Configuring mutual TLS for Schema Registry
Schema Registry supports two-way TLS authentication, also known as mutual TLS or mTLS. Learn how to configure mutual TLS for Schema Registry.
In one-way (or regular) TLS, the server certificate is validated by the client to check if the server can be trusted. Two-way TLS authentication allows both the client and the server to validate each other by both parties sending their respective certificates to the other side.
mTLS integrates with Ranger authorization as well. The TLS certificate sent
by the client contains a subject
field which has a string value. By
default, the contents of this value is passed to Ranger which performs authorization
against it.
The value of the subject
field may have a complex value
and you might want to use a regular expression to extract the value of the
principal. In this case you can set the rules in Cloudera Manager.
- Go to your cluster in Cloudera Manager.
- Select Schema Registry from the list of services.
- Go to the Configuration tab.
- Search for the SSL Client Authentication Mapping
Rules property, and set it.The mapping rules are in the same format as used for Kerberos principals. For more information, see:https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=89071740.
- Search for the Schema Registry Kerberos Name Rules
property, and set it.For example, the Schema Registry Kerberos Name Rules property is set to
RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/L
in the following image: - Click Save Changes.