Manage Security for Confluent Cloud Schema Registry and Stream Catalog
Several levels and types of security configuration are available, and in some cases required, to work with Schema Registry in the Confluent Cloud environment. These are summarized below, with links out to the detail sections for each.
API keys for Schema Registry on Confluent Cloud
Confluent Cloud supports one Schema Registry per environment. To work with schemas on Confluent Cloud, you need an API key specific to Schema Registry. This is distinct from the API key used to create Kafka clusters in the same Confluent Cloud environment. Confluent Cloud uses the Schema Registry API keys to store schemas and route requests to the appropriate logical clusters.
Creating and working with API keys for Schema Registry is described in the Create an API Key for Confluent Cloud Schema Registry section of Quick Start for Schema Management on Confluent Cloud.
Additionally, the following sections provide more general information on managing access in Confluent Cloud:
RBAC for Schema Registry and Stream Catalog
Confluent Cloud Schema Registry and Stream Catalog support Role-Based Access Control (RBAC), which enables you to configure and manage access control to subjects and topics:
- RBAC for Schema Registry is described in Access control (RBAC) for Confluent Cloud Schema Registry.
- RBAC for Stream Catalog is described in Access control (RBAC) for Stream Catalog.
Use OAuth to authenticate clients to Schema Registry
The Schema Registry Java client module includes support for the OpenID Connect (OIDC) authentication protocol and OAuth 2.0. This enables these Java clients to use token credentials to authenticate with Confluent Cloud Schema Registry. You can use either a standard OAuth bearer token with a public OIDC server or a custom token provider paired with your own implementation.
For details on support for OAuth in the Schema Registry Java client and how to configure your clients, see Configure Schema Registry clients for OAuth.