.. _confluentsecurityplugins_schema_registry_security_quickstart:

Install and Configure the |sr| Security Plugin for |cp|
=======================================================

The Confluent security plugins are an extension to |cp| components. The security plugins are installed by default if you are using ZIP and TAR archives, but must be installed manually if you are using DEB or RPM packages.

The following JAR files must be available in the classpath of the |sr| deployment. The default location for the |sr| Security Plugins is:

.. codewithvars:: bash

   CONFLUENT_HOME/share/java/confluent-security/schema-registry/confluent-security-plugins-common-.jar
   CONFLUENT_HOME/share/java/confluent-security/schema-registry/confluent-schema-registry-security-plugin-.jar

This page explains how to install, activate, and configure these plugins.

.. important:: This software is available under a Confluent enterprise license. You can use this software for a 30-day trial period without a license key. If you are a subscriber, contact Confluent Support at support@confluent.io for more information.

.. _sr_security_plugin_activate:

Activate the Plugins
--------------------

After installation, you can activate the plugins by adding the following to the |sr| config file (``/etc/schema-registry/schema-registry.properties``).

.. codewithvars:: bash

   resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension

------------------------
resource.extension.class
------------------------

Fully qualified class name of a valid implementation of the ``SchemaRegistryResourceExtension`` interface. This can be used to inject user-defined resources such as filters, and is typically used to add custom capabilities like logging or security. (Use ``resource.extension.class`` instead of the deprecated ``schema.registry.resource.extension.class``.)

* Type: string
* Default: ""
* Importance: low

.. note::

   - ``resource.extension.class`` should be configured to enable the plugin.
   - ``ssl.client.authentication`` should be set to ``REQUESTED`` or ``REQUIRED`` to use a TLS authentication mechanism. See also :ref:`schemaregistry_config`.
   - ``inter.instance.protocol`` should be set to ``https``; otherwise all secondary-to-primary forwards will fail. See also :ref:`sr-https-additional` in the |sr| Security Overview. (``schema.registry.inter.instance.protocol`` is deprecated; use ``inter.instance.protocol`` instead.)
   - The X.500 principal from ``ssl.keystore.location`` is used for secondary-to-primary forwarding. This user requires super user access, so it should not be used for general |sr| access.

.. _sr_security_plugin_authentication_mechanisms:

Authentication Mechanisms
-------------------------

The authentication mechanism for incoming requests to |sr| is determined by the ``confluent.schema.registry.auth.mechanism`` config. Both TLS and Jetty authentication mechanisms are supported.

When using :ref:`Role Based Access Control` (|rbac|), |sr| expects HTTP Basic Auth (or token) credentials provided by the |sr| client for RBAC authorization. If you relied on TLS certificate authentication across |cp| before enabling and configuring RBAC, be aware that you must also provide Basic Auth credentials (such as an LDAP user) for |cp| components other than |ak|. More specifically, for |sr|, you must specify the bearer token for :ref:`http-basic-auth` and must include ``basic.auth.user.info`` and ``basic.auth.credentials.source``. For details about which authentication methods to use when using RBAC, refer to :ref:`rbac-authentication-options`.

Here is an example properties file for |sr| using mTLS authentication and |rbac|.

.. code:: properties

   listeners=https://sr:8081
   kafkastore.connection.url=node1:2181,node2:2181,node3:2181
   kafkastore.bootstrap.servers=node1:9093,node2:9093,node3:9093
   kafkastore.security.protocol=SASL_PLAINTEXT
   kafkastore.topic=_schemas
   debug=true
   # Loads the security plugin (schema.registry.resource.extension.class is deprecated)
   resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
   confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer
   confluent.schema.registry.auth.mechanism=SSL
   # Credentials the registry itself uses towards Kafka and the metadata server
   kafkastore.sasl.mechanism=OAUTHBEARER
   kafkastore.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
   kafkastore.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
      username="kafka" \
      password="secret" \
      metadataServerUrls="http://node1:8090";
   confluent.metadata.basic.auth.user.info=kafka:secret
   confluent.metadata.bootstrap.server.urls=http://node1:8090
   confluent.metadata.http.auth.credentials.provider=BASIC
   public.key.path=/opt/cp/current/certs/public.pem
   # Map the client certificate DN to a short principal name (first matching rule wins)
   confluent.schema.registry.auth.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/$1/L,DEFAULT
   ssl.client.authentication=REQUIRED
   ssl.client.auth=true
   ssl.keystore.location=/opt/cp/current/certs/sr.jks
   ssl.keystore.password=secret
   ssl.key.password=secret
   ssl.truststore.location=/opt/cp/current/certs/truststore.jks
   ssl.truststore.password=secret
   inter.instance.protocol=https
   kafkastore.ssl.endpoint.identification.algorithm=
   ssl.endpoint.identification.algorithm=
   rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler

If the authentication mechanism is not set, all requests are rejected with HTTP status code 403. See :ref:`Schema Registry Authorization` for details on how this authorization happens and how to configure it.
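The activation notes above are easy to get wrong in a long properties file (a deprecated key name, a stray second copy of a key, a forward protocol left at ``http``). The following added example, which is not Confluent's code, reads a properties file the way Java does (including backslash line continuations such as the JAAS entry above) and reports the conditions this page calls out: the security extension not loaded, ``ssl.client.authentication`` not ``REQUESTED``/``REQUIRED`` under TLS, ``inter.instance.protocol`` not ``https``, an unset auth mechanism (every request then gets 403), deprecated keys, duplicate keys, and an empty ``ssl.endpoint.identification.algorithm`` (hostname verification disabled). The two sample configurations embedded in it are constructed for the demonstration.

```python
"""Lint a Schema Registry properties file against the activation notes above.

Added example, not Confluent's code. The checks encode what this page states;
key names are the ones that appear on the page. The sample files below are
constructed for the demonstration.
"""

SECURITY_EXTENSION = (
    "io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension"
)
DEPRECATED_KEYS = {
    "schema.registry.resource.extension.class": "resource.extension.class",
    "schema.registry.inter.instance.protocol": "inter.instance.protocol",
}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' separators and
    backslash line continuations (leading whitespace of continued lines dropped).
    Returns (props, duplicate_keys); a repeated key keeps its last value."""
    props, duplicates, pending = {}, [], []
    for raw in text.splitlines():
        line = raw.lstrip() if pending else raw
        if line.rstrip().endswith("\\"):      # continuation: join with the next line
            pending.append(line.rstrip()[:-1])
            continue
        pending.append(line)
        entry = "".join(pending).strip()
        pending = []
        if not entry or entry[0] in "#!":
            continue
        key, _, value = entry.partition("=")
        key = key.strip()
        if key in props:
            duplicates.append(key)
        props[key] = value.strip()
    return props, duplicates


def lint(props, duplicates):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = [f"duplicate key '{k}' (last value wins)" for k in duplicates]
    for old, new in DEPRECATED_KEYS.items():
        if old in props:
            findings.append(f"'{old}' is deprecated; use '{new}'")
    extension = props.get("resource.extension.class",
                          props.get("schema.registry.resource.extension.class"))
    if extension != SECURITY_EXTENSION:
        findings.append("resource.extension.class does not load the security plugin")
    mechanism = props.get("confluent.schema.registry.auth.mechanism")
    if not mechanism:
        findings.append("auth mechanism not set: every request is rejected with HTTP 403")
    elif mechanism == "SSL" and props.get("ssl.client.authentication") not in ("REQUESTED", "REQUIRED"):
        findings.append("ssl.client.authentication must be REQUESTED or REQUIRED for TLS auth")
    protocol = props.get("inter.instance.protocol",
                         props.get("schema.registry.inter.instance.protocol"))
    if protocol != "https":
        findings.append("inter.instance.protocol is not https: secondary-to-primary forwards fail")
    if "ssl.endpoint.identification.algorithm" in props and not props["ssl.endpoint.identification.algorithm"]:
        findings.append("ssl.endpoint.identification.algorithm is empty: hostname verification is disabled")
    return findings


def lint_text(text):
    return lint(*parse_properties(text))


# Constructed sample: a trimmed version of the page's mTLS + RBAC example
CLEAN_CONFIG = """\
listeners=https://sr:8081
resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer
confluent.schema.registry.auth.mechanism=SSL
kafkastore.bootstrap.servers=node1:9093,node2:9093,node3:9093
kafkastore.security.protocol=SASL_PLAINTEXT
kafkastore.sasl.mechanism=OAUTHBEARER
kafkastore.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
    username="kafka" \\
    password="secret" \\
    metadataServerUrls="http://node1:8090";
ssl.client.authentication=REQUIRED
ssl.keystore.location=/opt/cp/current/certs/sr.jks
inter.instance.protocol=https
"""

# Constructed sample containing the mistakes the notes above warn about
BROKEN_CONFIG = """\
listeners=https://sr:8081
schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
confluent.schema.registry.auth.mechanism=SSL
ssl.client.authentication=NONE
kafkastore.topic=_schemas
kafkastore.topic=_schemas_v2
schema.registry.inter.instance.protocol=http
ssl.endpoint.identification.algorithm=
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"{name}: {lint_text(text) or ['ok']}")
```

Run it against a real file with ``lint_text(open(path).read())``; the clean sample yields no findings while the broken one yields six. The parser keeps the last value of a repeated key, which is also what Java does, so a duplicated key silently overrides whatever was set earlier in the file.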
.. include:: ../../includes/client-license.rst

.. _sr_security_plugin_configs:

Configuration
-------------

.. include:: ../../includes/license-ref.rst

-----------------
confluent.license
-----------------

Confluent will issue a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don't have a license key, contact Confluent Support at support@confluent.io.

* Type: string
* Default: ""
* Importance: high

------------------------------------------
confluent.schema.registry.authorizer.class
------------------------------------------

The implementation used to authorize |sr| requests. Must be an implementation of the ``SchemaRegistryAuthorizer`` interface.

* Type: string
* Default: ""
* Importance: high

.. include:: ../includes/configuration.rst
   :start-line: 2
   :end-line: 10

-------------------------------
confluent.topic.acl.super.users
-------------------------------

Semicolon-separated list of super users. Super user access is required for the global operations that do not involve a subject, such as reading or writing the global compatibility level. For example, ``admin1;admin2`` makes both ``admin1`` and ``admin2`` super users.

* Type: string
* Default: ""
* Importance: medium

----------------------------------------
confluent.schema.registry.auth.mechanism
----------------------------------------

The mechanism used to authenticate |sr| requests. The principal produced by the authentication mechanism is then used, optionally, for authorization by the configured authorizer.

* Type: string
* Default: "SSL"
* Importance: low

----------------------------------------------------------
confluent.schema.registry.auth.ssl.principal.mapping.rules
----------------------------------------------------------

Used for HTTPS. A list of rules for mapping the distinguished name (DN) from the client certificate to a short name.
The rules are evaluated in order and the first rule that matches a principal name is used to map it to a short name. Any later rules in the list are ignored. By default, the DN of the X.500 certificate is the principal. For details see :ref:`kafka-rest-security-propagation-ssl-sasl`.

* Type: list
* Default: "DEFAULT"
* Importance: low

Suggested Reading
-----------------

- :ref:`confluentsecurityplugins_schema_registry_authorization`
- :ref:`schemaregistry_rbac`
- :ref:`confluentsecurityplugins_sracl_authorizer`
- :ref:`confluentsecurityplugins_topicacl_authorizer`
- :ref:`schemaregistry_config`
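The ``confluent.schema.registry.auth.ssl.principal.mapping.rules`` and ``confluent.topic.acl.super.users`` settings described in the Configuration section above decide which short name a client certificate becomes and whether that name is a super user. The following added example is not Confluent's or Apache Kafka's code: it re-implements the ``RULE:<pattern>/<replacement>/[L|U]`` syntax on Python's ``re`` module (so Java-only regex constructs are unsupported, and patterns containing a comma are not handled by its splitter), applies the rules in order with the first match winning and ``DEFAULT`` keeping the whole DN, and then checks the result against a semicolon-separated super user list. The rules string is the one from the example properties file on this page; the DNs and the super user list are constructed.

```python
"""Evaluate the SSL principal mapping rules and the super user list as this
page describes them.

Added example, not Confluent's or Apache Kafka's code. The rules string is the
one from the page's example properties file; DNs and super users are constructed.
"""
import re

# RULE:<pattern>/<replacement>[/L|/U]; a pattern that itself contains '/' is not handled here
RULE_RE = re.compile(r"^RULE:(?P<pat>.+?)/(?P<rep>.*?)(?:/(?P<case>[LU]))?$")


def parse_rules(spec):
    """Split the comma-separated rules list into compiled rules (None = DEFAULT).
    Simplification: patterns that contain a comma are not supported."""
    rules = []
    for entry in (e.strip() for e in spec.split(",")):
        if entry == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.match(entry)
        if not m:
            raise ValueError(f"malformed rule: {entry!r}")
        # Java-style $1 back-references become Python's \g<1>
        replacement = re.sub(r"\$(\d+)", r"\\g<\1>", m["rep"])
        rules.append((re.compile(m["pat"]), replacement, m["case"]))
    return rules


def map_principal(dn, rules):
    """Return the short name for a certificate DN; the first matching rule wins."""
    for rule in rules:
        if rule is None:                       # DEFAULT: the full DN is the principal
            return dn
        pattern, replacement, case = rule
        if pattern.fullmatch(dn):
            short = pattern.sub(replacement, dn)
            if case == "L":
                return short.lower()
            if case == "U":
                return short.upper()
            return short
    raise ValueError(f"no mapping rule matched {dn!r}")


def is_super_user(principal, super_users):
    """confluent.topic.acl.super.users is semicolon separated, e.g. 'admin1;admin2'."""
    return principal in {u.strip() for u in super_users.split(";") if u.strip()}


PAGE_RULES = "RULE:^CN=([a-zA-Z0-9.]*).*$/$1/L,DEFAULT"   # rule from the page's example

if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    for dn in ("CN=sr.example.com,OU=Eng,O=Example",   # constructed DNs
               "CN=SRClient1,O=Example",
               "CN=sr-node-1,O=Example",                # '-' is outside the CN character class
               "OU=Eng,O=Example"):                     # no CN= prefix: falls through to DEFAULT
        principal = map_principal(dn, rules)
        print(f"{dn!r:45} -> {principal!r}  super={is_super_user(principal, 'admin1;sr.example.com')}")
```

The third constructed DN shows a caveat worth checking before deploying a rule: the page's pattern only captures ``[a-zA-Z0-9.]`` characters, so ``CN=sr-node-1`` is mapped to ``sr``, and two certificates whose CNs share a prefix before the first hyphen would collide on the same principal. Widening the character class (for example adding ``-``) keeps distinct certificates as distinct principals.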