Authentication in Schema Registry

Get started with OAuth authentication in Schema Registry. OAuth is the only supported authentication mechanism in Schema Registry.

Schema Registry supports OAuth authentication to integrate with an external identity provider. When OAuth is enabled, clients connecting to Schema Registry must present a valid Bearer JSON Web Token (JWT) to gain access. Schema Registry verifies incoming JWTs using a JSON Web Key Set (JWKS), which provides the public keys required to validate token signatures.

OAuth is enabled by default and is the only supported authentication mechanism. As a result, you must configure the OAuth properties during or after installation unless you explicitly disable OAuth. Cloudera does not recommend deploying Schema Registry with authentication disabled.

Tokens and authorization

OAuth JWTs presented by clients are also used for authorization. Schema Registry extracts the principal (the username) from a configured JWT claim, validates the token audience, and enforces authorization using a built-in authorizer. Because of this, configuring OAuth authentication is required for authorization. For more information, see Authorization in Schema Registry.

Configuring OAuth authentication

Learn how to configure OAuth authentication in Schema Registry.

Before you begin, ensure that the following prerequisites are met:

  • An OAuth server with TLS enabled is available.

  • The server is accessible from the Kubernetes cluster where Schema Registry is deployed.

  • At least one client that supports the Client Credentials flow (sometimes referred to as Machine-to-Machine (M2M), Service Account, or Application Permissions) is configured in your realm.

  • Determine whether your OAuth server issues tokens that contain a value in the aud claim. If a value is present, note it down, because you will need to provide it in your configuration. It is referred to as [***OAUTH EXPECTED AUDIENCE***] in the following steps.

  • Get the JWKS endpoint URL of your OAuth server. You will need to provide it in your configuration, because Schema Registry uses this endpoint to validate the signatures of incoming tokens. It is referred to as [***OAUTH JWKS URL***] in the following steps.

  1. Generate a Java truststore (PKCS12) containing the TLS certificate of the root Certificate Authority (CA) of the OAuth certificate chain.
    keytool -import -trustcacerts -file [***OAUTH ROOT CA***] \
      -keystore [***TRUSTSTORE NAME***] \
      -storepass [***TRUSTSTORE PASSWORD***] \
      -storetype PKCS12
  2. Create a Secret containing the truststore and its password.
    kubectl create secret generic [***OAUTH TRUSTSTORE SECRET NAME***] \
      --namespace [***NAMESPACE***] \
      --from-file=[***OAUTH TRUSTSTORE SECRET KEY***]=[***TRUSTSTORE NAME***] \
      --from-file=[***OAUTH TRUSTSTORE PASSWORD SECRET KEY***]=[***PATH TO TRUSTSTORE PW FILE***]
    Take note of [***OAUTH TRUSTSTORE SECRET NAME***], [***OAUTH TRUSTSTORE SECRET KEY***], and [***OAUTH TRUSTSTORE PASSWORD SECRET KEY***].
  3. Configure OAuth properties in a custom values file (values.yaml).
    #...
    authentication:
      oauth:
        enabled: true
        jwt:
          expectedAudience: [***OAUTH EXPECTED AUDIENCE***]
        jwks:
          url: [***OAUTH JWKS URL***]
          tls:
            truststore:
              secretKeyRef:
                name: [***OAUTH TRUSTSTORE SECRET NAME***]
                key: [***OAUTH TRUSTSTORE SECRET KEY***]
              password:
                secretKeyRef:
                  name: [***OAUTH TRUSTSTORE SECRET NAME***]
                  key: [***OAUTH TRUSTSTORE PASSWORD SECRET KEY***]
              type: PKCS12
    
    • authentication.oauth.enabled – Enables OAuth authentication for the Schema Registry server.

    • authentication.oauth.jwt.expectedAudience – The expected audience value. If the JWT contains an aud claim, it must match this value; otherwise, the token is rejected as invalid.

    • authentication.oauth.jwks.url – The URL to the JWKS endpoint.

    • authentication.oauth.jwks.tls.truststore.secretKeyRef.name – The name of the Secret that contains the truststore for accessing the JWKS endpoint. Configure this property if the backend serving your JWKS endpoint uses self-signed certificates.

    • authentication.oauth.jwks.tls.truststore.secretKeyRef.key – The key in the Secret specified by authentication.oauth.jwks.tls.truststore.secretKeyRef.name that contains the truststore for accessing the JWKS endpoint.

    • authentication.oauth.jwks.tls.truststore.password.secretKeyRef.name – The name of the Secret that contains the truststore password for accessing the JWKS endpoint.

    • authentication.oauth.jwks.tls.truststore.password.secretKeyRef.key – The key in the Secret specified by authentication.oauth.jwks.tls.truststore.password.secretKeyRef.name that contains the truststore password for accessing the JWKS endpoint.

  4. Apply your configuration.
    helm upgrade schema-registry [***CHART***] \
      --namespace [***NAMESPACE***] \
      --values [***VALUES.YML***] \
      --reuse-values

OAuth authentication is enabled. Users are required to present a valid token to Schema Registry for access.
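As an added illustration of the checks described above (example code written for this page, not part of Schema Registry or Cloudera's implementation), the following Go function performs on a Bearer token the same validation that the configuration above enables: it looks up the signing key in a JWKS document by the token's kid, verifies the RS256 signature, rejects a token whose aud claim does not equal the expected audience, and extracts the principal from a configurable claim. The function name, the claim passed as principalClaim, and the JWKS and token values fed to it are assumptions; the real claim name and key set come from your identity provider.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

func decodeJSON(seg string, v interface{}) bool { // one JWT segment: unpadded base64url JSON
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// VerifyToken is an illustrative re-implementation (not Schema Registry code) of the checks above: RS256
// signature via the JWKS key matching the header kid, aud (if present) == expectedAudience, principal from principalClaim.
func VerifyToken(token, jwksJSON, expectedAudience, principalClaim string) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var claims map[string]interface{} // only a string-valued aud claim is handled here
	if len(parts) != 3 || !decodeJSON(parts[0], &hdr) || !decodeJSON(parts[1], &claims) || hdr.Alg != "RS256" {
		return "", errors.New("malformed token or unsupported alg") // alg is pinned: no "none" or HMAC
	}
	var set struct{ Keys []struct{ Kid, N, E string } `json:"keys"` }
	var pub *rsa.PublicKey
	_ = json.Unmarshal([]byte(jwksJSON), &set) // an unparsable JWKS simply leaves pub nil
	for _, k := range set.Keys {               // n and e are the base64url RSA modulus and exponent
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature not verified by a JWKS key with kid " + hdr.Kid)
	}
	if aud, ok := claims["aud"]; ok && aud != expectedAudience {
		return "", errors.New("audience mismatch")
	}
	if p, _ := claims[principalClaim].(string); p != "" {
		return p, nil
	}
	return "", errors.New("principal claim " + principalClaim + " missing")
}
```

In a deployment the JWKS document is fetched over TLS from [***OAUTH JWKS URL***] using the truststore created in step 2; here it is passed in as a string.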