Kafka Schema Registry Security
Describes security mechanisms for Kafka Schema Registry.
By default, Schema Registry is secure when installed on a secure cluster. A secure cluster is a cluster installed with the default security (data-fabric SASL) enabled. Default security provides authentication, encryption, impersonation, and authorization for Schema Registry. For encryption, SSL/TLS protocols are supported.
If you install Schema Registry in an insecure cluster, you can enable security through security parameters in the /opt/mapr/schema-registry/schema-registry-<version>/etc/schema-registry/schema-registry.properties file, as described in Security Parameters.
Schema Registry Communication Paths
The following image depicts the Schema Registry communication paths:
Security Features | Supported Mechanisms | Communication Paths Secured |
Authentication | Data Fabric SASL (ticket-based security) | D - Schema Registry Server and ZooKeeper |
Authentication | Data Fabric SASL (ticket-based security) | A - Schema Registry Client and Schema Registry Server |
Authentication | Data Fabric SASL (ticket-based security) | C - Schema Registry Server and Schema Registry Server |
Authentication | Basic (PAM) | A - Schema Registry Client and Schema Registry Server |
Authentication | Basic (PAM) | C - Schema Registry Server and Schema Registry Server |
Authentication | Cookie | A - Schema Registry Client and Schema Registry Server |
Authentication | Cookie | C - Schema Registry Server and Schema Registry Server |
Encryption | Data Fabric SASL (ticket-based security) | D - Schema Registry Server and ZooKeeper |
Encryption | Data Fabric SASL (ticket-based security) | A - Schema Registry Client and Schema Registry Server |
Encryption | Data Fabric SASL (ticket-based security) | C - Schema Registry Server and Schema Registry Server |
Encryption | SSL/TLS | A - Schema Registry Client and Schema Registry Server |
Encryption | SSL/TLS | C - Schema Registry Server and Schema Registry Server |
Authorization | Based on filesystem permissions. | A - Schema Registry Client and Schema Registry Server |
Impersonation | User impersonation | A - Schema Registry Client and Schema Registry Server |
Impersonation | User impersonation | B - Schema Registry Server to Streams for Apache Kafka |
Impersonation | User impersonation | C - Schema Registry Server and Schema Registry Server |
Auditing | Not supported | -- |