Securing Schema RegistryPDF version

Schema Registry server configuration

Learn how to configure general settings for Schema Registry server. Also learn about the extra parameters which you can set when storage type is JWK, keystore, or property.

Property Data type Description
schema.registry.oauth.enabled Boolean Select this option to enable OAuth2 authentication. Enum

Select the type of the key storage where the public key is read from. Possible values are: property, keystore, jwk.

Depending on the chosen value, additional configuration might be necessary. These are detailed in the following sections. String The JWT token needs to contain the principal which is used during Ranger authorization. By default, it is assumed that the sub claim contains the principal, but this can be modified with this parameter.
schema.registry.oauth.jwt.expected.audience String The JWT token can optionally contain an audience aud claim. When this claim is present, the same audience value needs to be expected on the server side, otherwise the token is considered invalid.
schema.registry.oauth.jwt.expected.issuer String The JWT token can optionally contain an issuer iss claim. You can configure Schema Registry to only accept tokens issued by a specific issuer.
schema.registry.oauth.clock.skew Integer The clock of the server issuing the token might not be in sync with the clock where Schema Registry is running. You can adjust this value to tolerate a certain difference between the two clocks (in seconds).
When storage type is JSON Web Key (JWK), you can also apply the following parameters.
Property Data type Description
schema.registry.oauth.jwks.url String URL to the server issuing the JWK keys. This can also be a local file if the URL starts with file://. Long Refresh interval for reading the keys from the JWK server. Default value is 30000 ms (30 seconds).
The following parameters are optional. When the keys are downloaded from a remote server, you might need special configuration for accessing the server.
Property Data type Description
schema.registry.oauth.jwks.httpClient.basic.user String If the JWK server requires basic authentication, then you can provide the username.
schema.registry.oauth.jwks.httpClient.basic.password String If the JWK server requires basic authentication, then you can provide the password.
schema.registry.oauth.jwks.httpClient.keyStorePath String If a key is required for accessing the JWK server, then you can provide the keystore path.
schema.registry.oauth.jwks.httpClient.keyStoreType String Schema Registry keystore type of HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyPassword String Schema Registry key password of HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyStorePassword String Schema Registry keystore password of HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyStoreProvider String Schema Registry keystore provider of HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyManagerFactoryAlgorithm String Schema Registry algorithm of KeyManagerFactory for HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.keyManagerFactoryProvider String Schema Registry KeyManagerFactory provider for HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustStorePath String You can add the certificate of the JWK server to a truststore.
schema.registry.oauth.jwks.httpClient.trustStoreType String Schema Registry truststore type of HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustStorePassword String Schema Registry truststore password of HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustStoreProvider String Schema Registry truststore provider of HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustManagerFactoryAlgorithm String Schema Registry TrustManagerFactory algorithm for HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.trustManagerFactoryProvider String Schema Registry TrustManagerFactory provider for HTTP client used for JWK OAuth2. This can be required when keystore type is jwk.
schema.registry.oauth.jwks.httpClient.protocol String HTTPS security protocol. By default, it is TLS.
When storage type is keystore, you can also apply the following parameters.
Property Data type Description
schema.registry.oauth.keystore.public.key.keystore String Path to the keystore file. Ensure the file is readable by Schema Registry.
schema.registry.oauth.keystore.public.key.keystore.alias String The alias of the key within the keystore.
schema.registry.oauth.keystore.public.key.keystore.password String Password for reading the keystore.
When storage type is property, you can also apply the following parameters.
Property Data type Description String The public key or the secret. Enum The algorithm of the key. The values are: RS256, HS256.