Configuring the Schema Registry server

Learn how to configure general settings for Schema Registry server. Also learn about the extra parameters which you can set when storage type is JWK, keystore, or property.

General settings

Property Data type Description
schema.registry.oauth.enabled Boolean Tick the checkbox to enable OAuth2 authentication.
schema.registry.oauth.key.store.type Enum

Select the type of the key storage, where to read the public key from. Possible values are: property, keystore, jwk.

Depending on the chosen value, additional configuration might be necessary. These will be detailed below in the corresponding sections.

schema.registry.oauth.jwt.principal.claim.name String The JWT token needs to contain the principal which is used during Ranger authorization. By default, it is assumed that the sub claim contains the principal, but this can be modified with this parameter.
schema.registry.oauth.jwt.expected.audience String The JWT token can optionally contain an audience aud claim. When this claim is present then the same audience value needs to be expected on the server side, otherwise the token is considered invalid.
schema.registry.oauth.jwt.expected.issuer String The JWT token can optionally contain an issuer iss claim. You can configure Schema Registry to only accept tokens issued by a specific issuer.
schema.registry.oauth.clock.skew Integer The clock of the server issuing the token might not be in sync with the clock where Schema Registry is running. You can adjust this value to tolerate a certain difference between the two clocks (in seconds).

JWK

When storage type is JSON Web Key (JWK), then you can also apply the following parameters.
Property Data type Description
schema.registry.oauth.jwks.url String URL to the server issuing the JWK keys. Note that this can also be a local file if the URL starts with file://.
schema.registry.oauth.jwks.refresh.ms Long Refresh interval for reading the keys from the JWK server. Default value is 30000 ms (30 seconds).
The following parameters are optional. When the keys are downloaded from a remote server, you might need special configuration for accessing the server.
Property Data type Description
schema.registry.oauth.jwks.httpClient.basic.user String If the JWK server requires basic authentication, then you can provide the username.
schema.registry.oauth.jwks.httpClient.basic.password String If the JWK server requires basic authentication, then you can provide the password.
schema.registry.oauth.jwks.httpClient.keyStorePath String If a key is required for accessing the JWK server, then you can provide the keystore path.
schema.registry.oauth.jwks.httpClient.keyStoreType String Schema Registry keystore type of http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyPassword String Schema Registry key password of http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyStorePassword String Schema Registry keystore password of http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyStoreProvider String Schema Registry keystore provider of http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyManagerFactoryAlgorithm String Schema Registry algorithm of KeyManagerFactory for http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyManagerFactoryProvider String Schema Registry KeyManagerFactory provider for http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustStorePath String You can add the certificate of the JWK server to a truststore.
schema.registry.oauth.jwks.httpClient.trustStoreType String Schema Registry truststore type of http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustStorePassword String Schema Registry truststore password of http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustStoreProvider String Schema Registry truststore provider of http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustManagerFactoryAlgorithm String Schema Registry TrustManagerFactory algorithm for http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustManagerFactoryProvider String Schema Registry TrustManagerFactory provider for http client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.protocol String HTTPS security protocol. By default it is TLS.

Keystore

When storage type is keystore, then you can also apply the following parameters.
Property Data type Description
schema.registry.oauth.keystore.public.key.keystore String Path to the keystore file. Please ensure the file is readable by Schema Registry.
schema.registry.oauth.keystore.public.key.keystore.alias String The alias of the key within the keystore.
schema.registry.oauth.keystore.public.key.keystore.password String Password for reading the keystore.

Property

When storage type is property, then you can also apply the following parameters.
Property Data type Description
schema.registry.oauth.property.public.key.property String The public key or the secret.
schema.registry.oauth.property.key.algorithm Enum You need to provide the algorithm of the key. The values are: RS256, HS256.