Important
You are viewing documentation for an older version of Confluent Platform. For the latest, click here.
Install and Configure the Schema Registry Security Plugin¶
Install¶
Important
This software is available under a Confluent enterprise license. You can use this software for a 30-day trial period without a license key. If you are a subscriber, please contact Confluent Support at support@confluent.io for more information.
The Confluent security plugins are an extension to Confluent Platform components. The security plugins are installed by default if your using ZIP and TAR archives, but must be installed manually if you are using DEB or RPM packages.
The following JAR files must be available in the classpath of the Schema Registry deployment. The default location for the Schema Registry Security Plugins is:
<path-to-confluent>/share/java/schema-registry/confluent-security-plugins-common-<version>.jar
<path-to-confluent>/share/java/schema-registry/confluent-schema-registry-security-plugin-<version>.jar
<path-to-confluent>/share/java/schema-registry/confluent-licensing-<version>.jar
ZIP and TAR Archives¶
If you installed Confluent Platform by using ZIP or TAR archives, the security plugins are installed by
default and are located in <path-to-confluent>/share/java/
in the individual component directories.
Ubuntu and Debian¶
If you installed Confluent Platform in a Ubuntu or Debian environment, you must install the plugins separately with this command:
sudo apt-get update && sudo apt-get install confluent-security
RHEL and CentOS¶
If you installed Confluent Platform in a RHEL, CentOS, or Fedora-based environment, you must install the plugins separately with this command:
sudo yum install confluent-security
Activate the Plugins¶
After installation, the plugins can be activated by adding the following to the Schema Registry config file (e.g.
/etc/schema-registry/schema-registry.properties
)
schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
schema.registry.resource.extension.class
Fully qualified class name of a valid implementation of the interface SchemaRegistryResourceExtension. This can be used to inject user defined resources like filters. Typically used to add custom capability like logging, security, etc.
- Type: string
- Default: “”
- Importance: low
Note
schema.registry.resource.extension.class
should be configured to enable the pluginssl.client.auth
should be set totrue
to use SSL auth mechanismschema.registry.inter.instance.protocol
should be set tohttps
, otherwise all slave to master forwards will fail- The X500 principal from ssl.keystore.location is used for slave to master forwarding. This user requires super user access, so should not be used for general Schema Registry access.
Authentication Mechanisms¶
The authentication mechanism for the incoming requests is determined by the confluent.schema.registry.auth.mechanism
config. The only supported mechanism at present is SSL. You must
set the ssl.client.auth
to true in the Schema Registry config to use the SSL mechanism.
If not, all requests would be rejected with a HTTP error code of 403.
When using SSL as the authentication mechanism, the incoming X500 principal from the client is used as the principal for authorizing the Schema Registry requests. The details of how the authorization happens and how it needs to be configured can be found in Schema Registry Authorization
Configuration¶
confluent.license
Confluent will issue a license key to each subscriber. The license key will be a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, please contact Confluent Support at support@confluent.io.
- Type: string
- Default: “”
- Importance: high
confluent.schema.registry.authorizer.class
The implementation used to authorize Schema Registry requests. Needs to be an implementation of the interface SchemaRegistryAuthorizer.
- Type: string
- Default: “”
- Importance: high
confluent.schema.registry.acl.topic
The topic used to store ACLs for the Schema Registry operations. This is optional. If this configuration is used, the topic name is derived as
kafkastore.topic
and is suffixed with_acl
.- Type: string
- Default: “”
- Importance: medium
confluent.topic.acl.super.users
Semicolon separated list of users who can be super users. One needs to be a super user to perform all global operations that don’t involve a subject like read or write compatibility. For example
admin1;admin2
would make both admin1 and admin2 as super users.- Type: string
- Default: “”
- Importance: medium
confluent.schema.registry.auth.mechanism
The mechanism used to authenticate Schema Registry requests. The principal from the authentication mechanism is then used to optionally authorize using a configured authorizer.
- Type: string
- Default: “SSL”
- Importance: low