Schema Registry server configuration
Learn how to configure general settings for Schema Registry server. Also learn about the extra parameters which you can set when storage type is JWK, keystore, or property.
General settings
| Property | Data type | Description |
|---|---|---|
| schema.registry.oauth.enabled | Boolean | Select this option to enable OAuth2 authentication. |
| schema.registry.oauth.key.store.type | Enum |
Select the type of the key storage where the public key is read from. Possible
values are: Depending on the chosen value, additional configuration might be necessary. These are detailed in the following sections. |
| schema.registry.oauth.jwt.principal.claim.name | String | The JWT token needs to contain the principal which is used during Ranger
authorization. By default, it is assumed that the sub claim contains the
principal, but this can be modified with this parameter. |
| schema.registry.oauth.jwt.expected.audience | String | The JWT token can optionally contain an audience aud claim. When
this claim is present, the same audience value needs to be expected on the server side,
otherwise the token is considered invalid. |
| schema.registry.oauth.jwt.expected.issuer | String | The JWT token can optionally contain an issuer iss claim. You can
configure Schema Registry to only accept tokens issued by a specific issuer. |
| schema.registry.oauth.clock.skew | Integer | The clock of the server issuing the token might not be in sync with the clock where Schema Registry is running. You can adjust this value to tolerate a certain difference between the two clocks (in seconds). |
JWK configuration settings
When storage type is JSON Web Key (JWK), you can also apply the following parameters.
| Property | Data type | Description |
|---|---|---|
| schema.registry.oauth.jwks.url | String | URL to the server issuing the JWK keys. This can also be a local file if the URL
starts with file://. |
| schema.registry.oauth.jwks.refresh.ms | Long | Refresh interval for reading the keys from the JWK server. Default value is 30000 ms (30 seconds). |
The following parameters are optional. When the keys are downloaded from a remote server, you
might need special configuration for accessing the server.
| Property | Data type | Description |
|---|---|---|
| schema.registry.oauth.jwks.httpClient.basic.user | String | If the JWK server requires basic authentication, then you can provide the username. |
| schema.registry.oauth.jwks.httpClient.basic.password | String | If the JWK server requires basic authentication, then you can provide the password. |
| schema.registry.oauth.jwks.httpClient.keyStorePath | String | If a key is required for accessing the JWK server, then you can provide the keystore path. |
| schema.registry.oauth.jwks.httpClient.keyStoreType | String | Schema Registry keystore type of HTTP client used for JWK OAuth2. This can be
required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.keyPassword | String | Schema Registry key password of HTTP client used for JWK OAuth2. This can be required
when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.keyStorePassword | String | Schema Registry keystore password of HTTP client used for JWK OAuth2. This can be
required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.keyStoreProvider | String | Schema Registry keystore provider of HTTP client used for JWK OAuth2. This can be
required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.keyManagerFactoryAlgorithm | String | Schema Registry algorithm of KeyManagerFactory for HTTP client used for JWK OAuth2.
This can be required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.keyManagerFactoryProvider | String | Schema Registry KeyManagerFactory provider for HTTP client used for JWK OAuth2. This
can be required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.trustStorePath | String | You can add the certificate of the JWK server to a truststore. |
| schema.registry.oauth.jwks.httpClient.trustStoreType | String | Schema Registry truststore type of HTTP client used for JWK OAuth2. This can be
required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.trustStorePassword | String | Schema Registry truststore password of HTTP client used for JWK OAuth2. This can be
required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.trustStoreProvider | String | Schema Registry truststore provider of HTTP client used for JWK OAuth2. This can be
required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.trustManagerFactoryAlgorithm | String | Schema Registry TrustManagerFactory algorithm for HTTP client used for JWK OAuth2.
This can be required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.trustManagerFactoryProvider | String | Schema Registry TrustManagerFactory provider for HTTP client used for JWK OAuth2.
This can be required when keystore type is jwk. |
| schema.registry.oauth.jwks.httpClient.protocol | String | HTTPS security protocol. By default, it is TLS. |
Keystore configuration settings
When storage type is keystore, you can also apply the following parameters.
| Property | Data type | Description |
|---|---|---|
| schema.registry.oauth.keystore.public.key.keystore | String | Path to the keystore file. Ensure the file is readable by Schema Registry. |
| schema.registry.oauth.keystore.public.key.keystore.alias | String | The alias of the key within the keystore. |
| schema.registry.oauth.keystore.public.key.keystore.password | String | Password for reading the keystore. |
Property configuration settings
When storage type is property, you can also apply the following parameters.
| Property | Data type | Description |
|---|---|---|
| schema.registry.oauth.property.public.key.property | String | The public key or the secret. |
| schema.registry.oauth.property.key.algorithm | Enum | The algorithm of the key. The values are: RS256,
HS256. |
