Security Parameters
Describes Schema Registry security parameters.
Security mechanisms provide an authentication, encryption, and impersonation layer between
the Schema Registry REST API clients and the Schema Registry Server. In secure clusters,
Schema Registry is secured by default. In insecure clusters, you can enable security through
the security parameters in the
/opt/mapr/schema-registry/schema-registry-<version>/etc/schema-registry/schema-registry.properties
file.
Requirement: Before you configure Schema Registry security parameters, verify that an
ssl_keystore and an ssl_truststore file have been
created.
The following table lists the Schema Registry security parameters:
| Parameter | Description | Type | Default |
| authorization.enable | Set 'true' or 'false' to enable or disable authorization for Schema Registry service. See Schema Registry Authorization. | boolean | false |
| authentication.cookie.expiration | Authentication cookie expiration time in seconds. | long | 7200 (2 hours) |
| authentication.enable | Whether or not to enable authentication. | boolean | false |
| impersonation.enable | Whether or not to enable impersonation. If disabled, all manipulation will be performed from the admin of cluster user. See Schema Registry Impersonation. | boolean | false |
| listeners | Comma-separated list of listeners that listen for API requests over either HTTP
or HTTPS. Each listener must include the protocol, hostname, and port. For example:
http://localhost:8087 |
list | none |
| ssl.cipher.suites | A list of SSL cipher suites. This list is a comma-separated list. Leave blank to use Jetty’s default. | list | none |
| ssl.cipher.suites.exclude | A list of disabled SSL cipher suites. This is a comma-separated list. Leave blank to use Jetty’s default. | list |
|
| ssl.client.auth | Specifies whether or not to acquire the HTTPS client to authenticate via the server’s trust store. | boolean | false |
| ssl.disabled.protocols | The list of SSL protocols that will not be accepted by clients. This is a comma-separated list. | list |
|
| ssl.enabled.protocols | The list of SSL protocols that can be accepted from clients. The list is a comma-separated list. Leave blank to use Jetty’s defaults. | list | empty |
| ssl.endpoint.identification.algorithm | The endpoint identification algorithm to validate the server hostname using the server certificate. IMPORTANT: Jetty requires that the key's CN, stored in the keystore, must match the FQDN if ssl_endpoint_identification_algorithm=https. Leave blank to use Jetty’s default. | string | none |
| ssl.key.password | The password of the private key in the keystore file. This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file.Note: If the ssl-client.xml file is changed, Schema Registry must be restarted. | string | empty |
| ssl.keymanager.algorithm | The algorithm used by the key manager factory for SSL connections. Leave blank to use Jetty’s default. | string | empty |
| ssl.keystore.location | Location of the keystore file. This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file. Note: If the ssl-client.xml file is changed, Schema Registry must be restarted. | string | empty |
| ssl.keystore.password | The store password for the keystore file. This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file.Note: If the ssl-client.xml file is changed, Schema Registry must be restarted. | string | empty |
| ssl.keystore.type | The type of keystore file. | string | JKS |
| ssl.protocol | The SSL protocol used to generate the SslContextFactory. | string | TLS |
| ssl.provider | The SSL security provider name. Leave blank to use Jetty’s default. | string | none |
| ssl.trustmanager.algorithm | The algorithm used by the trust manager factory for SSL connections. Leave blank to use Jetty’s default. | string | none |
| ssl.truststore.location | Location of the trust store. Required only to authenticate HTTPS clients. | string | empty |
| ssl.truststore.password | The store password for the trust store file. | string | empty |
| ssl.truststore.type | The type of trust store file. | string | JKS |
| ssl.trustallcerts.enable | Set to true if you want to disable certificates verification. | boolean | false |
| headers.file | The option is used to specify the XML file that contains security and custom headers. The headers will be added to a response by the Jetty server. | string | empty |