.. _confluentsecurityplugins_schema_registry_security_quickstart:

Install and Configure the |sr| Security Plugin
==============================================

.. include:: ../includes/install.rst
   :end-before: end-default-location

The following JAR files must be available in the classpath of the |sr| deployment. The default location for the |sr| Security Plugins is:

.. codewithvars:: bash

   /share/java/confluent-security/schema-registry/confluent-security-plugins-common-.jar
   /share/java/confluent-security/schema-registry/confluent-schema-registry-security-plugin-.jar

.. include:: ../includes/install.rst
   :start-after: end-default-location

.. _sr_security_plugin_activate:

Activate the Plugins
--------------------

After installation, you can activate the plugins by adding the following to the |sr| config file (``/etc/schema-registry/schema-registry.properties``).

.. codewithvars:: bash

   resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension

------------------------
resource.extension.class
------------------------

Fully qualified class name of a valid implementation of the ``SchemaRegistryResourceExtension`` interface. This can be used to inject user-defined resources such as filters, and is typically used to add custom capabilities like logging or security. (Use ``resource.extension.class`` instead of the deprecated ``schema.registry.resource.extension.class``.)

* Type: string
* Default: ""
* Importance: low

.. note::

   - ``resource.extension.class`` must be configured to enable the plugin.
   - ``ssl.client.auth`` must be set to ``true`` to use the SSL auth mechanism.
   - ``inter.instance.protocol`` must be set to ``https``, otherwise all secondary-to-primary forwards will fail. See also :ref:`sr-https-additional` in the |sr| Security Overview. (``schema.registry.inter.instance.protocol`` is deprecated; use ``inter.instance.protocol`` instead.)
   - The X500 principal from ``ssl.keystore.location`` is used for secondary-to-primary forwarding. This user requires super user access, so it should not be used for general |sr| access.

.. _sr_security_plugin_authentication_mechanisms:

Authentication Mechanisms
-------------------------

The authentication mechanism for incoming requests to |sr| is determined by the ``confluent.schema.registry.auth.mechanism`` config. Both SSL and Jetty authentication mechanisms are supported.

For :ref:`Role Based Access Control`, use Jetty as the authentication mechanism by setting the following in the |sr| config:

``confluent.schema.registry.auth.mechanism=JETTY_AUTH``

To use the SSL mechanism for authentication, set ``ssl.client.auth`` to ``true`` in the |sr| config. With the SSL authentication mechanism, the incoming X500 principal from the client certificate is used as the principal for authorizing the |sr| requests.

If the authentication mechanism is not set, all requests are rejected with an HTTP 403 error code.

See :ref:`Schema Registry Authorization` for details on how this authorization happens and how to configure it.

.. _sr_security_plugin_configs:

Configuration
-------------

-----------------
confluent.license
-----------------

Confluent will issue a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don't have a license key, please contact Confluent Support at support@confluent.io.

* Type: string
* Default: ""
* Importance: high

------------------------------------------
confluent.schema.registry.authorizer.class
------------------------------------------

The implementation used to authorize |sr| requests. Needs to be an implementation of the ``SchemaRegistryAuthorizer`` interface.

* Type: string
* Default: ""
* Importance: high

.. include:: ../includes/configuration.rst
   :start-line: 2
   :end-line: 10

-------------------------------
confluent.topic.acl.super.users
-------------------------------

Semicolon-separated list of users who are super users. One needs to be a super user to perform the global operations that don't involve a subject, such as reading or writing compatibility. For example, ``admin1;admin2`` would make both admin1 and admin2 super users.

* Type: string
* Default: ""
* Importance: medium

----------------------------------------
confluent.schema.registry.auth.mechanism
----------------------------------------

The mechanism used to authenticate |sr| requests. The principal from the authentication mechanism is then used to optionally authorize the request using a configured authorizer.

* Type: string
* Default: "SSL"
* Importance: low

----------------------------------------------------------
confluent.schema.registry.auth.ssl.principal.mapping.rules
----------------------------------------------------------

Used for HTTPS. A list of rules for mapping the distinguished name (DN) from the client certificate to a short name. The rules are evaluated in order and the first rule that matches a principal name is used to map it to a short name; any later rules in the list are ignored. By default, the DN of the X.500 certificate is the principal. For details see :ref:`kafkarest_config_ssl_user_name`.

* Type: list
* Default: "DEFAULT"
* Importance: low

Suggested Reading
-----------------

- :ref:`confluentsecurityplugins_schema_registry_authorization`
- :ref:`schemaregistry_rbac`
- :ref:`confluentsecurityplugins_sracl_authorizer`
- :ref:`confluentsecurityplugins_topicacl_authorizer`
- :ref:`schemaregistry_config`
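The settings above interact (plugin activation, ``ssl.client.auth`` under the SSL mechanism, HTTPS for forwarding, deprecated key names, the semicolon-separated super user list), so a misconfigured file fails at runtime rather than at startup. The following is an added Python example, not part of the Confluent plugin or its documentation, that lints a properties file against those rules; the properties content is constructed.

```python
"""Lint a Schema Registry properties file for the security-plugin settings.
Added example; SAMPLE_PROPERTIES below is a constructed, deliberately flawed file."""

SAMPLE_PROPERTIES = """
listeners=https://0.0.0.0:8081
resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
confluent.schema.registry.auth.mechanism=SSL
ssl.client.auth=false
schema.registry.inter.instance.protocol=https
confluent.schema.registry.authorizer.class=
confluent.topic.acl.super.users=admin1;admin2
"""

# Deprecated key -> replacement, as listed on this page.
DEPRECATED = {
    "schema.registry.resource.extension.class": "resource.extension.class",
    "schema.registry.inter.instance.protocol": "inter.instance.protocol",
}

def parse_properties(text):
    """Minimal Java .properties parser: key=value per line, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint(props):
    """Return findings as strings; an empty list means the file satisfies the page's rules."""
    findings = []
    for old, new in DEPRECATED.items():
        if old in props:
            findings.append(f"{old} is deprecated; use {new}")
            props.setdefault(new, props[old])  # the old key still carries the value in force
    if not props.get("resource.extension.class"):
        findings.append("resource.extension.class is unset: the security plugin is not activated")
    mechanism = props.get("confluent.schema.registry.auth.mechanism", "SSL")  # page default
    if mechanism == "SSL" and props.get("ssl.client.auth", "").lower() != "true":
        findings.append("SSL auth mechanism selected but ssl.client.auth is not true")
    if props.get("inter.instance.protocol") != "https":
        findings.append("inter.instance.protocol is not https: secondary-to-primary forwards will fail")
    if not props.get("confluent.schema.registry.authorizer.class"):
        findings.append("confluent.schema.registry.authorizer.class is unset: no authorizer will run")
    return findings

def super_users(props):
    """Split the semicolon-separated super user list, dropping empty entries."""
    return [u.strip() for u in props.get("confluent.topic.acl.super.users", "").split(";") if u.strip()]
```

Run against the sample, the linter reports the deprecated forwarding key, the false ``ssl.client.auth`` and the empty authorizer class, while the super user list parses to ``admin1`` and ``admin2``.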