Configuration Reference for Schema Registry Clients on Confluent Platform
This section contains configuration options for clients to Schema Registry. You can add these configurations as properties to producer and consumer client configuration files or on the command line for testing.
For examples of these options in use, see Avro, Protobuf, and JSON Schema in Formats, Serializers, and Deserializers for Schema Registry on Confluent Platform.
schema.registry.url
Comma-separated list of URLs for Schema Registry instances.
- Type: list
- Default: null
- Importance: high
basic.auth.credentials.source
Specify how to pick the credentials for the Basic authentication header. The supported values are URL, USER_INFO, and SASL_INHERIT.
- Type: string
- Default: “STATIC_TOKEN”
- Importance: medium
URL - The user information is configured as part of the schema.registry.url configuration in the form of http://<username>:<password>@sr-host:<sr-port>
USER_INFO - The user information is configured using the following configuration:
basic.auth.user.info
Specify the user information for Basic authentication in the form of {username}:{password}.
- Type: password
- Default: “”
- Importance: medium
SASL_INHERIT - Inherit the settings used by the Kafka client to communicate with the broker using SASL SCRAM or SASL PLAIN.
An example of using a credentials file to authenticate a consumer to Schema Registry is in Print schema IDs with command line consumer utilities.
For more examples and details on credentials files on both Confluent Cloud and Confluent Platform, see the Prerequisites sections in each of the “Test Drives” for the different schema formats.
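The three credential sources above, side by side in a client properties file. This is an added example, not configuration from the Confluent documentation; the hostname, port, user names and passwords are placeholders.

```properties
# Added example (not from the Confluent docs). Host, port and credentials
# are placeholders; pick exactly one basic.auth.credentials.source.
schema.registry.url=https://sr-host.example.internal:8081

# URL source: the password is part of the URL itself, so it is exposed
# wherever that URL is printed, logged or passed on a command line.
# Shown commented out for comparison only.
#basic.auth.credentials.source=URL
#schema.registry.url=https://sr-user:sr-password@sr-host.example.internal:8081

# USER_INFO source: the secret lives in its own password-typed property,
# which keeps it out of the URL and out of ordinary log output.
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=sr-user:sr-password

# SASL_INHERIT source: reuse the SASL/PLAIN or SASL/SCRAM credentials the
# Kafka client already uses for the broker, so only one secret is managed.
#basic.auth.credentials.source=SASL_INHERIT
#security.protocol=SASL_SSL
#sasl.mechanism=SCRAM-SHA-512
#sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka-user" password="kafka-password";

# Bound the time a producer or consumer can block on an unreachable registry
# (the defaults are 60000 ms each).
http.connect.timeout.ms=10000
http.read.timeout.ms=30000
```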
basic.auth.user.info
Specifies the user info for basic authentication in the form of user:password.
- Type: string
- Default: “”
- Importance: high
http.connect.timeout.ms
Specifies the HTTP connection timeout in milliseconds for the Schema Registry client. The default is 60000 milliseconds (60 seconds).
- Type: int
- Default: 60000
- Valid Values: [0,…]
- Importance: low
http.read.timeout.ms
Specifies the HTTP read timeout in milliseconds for the Schema Registry client.
- Type: int
- Default: 60000
- Valid Values: [0,…]
- Importance: low
bearer.auth.token
Specifies the bearer token to be used for authentication.
- Type: password
- Default: “”
- Importance: medium
proxy.host
The hostname or address of the proxy server that will be used to connect to Schema Registry instances.
- Type: string
- Default: “”
- Importance: low
proxy.port
The port number of the proxy server that will be used to connect to the Schema Registry instances.
- Type: int
- Default: “-1”
- Importance: low
bearer.auth.credentials.source
Specifies how to pick the credentials for bearer authentication.
- Type: string
- Default: “OAUTHBEARER”
- Importance: medium
bearer.auth.issuer.endpoint.url
The HTTP(S)-based URL for the OAuth/OIDC identity provider which issues access tokens.
- Type: string
- Default: “null”
- Importance: medium
bearer.auth.client.id
Client ID used to obtain client credentials grant from OAuth/OIDC identity provider.
- Type: string
- Default: “null”
- Importance: medium
bearer.auth.client.secret
The client secret used to obtain client credentials grant from OAuth/OIDC identity provider.
- Type: password
- Default: “null”
- Importance: medium
bearer.auth.scope
The access token scope used to obtain client credentials grant from OAuth/OIDC identity provider.
- Type: string
- Default: “null”
- Importance: medium
bearer.auth.scope.claim.name
The OAuth claim for the scope is often named “scope”, but this optional setting can provide a different name for the scope included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.
- Type: string
- Default: “scope”
- Importance: low
bearer.auth.sub.claim.name
The OAuth claim for the subject is often named “sub”, but this optional setting can provide a different name to use for the subject included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.
- Type: string
- Default: “sub”
- Importance: low
bearer.auth.logical.cluster
An additional property that can be added in the request header to identify the logical cluster.
- Type: string
- Default: “null”
- Importance: low
bearer.auth.identity.pool.id
Additional property that can be added in the request header to identify the principal ID for authorization.
- Type: string
- Default: “null”
- Importance: medium
bearer.auth.cache.expiry.buffer.seconds
The amount of buffer time between expiration times of the OAuth token and corresponding cache which holds the token. Ideally you would want to get a new token before the current one expires. Legal values are between 0 and 3600 (1 hour); a default value of 300 (5 minutes) is used if no value is specified. This value is ignored if it exceeds the remaining lifetime of a token from the moment it is retrieved into Schema Registry.
- Type: short
- Default: “300”
- Valid Values: [0, 3600]
- Importance: low
bearer.auth.custom.provider.class
Custom class that will provide the token credential. Needs to implement the io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider interface.
- Type: string
- Default: “null”
- Importance: medium
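The bearer.auth.* settings above combined into one client properties file, with the client-credentials flow beside the static-token alternative. This is an added example, not configuration from the Confluent documentation; the issuer URL, client id and secret, scope, claim names and the cluster and pool identifiers are placeholders for whatever the identity provider and Schema Registry deployment actually use.

```properties
# Added example (not from the Confluent docs). All values are placeholders.
schema.registry.url=https://sr-host.example.internal:8081

# Client-credentials grant: the client obtains its own access token from the
# identity provider and refreshes it before expiry.
bearer.auth.credentials.source=OAUTHBEARER
bearer.auth.issuer.endpoint.url=https://idp.example.internal/oauth2/token
bearer.auth.client.id=schema-registry-client
bearer.auth.client.secret=client-secret-placeholder
bearer.auth.scope=schema-registry.read

# Only needed when the provider names the scope or subject claim differently
# from the defaults "scope" and "sub" (example names, not defaults).
#bearer.auth.scope.claim.name=scp
#bearer.auth.sub.claim.name=client_id

# Extra request headers: which logical cluster to address, and which
# identity pool the principal is authorized through.
bearer.auth.logical.cluster=lsrc-placeholder
bearer.auth.identity.pool.id=pool-placeholder

# Fetch a replacement token this many seconds before the cached one expires
# (default 300, maximum 3600; ignored if it exceeds the token's remaining life).
bearer.auth.cache.expiry.buffer.seconds=300

# Alternative: a token obtained out of band and supplied as a fixed value.
# The client cannot refresh it, so the file must be updated before it expires.
#bearer.auth.credentials.source=STATIC_TOKEN
#bearer.auth.token=static-token-placeholder
```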
ssl.protocol
The SSL protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or later, or TLSv1.2 otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients will downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients will not use TLSv1.3 even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.
- Type: string
- Default: “TLSv1”
- Importance: medium
ssl.provider
The name of the security provider used for SSL connections. Default value is the default security provider of the Java Virtual Machine (JVM).
- Type: string
- Default: “null”
- Importance: medium
ssl.cipher.suites
A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. By default, all the available cipher suites are supported.
- Type: list
- Default: “null”
- Importance: low
ssl.enabled.protocols
The comma-separated list of protocols enabled for SSL connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), clients and servers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2). To learn more, see ssl.protocol.
- Type: list
- Default: “TLSv1.2, TLSv1.3”
- Importance: medium
ssl.keystore.type
The file format of the key store file. This is optional for the client. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].
- Type: string
- Default: “JKS”
- Importance: medium
ssl.keystore.key
Private key in the format specified by ssl.keystore.type. The default SSL engine factory supports only PEM format with PKCS#8 keys. If the key is encrypted, the key password must be specified using ssl.key.password.
ssl.keystore.certificate.chain
Certificate chain in the format specified by ssl.keystore.type. The default SSL engine factory supports only PEM format with a list of X.509 certificates.
- Type: password
- Default: “null”
- Importance: high
ssl.truststore.certificates
Trusted certificates in the format specified by ssl.truststore.type. The default SSL engine factory supports only PEM format with X.509 certificates.
- Type: password
- Default: “null”
- Importance: high
ssl.keystore.location
The location of the key store file. This is optional for the client and is used when the client must authenticate itself with a certificate (two-way TLS).
- Type: string
- Default: “null”
- Importance: high
ssl.keystore.password
The store password for the key store file. This is optional for the client and only needed if ssl.keystore.location is configured. A key store password is not supported for PEM format.
- Type: password
- Default: “null”
- Importance: high
ssl.key.password
The password of the private key in the key store file or the PEM key specified in ssl.keystore.key.
- Type: password
- Default: “”
- Importance: high
ssl.truststore.type
The file format of the trust store file. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].
- Type: string
- Default: “JKS”
- Importance: medium
ssl.truststore.location
The location of the trust store file.
- Type: string
- Default: “null”
- Importance: high
ssl.truststore.password
The password for the trust store file. If a password is not set, the configured trust store file will still be used, but integrity checking is disabled. A trust store password is not supported for PEM format.
- Type: password
- Default: “null”
- Importance: high
ssl.keymanager.algorithm
The algorithm used by the key manager factory for SSL connections. The default value is the key manager factory algorithm configured for the JVM.
- Type: string
- Default: The key manager factory algorithm configured for the Java Virtual Machine.
- Importance: low
ssl.trustmanager.algorithm
The algorithm used by the trust manager factory for SSL connections. The default value is the trust manager factory algorithm configured for the JVM.
- Type: string
- Default: The trust manager factory algorithm configured for the Java Virtual Machine.
- Importance: low
ssl.endpoint.identification.algorithm
The endpoint identification algorithm used to validate the server hostname against the server certificate.
- Type: string
- Default: “HTTPS”
- Importance: low
ssl.secure.random.implementation
The SecureRandom PRNG implementation to use for SSL cryptography operations.
- Type: string
- Default: “null”
- Importance: low
ssl.engine.factory.class
The class of type org.apache.kafka.common.security.auth.SslEngineFactory to provide SSLEngine objects. The default value is org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.
- Type: class
- Default: “null”
- Importance: low
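The ssl.* settings above assembled into a client properties file that pins the protocol versions, keeps hostname verification on, protects the trust store with a password, and presents a client certificate in PEM form for two-way TLS. This is an added example, not configuration from the Confluent documentation; file paths, passwords and the PEM contents are placeholders.

```properties
# Added example (not from the Confluent docs). Paths, passwords and PEM
# bodies are placeholders.
schema.registry.url=https://sr-host.example.internal:8081

# Restrict negotiation to the current protocol versions; TLS, TLSv1.1, SSL,
# SSLv2 and SSLv3 are the legacy values the reference above discourages.
ssl.protocol=TLSv1.3
ssl.enabled.protocols=TLSv1.2,TLSv1.3

# Leave hostname verification at its default so the server certificate is
# checked against the host in schema.registry.url.
ssl.endpoint.identification.algorithm=HTTPS

# Server trust: a password-protected store, so its integrity is verified on
# load (without a password the store is used but the check is disabled).
ssl.truststore.type=PKCS12
ssl.truststore.location=/etc/kafka/ssl/sr-truststore.p12
ssl.truststore.password=truststore-password-placeholder

# Client identity for two-way TLS, supplied inline as PEM. With PEM the
# store password is not supported; an encrypted PKCS#8 key is unlocked
# with ssl.key.password instead.
ssl.keystore.type=PEM
ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE-----\n...placeholder...\n-----END CERTIFICATE-----
ssl.keystore.key=-----BEGIN ENCRYPTED PRIVATE KEY-----\n...placeholder...\n-----END ENCRYPTED PRIVATE KEY-----
ssl.key.password=key-password-placeholder
```

The same client identity can be supplied from a file instead by setting ssl.keystore.type to JKS or PKCS12 with ssl.keystore.location and ssl.keystore.password, in which case the inline PEM properties are omitted.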