should not be used for general Schema Registry access.

Authentication Mechanisms
-------------------------

The authentication mechanism for incoming requests is determined by the ``confluent.schema.registry.auth.mechanism`` config. The only supported mechanism at present is ``SSL``. You must set ``ssl.client.auth`` to ``true`` in the Schema Registry config to use the SSL mechanism. Otherwise, all requests are rejected with an HTTP error code of 403.

When using ``SSL`` as the authentication mechanism, the incoming X500 principal from the client is used as the principal for authorizing the Schema Registry requests. The details of how the authorization happens and how it needs to be configured can be found in :ref:`Schema Registry Authorization`.

Configuration
-------------

``confluent.license``
  Confluent will issue a license key to each subscriber. The license key will be a short snippet of text that you can copy and paste. Without the license key, you can use Confluent Security Plugins for a 30-day trial period. If you are a subscriber and don't have a license key, please contact Confluent Support at support@confluent.io.

  * Type: string
  * Default: ""
  * Importance: high

``confluent.schema.registry.authorizer.class``
  The implementation used to authorize Schema Registry requests. Needs to be an implementation of the interface SchemaRegistryAuthorizer.

  * Type: string
  * Default: ""
  * Importance: high

.. include:: ../includes/configuration.rst

``confluent.topic.acl.super.users``
  Semicolon-separated list of super users. A user must be a super user to perform global operations that don't involve a subject, such as reading or writing compatibility. For example, ``admin1;admin2`` makes both admin1 and admin2 super users.

  * Type: string
  * Default: ""
  * Importance: medium

``confluent.schema.registry.auth.mechanism``
  The mechanism used to authenticate Schema Registry requests. The principal from the authentication mechanism is then used to optionally authorize using a configured authorizer.

  * Type: string
  * Default: "SSL"
  * Importance: low
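
The settings required by the note in the Installation section and by the Authentication Mechanisms section can be checked before deployment. The following is an added example, not part of the plugin or of Confluent's tooling: a small Python lint over a Schema Registry properties file. The function names, finding texts, sample configs and keystore path are assumptions made for the example.

```python
# Added example: the finding texts and function names are this example's own.
EXTENSION = ("io.confluent.kafka.schemaregistry.security."
             "SchemaRegistrySecurityResourceExtension")

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_properties(text)
    findings = []
    if EXTENSION not in p.get("schema.registry.resource.extension.class", ""):
        findings.append("security plugin not enabled")
    # The mechanism defaults to "SSL", the only supported value.
    if p.get("confluent.schema.registry.auth.mechanism", "SSL") != "SSL":
        findings.append("unsupported auth mechanism")
    if p.get("ssl.client.auth", "").lower() != "true":
        findings.append("ssl.client.auth not true: requests rejected with 403")
    if p.get("schema.registry.inter.instance.protocol", "") != "https":
        findings.append("inter-instance protocol not https: forwards will fail")
    if not p.get("ssl.keystore.location"):
        findings.append("no keystore: no X500 principal for forwarding")
    return findings

# Constructed sample configs (the keystore path is a placeholder).
GOOD = """
schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
ssl.client.auth=true
schema.registry.inter.instance.protocol=https
ssl.keystore.location=/path/to/keystore.jks
"""
BAD = """
# plugin enabled, but SSL client auth and https forwarding forgotten
schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
schema.registry.inter.instance.protocol=http
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(cfg) or "ok")
```

The lint only reads the properties file; it does not open the keystore, so confirming that the forwarding principal is kept separate from general client access remains a manual check.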