Document how to set basic authentication #25

Open
strowk opened this issue Jul 27, 2020 · 6 comments

@strowk

strowk commented Jul 27, 2020

I started reading this
https://docs.confluent.io/current/security/basic-auth.html
and this
https://hub.docker.com/r/confluentinc/cp-schema-registry

I could not find information there on how to configure basic auth for schema registry.
Then I looked at
https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/Dockerfile
https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/run
https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/launch
https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/configure

So far I understood that schema-registry.properties mentioned in https://docs.confluent.io/current/security/basic-auth.html comes from line
https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/configure#L37
But I don't understand where the template

/etc/confluent/docker/${COMPONENT}.properties.template

comes from and what it has in place of authentication.roles, authentication.method and authentication.realm. Could you please help me with it?

Ideally documentation of this docker image should have a section with that information. I think configuring basic authentication is a very important task and this image could not be used in production if that procedure is not explained in its documentation.

@fxn

fxn commented Aug 11, 2020

Seconded.

@imran-els

I've had the need for this (for our tests) as well, and got it running as a docker composition where I had to include jaas_config file along with a file that had users (I used PropertyFileLoginModule) into a volume which got attached to the container. With that and using a few environment variables I got basic auth configured for the container. This is far from ideal as I've had to create the files and do the volume mounting for it to work. I couldn't find a different way to get it working based on what is available now by this image.

Given that schema registry uses jaas, perhaps it would be useful if at least a built-in PropertyFileLoginModule can be configured when using this image, with the provision to include other types as well (i.e. ldap, jdbc).

@gmanolache

@imran-els Hello, I'm struggling with the same issue, do you have an example on how you set up the jaas_config file?

@NickLavrov

See https://stackoverflow.com/questions/65931319/how-to-run-schema-registry-container-for-sasl-plain-kafka-cluster/65943146#65943146 I set SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG directly.

@mikebywaters

mikebywaters commented Jul 29, 2024

Adding this here for anyone else who wants to add basic auth to their confluent schema registry Docker container.

The documentation suggests that it is as simple as configuring your container with these environment variables:

SCHEMA_REGISTRY_URL: http://0.0.0.0:8081
SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO: user:password

But the documentation is wrong. In this image, any environment variables prefixed with SCHEMA_REGISTRY_ are automatically converted with a template into the configuration file located at /etc/schema-registry/schema-registry.properties. The part of the environment variable name after the SCHEMA_REGISTRY_ prefix is converted to lowercase and the underscores replaced with periods. The variables from the documentation result in the following config, which is incorrect:

url=http://0.0.0.0:8081
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=user:password

The actual desired config is:

schema.registry.basic.auth.user.info=user:password
schema.registry.basic.auth.credentials.source=USER_INFO
schema.registry.url=http://0.0.0.0:8081

Which can be achieved by adding another SCHEMA_REGISTRY_ prefix to each of your environment variables, like so:

SCHEMA_REGISTRY_SCHEMA_REGISTRY_URL: http://0.0.0.0:8081
SCHEMA_REGISTRY_SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
SCHEMA_REGISTRY_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO: user:password

@pilif42

pilif42 commented Nov 21, 2024

Got it working with the below:

  schema-registry:
    image: confluentinc/cp-schema-registry:7.7.1
    hostname: schema-registry
    container_name: schema-registry
    depends_on:
      - kafka
    ports:
      - "8081:8081"
    environment:
      SCHEMA_REGISTRY_HOST_NAME: schema-registry
      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: "kafka:9092"
      SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8081
      SCHEMA_REGISTRY_AVRO_COMPATIBILITY_LEVEL: 'backward'
      SCHEMA_REGISTRY_OPTS: '-Djava.security.auth.login.config=/opt/schema_reg_jaas_config.conf'
      SCHEMA_REGISTRY_AUTHENTICATION_METHOD: 'BASIC'
      SCHEMA_REGISTRY_AUTHENTICATION_ROLES: 'admin'
      SCHEMA_REGISTRY_AUTHENTICATION_REALM: 'SchemaRegistry-LoginProps'
    volumes:
      - ./realm.properties:/opt/realm.properties
      - ./schema_reg_jaas_config.conf:/opt/schema_reg_jaas_config.conf
    networks:
      - custom

Following https://docs.confluent.io/platform/current/schema-registry/security/index.html#configuring-the-rest-api-for-basic-http-authentication for the content of schema_reg_jaas_config.conf and realm.properties.
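
An added example, not code from any participant in this thread or from the image: it writes the two files mounted in the compose snippet above, applies the environment-variable naming rule described earlier in the thread, and checks that the realm name, user-file path and roles agree with each other. The user name and password are constructed placeholders, and the login module class name is assumed to be the one shown in the linked Confluent documentation.

```shell
#!/bin/sh
# Added example. Values mirror the compose snippet; credentials are placeholders.
REALM='SchemaRegistry-LoginProps'    # SCHEMA_REGISTRY_AUTHENTICATION_REALM
ROLES='admin'                        # SCHEMA_REGISTRY_AUTHENTICATION_ROLES
REALM_FILE='/opt/realm.properties'   # container path of the mounted user file

# Property name derived from a variable name by the rule described in the
# thread: strip the SCHEMA_REGISTRY_ prefix, lowercase, "_" becomes ".".
env_to_prop() {
  printf '%s\n' "${1#SCHEMA_REGISTRY_}" | tr 'A-Z_' 'a-z.'
}

write_auth_files() {  # $1 = directory that holds the files to be mounted
  # The JAAS section name has to equal the authentication.realm value.
  cat > "$1/schema_reg_jaas_config.conf" <<EOF
$REALM {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  file="$REALM_FILE"
  debug="false";
};
EOF
  # Line format: <user>: <password>,<role>[,<role>...]
  printf '%s\n' 'example-user: CHANGE_ME_PLACEHOLDER,admin' > "$1/realm.properties"
}

# Returns 0 when consistent; 1 = realm section missing, 2 = user-file path
# mismatch, 3 = no user holds any permitted role.
check_auth_files() {  # $1 = dir, $2 = realm, $3 = roles (comma-separated), $4 = user-file path
  jaas="$1/schema_reg_jaas_config.conf"
  users="$1/realm.properties"
  grep -Eq "^[[:space:]]*$2[[:space:]]*\{" "$jaas" ||
    { echo "JAAS file has no section named '$2'"; return 1; }
  grep -Fq "file=\"$4\"" "$jaas" ||
    { echo "JAAS file does not point at '$4'"; return 2; }
  for role in $(printf '%s' "$3" | tr ',' ' '); do
    grep -Eq "^[^#:]+:.*,[[:space:]]*${role}[[:space:]]*(,|\$)" "$users" && return 0
  done
  echo "no user in realm.properties holds any of: $3"; return 3
}

# Demonstration in a scratch directory.
tmp=$(mktemp -d)
write_auth_files "$tmp"
env_to_prop SCHEMA_REGISTRY_AUTHENTICATION_REALM
check_auth_files "$tmp" "$REALM" "$ROLES" "$REALM_FILE" && echo "auth files consistent"
rm -rf "$tmp"
```

A mismatch between the realm name in the environment and the section name in the JAAS file is the case reported as exit status 1.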
