Configuration Reference for Schema Registry Clients on Confluent Platform
This section contains configuration options for clients to Schema Registry. You can add these configurations as properties to producer and consumer client configuration files or on the command line for testing.
For examples of these options in use, see Avro, Protobuf, and JSON Schema in Formats, Serializers, and Deserializers for Schema Registry on Confluent Platform.
schema.registry.url
Comma-separated list of URLs for Schema Registry instances.
Type: list
Default: null
Importance: high
max.retries
Maximum number of client retries.
Type: int
Default: 3
Valid Values: [0,…]
Importance: low
Tip
On Confluent Platform, the first versions with this functionality are 7.4.9, 7.5.8, 7.6.5, 7.7.3, 7.8.2, and 7.9.0. Post 7.9.0, this feature is included.
retries.wait.ms
Initial time in milliseconds the Schema Registry client will wait before the first retry. The default is 1000 milliseconds (1 second).
Type: int
Default: 1000
Valid Values: [0,…]
Importance: low
Tip
On Confluent Platform, the first versions with this functionality are 7.4.9, 7.5.8, 7.6.5, 7.7.3, 7.8.2, and 7.9.0. Post 7.9.0, this feature is included.
retries.max.wait.ms
Maximum time in milliseconds the Schema Registry client will wait before any retry. The default is 2000 milliseconds (2 seconds).
Type: int
Default: 2000
Valid Values: [0,…]
Importance: low
Tip
On Confluent Platform, the first versions with this functionality are 7.4.9, 7.5.8, 7.6.5, 7.7.3, 7.8.2, and 7.9.0. Post 7.9.0, this feature is included.
schema.registry.url.randomize
Whether to randomize the starting index of the Schema Registry URL list. This can help with load balancing if many Schema Registry clients are using a shared configuration with more than one server URL.
Type: boolean
Default: false
Importance: low
Tip
On Confluent Platform, the first versions with this functionality are 7.7.4, 7.8.3, and 7.9.1. Post 7.9.1, this functionality is included.
basic.auth.credentials.source
Specify how to pick the credentials for the Basic authentication header. The supported values are URL, USER_INFO, and SASL_INHERIT.
Type: string
Default: “STATIC_TOKEN”
Importance: medium
URL - The user information is configured as part of the schema.registry.url configuration in the form of http://<username>:<password>@sr-host:<sr-port>
USER_INFO - The user information is configured using the below configuration.
basic.auth.user.info
Specify the user information for Basic authentication in the form of {username}:{password}.
Type: password
Default: “”
Importance: medium
SASL_INHERIT - Inherit the settings used by the Kafka client to communicate with the broker using SASL SCRAM or SASL PLAIN.
An example of using a credentials file to authenticate a consumer to Schema Registry is in Print schema IDs with command line consumer utilities.
For more examples and details on credentials files on both Confluent Cloud and Confluent Platform, see the Prerequisites sections in each of the “Test Drives” for the different schema formats:
basic.auth.user.info
Specifies the user info for basic authentication in the form of user:password.
Type: string
Default: “”
Importance: high
http.connect.timeout.ms
Specifies the HTTP connection timeout in milliseconds for the Schema Registry client. The default is 60000 milliseconds (60 seconds).
Type: int
Default: 60000
Valid Values: [0,…]
Importance: low
http.read.timeout.ms
Specifies the HTTP read timeout in milliseconds for the Schema Registry client.
Type: int
Default: 60000
Valid Values: [0,…]
Importance: low
bearer.auth.token
Specifies the bearer token to be used for authentication.
Type: password
Default: “”
Importance: medium
proxy.host
The hostname or address of the proxy server that will be used to connect to Schema Registry instances.
Type: string
Default: “”
Importance: low
proxy.port
The port number of the proxy server that will be used to connect to the Schema Registry instances.
Type: int
Default: “-1”
Importance: low
bearer.auth.credentials.source
Specifies how to pick the credentials for bearer authentication.
Type: string
Default: “OAUTHBEARER”
Importance: medium
bearer.auth.issuer.endpoint.url
The HTTP(S)-based URL for the OAuth/OIDC identity provider which issues access tokens.
Type: string
Default: “null”
Importance: medium
bearer.auth.client.id
Client ID used to obtain client credentials grant from OAuth/OIDC identity provider.
Type: string
Default: “null”
Importance: medium
bearer.auth.client.secret
The client secret used to obtain client credentials grant from OAuth/OIDC identity provider.
Type: password
Default: “null”
Importance: medium
bearer.auth.scope
The access token scope used to obtain client credentials grant from OAuth/OIDC identity provider.
Type: string
Default: “null”
Importance: medium
bearer.auth.scope.claim.name
The OAuth claim for the scope is often named “scope”, but this optional setting can provide a different name for the scope included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.
Type: string
Default: “scope”
Importance: low
bearer.auth.sub.claim.name
The OAuth claim for the subject is often named “sub”, but this optional setting can provide a different name to use for the subject included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.
Type: string
Default: “sub”
Importance: low
bearer.auth.logical.cluster
An additional property that can be added in the request header to identify the logical cluster.
Type: string
Default: “null”
Importance: low
bearer.auth.identity.pool.id
An additional property that can be added in the request header to identify the principal ID for authorization.
Type: string
Default: “null”
Importance: medium
bearer.auth.cache.expiry.buffer.seconds
The amount of buffer time between expiration times of the OAuth token and corresponding cache which holds the token. Ideally you would want to get a new token before the current one expires. Legal values are between 0 and 3600 (1 hour); a default value of 300 (5 minutes) is used if no value is specified. This value is ignored if it exceeds the remaining lifetime of a token from the moment it is retrieved into Schema Registry.
Type: short
Default: “300”
Valid Values: [0, 3600]
Importance: low
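The three settings above decide which claims the client reads from the access token and how long it may cache it. The following added example (not the Schema Registry client's own code) shows that logic on a constructed, unverified token; the claim names, the "scp" claim and all token values are assumptions chosen for illustration.

```python
import base64
import json

# Constructed client settings as they would appear in a properties file; the
# identity provider here is assumed to name the scope claim "scp" (hypothetical).
CLIENT_CONFIG = {
    "bearer.auth.scope.claim.name": "scp",
    "bearer.auth.sub.claim.name": "sub",
    "bearer.auth.cache.expiry.buffer.seconds": 300,
}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that compact JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.
    Signature checks belong to the identity provider and Schema Registry; this
    function only reads the claims the client needs for scope, subject and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def extract_principal(claims: dict, config: dict) -> tuple:
    """Look up scope and subject under the configured claim names."""
    scope = claims.get(config["bearer.auth.scope.claim.name"])
    sub = claims.get(config["bearer.auth.sub.claim.name"])
    if scope is None or sub is None:
        raise KeyError("token lacks the configured scope or sub claim")
    return scope, sub

def cache_ttl_seconds(claims: dict, config: dict, now: int) -> int:
    """Seconds the token may be cached: remaining lifetime minus the expiry buffer.
    If the buffer exceeds the remaining lifetime it is ignored, as the reference
    describes, so the token is simply cached until it expires."""
    buffer = int(config["bearer.auth.cache.expiry.buffer.seconds"])
    if not 0 <= buffer <= 3600:
        raise ValueError("bearer.auth.cache.expiry.buffer.seconds must be in [0, 3600]")
    remaining = int(claims["exp"]) - int(now)
    if remaining <= 0:
        return 0
    return remaining if buffer >= remaining else remaining - buffer

def make_sample_jwt(claims: dict) -> str:
    """Build a constructed token for the example; the signature segment is a placeholder."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-sig"
```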
bearer.auth.custom.provider.class
Custom class that will provide the token credential. Needs to implement the io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider interface.
Type: string
Default: “null”
Importance: medium
ssl.protocol
The SSL protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or later, or TLSv1.2 otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients will downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients will not use TLSv1.3 even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.
Type: string
Default: “TLSv1”
Importance: medium
ssl.provider
The name of the security provider used for SSL connections. Default value is the default security provider of the Java Virtual Machine (JVM).
Type: string
Default: “null”
Importance: medium
ssl.cipher.suites
A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. By default, all the available cipher suites are supported.
Type: list
Default: “null”
Importance: low
ssl.enabled.protocols
The comma-separated list of protocols enabled for SSL connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), clients and servers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2).
To learn more, see ssl.protocol.
Type: list
Default: “TLSv1.2, TLSv1.3”
Importance: medium
ssl.keystore.type
The file format of the key store file. This is optional for client. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].
Type: string
Default: “JKS”
Importance: medium
ssl.keystore.key
Private key in the format specified by ssl.keystore.type. Default SSL engine factory supports only PEM format with PKCS#8 keys. If the key is encrypted, the key password must be specified using ssl.key.password.
ssl.keystore.certificate.chain
Certificate chain in the format specified by ssl.keystore.type. Default SSL engine factory supports only PEM format with a list of X.509 certificates.
Type: password
Default: “null”
Importance: high
ssl.truststore.certificates
Trusted certificates in the format specified by ssl.truststore.type. Default SSL engine factory supports only PEM format with X.509 certificates.
Type: password
Default: “null”
Importance: high
ssl.keystore.location
The location of the key store file. This is optional for the client and can be used for two-way (mutual) authentication of the client.
Type: string
Default: “null”
Importance: high
ssl.keystore.password
The store password for the key store file. This is optional for client and only needed if ssl.keystore.location is configured. Key store password is not supported for PEM format.
Type: password
Default: “null”
Importance: high
ssl.key.password
The password of the private key in the key store file or the PEM key specified in ssl.keystore.key.
Type: password
Default: “”
Importance: high
ssl.truststore.type
The file format of the trust store file. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].
Type: string
Default: “JKS”
Importance: medium
ssl.truststore.location
The location of the trust store file.
Type: string
Default: “null”
Importance: high
ssl.truststore.password
The password for the trust store file. If a password is not set, the configured trust store file will still be used, but integrity checking is disabled. Trust store password is not supported for PEM format.
Type: password
Default: “null”
Importance: high
ssl.keymanager.algorithm
The algorithm used by key manager factory for SSL connections. The default value is the key manager factory algorithm configured for the JVM.
Type: string
Default: The key manager factory algorithm configured for the Java Virtual Machine.
Importance: low
ssl.trustmanager.algorithm
The algorithm used by trust manager factory for SSL connections. Default value is the trust manager factory algorithm configured for the JVM.
Type: string
Default: The trust manager factory algorithm configured for the Java Virtual Machine.
Importance: low
ssl.endpoint.identification.algorithm
The endpoint identification algorithm used to validate the server hostname against the server certificate.
Type: string
Default: “HTTPS”
Importance: low
ssl.secure.random.implementation
The SecureRandom PRNG implementation to use for SSL cryptography operations.
Type: string
Default: “null”
Importance: low
ssl.engine.factory.class
The class of type org.apache.kafka.common.security.auth.SslEngineFactory to provide SSLEngine objects. The default value is org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.
Type: class
Default: “null”
Importance: low
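Several of the basic-auth and SSL options in this reference have weak settings the client will accept silently: a password embedded in schema.registry.url (a list-typed value, unlike the password-typed basic.auth.user.info), a discouraged ssl.protocol, an empty ssl.endpoint.identification.algorithm, or a trust store without a password. The added example below (not Confluent's code) audits a constructed client properties file for these and shows the corrected configuration beside the weak one; hosts, paths and secrets are placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample client properties (placeholder hosts and secrets, not values
# from the page): a weak configuration and its corrected counterpart.
WEAK = """\
schema.registry.url=http://svc-user:s3cr3t@sr-host.example:8081
basic.auth.credentials.source=URL
ssl.protocol=TLSv1.1
ssl.endpoint.identification.algorithm=
ssl.truststore.location=/etc/kafka/client.truststore.jks
"""
HARDENED = """\
schema.registry.url=https://sr-host.example:8081,https://sr2.example:8081
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=svc-user:s3cr3t
ssl.protocol=TLSv1.3
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=placeholder-truststore-password
"""
# Names the reference says older JVMs may accept but discourages, plus TLSv1 (TLS 1.0).
DISCOURAGED_PROTOCOLS = {"TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv3"}

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        key, sep, value = line.partition("=")
        if line and line[0] not in "#!" and sep:
            props[key.strip()] = value.strip()
    return props

def audit(props: dict) -> list:
    """Return (property, finding) pairs for settings that weaken the SR client."""
    findings = []
    for url in filter(None, map(str.strip, props.get("schema.registry.url", "").split(","))):
        parts = urlsplit(url)
        if parts.password is not None:  # list-typed value, so not masked in logs like a password type
            findings.append(("schema.registry.url", "password embedded in URL; use USER_INFO"))
        if parts.scheme == "http":
            findings.append(("schema.registry.url", f"plaintext http to {parts.hostname}"))
    if props.get("basic.auth.credentials.source") == "URL":
        findings.append(("basic.auth.credentials.source", "URL source keeps the password in the URL"))
    if props.get("ssl.protocol") in DISCOURAGED_PROTOCOLS:
        findings.append(("ssl.protocol", "discouraged protocol; use TLSv1.2 or TLSv1.3"))
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append(("ssl.endpoint.identification.algorithm", "empty value disables hostname verification"))
    if "ssl.truststore.location" in props and props.get("ssl.truststore.type", "JKS") != "PEM" \
            and not props.get("ssl.truststore.password"):
        findings.append(("ssl.truststore.password", "unset; trust store integrity checking is disabled"))
    return findings
```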