Open strowk opened 4 years ago
Seconded.
I've had the need for this (for our tests) as well, and got it running as a docker composition where I had to include jaas_config file along with a file that had users (I used PropertyFileLoginModule) into a volume which got attached to the container. With that and using a few environment variables I got basic auth configured for the container. This is far from ideal as I've had to create the files and do the volume mounting for it to work. I couldn't find a different way to get it working based on what is available now by this image.
Given that schema registry uses jaas perhaps it would be useful if at least a built in PropertyFileLoginModule can be configured when using this image with the provision to include other types as well (i.e. ldap, jdbc)
@imran-els Hello, I'm struggling with the same issue, do you have an example on how you set up the jaas_config file?
See https://stackoverflow.com/questions/65931319/how-to-run-schema-registry-container-for-sasl-plain-kafka-cluster/65943146#65943146 I set SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG directly.
Adding this here for anyone else who wants to add basic auth to their confluent schema registry Docker container.
The documentation suggests that it is as simple as configuring your container with these environment variables:
SCHEMA_REGISTRY_URL: http://0.0.0.0:8081
SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO: user:password
But the documentation is wrong. In this image, any environment variables prefixed with SCHEMA_REGISTRY_ are automatically converted with a template into the configuration file located at /etc/schema-registry/schema-registry.properties. The part of the environment variable name after the SCHEMA_REGISTRY_ prefix is converted to lowercase and the underscores replaced with periods. The variables from the documentation result in the following config, which is incorrect:
url=http://0.0.0.0:8081
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=user:password
The actual desired config is:
schema.registry.basic.auth.user.info=user:password
schema.registry.basic.auth.credentials.source=USER_INFO
schema.registry.url=http://0.0.0.0:8081
Which can be achieved by adding another SCHEMA_REGISTRY_ prefix to each of your environment variables, like so:
SCHEMA_REGISTRY_SCHEMA_REGISTRY_URL: http://0.0.0.0:8081
SCHEMA_REGISTRY_SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
SCHEMA_REGISTRY_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO: user:password
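The conversion rule described in the comment above, modeled as an added example (not code from the image or from any commenter), to check before deployment whether a container environment renders the basic-auth keys the comment gives as the desired config. The function names and the sample environments are assumptions constructed from the values quoted in this thread.

```python
# Added example: models the rule as the comment describes it
# (strip the SCHEMA_REGISTRY_ prefix, lowercase, '_' -> '.').
# It is not the image's own configure script.
PREFIX = "SCHEMA_REGISTRY_"

# Property keys the comment gives as the desired config.
WANTED = (
    "schema.registry.url",
    "schema.registry.basic.auth.credentials.source",
    "schema.registry.basic.auth.user.info",
)

def env_to_properties(env):
    """Render property keys from SCHEMA_REGISTRY_* variables; ignore the rest."""
    props = {}
    for name, value in env.items():
        if name.startswith(PREFIX) and len(name) > len(PREFIX):
            props[name[len(PREFIX):].lower().replace("_", ".")] = value
    return props

def missing_keys(props):
    """Desired keys that the rendered properties do not contain."""
    return [key for key in WANTED if key not in props]

def suggest_env(keys):
    """Variable names that would render the given keys under the same rule."""
    return [PREFIX + key.upper().replace(".", "_") for key in keys]

# Constructed sample: the variables as the documentation lists them.
DOCS_ENV = {
    "PATH": "/usr/bin",  # unrelated variable, must be ignored
    "SCHEMA_REGISTRY_URL": "http://0.0.0.0:8081",
    "SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE": "USER_INFO",
    "SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO": "user:password",
}

# Constructed sample: the double-prefixed variables from the comment.
FIXED_ENV = {name: DOCS_ENV[name.replace(PREFIX, "", 1)]
             for name in suggest_env(WANTED)}

if __name__ == "__main__":
    for label, env in (("docs", DOCS_ENV), ("fixed", FIXED_ENV)):
        props = env_to_properties(env)
        # Print key names only so the credential value never reaches logs.
        print(label, "renders:", sorted(props))
        print(label, "missing:", missing_keys(props))
        print(label, "set instead:", suggest_env(missing_keys(props)))
```
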
I started reading this https://docs.confluent.io/current/security/basic-auth.html and this https://hub.docker.com/r/confluentinc/cp-schema-registry
I could not find information there on how to configure basic auth for schema registry. Then I looked at https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/Dockerfile https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/run https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/launch https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/configure
So far I understood that schema-registry.properties mentioned in https://docs.confluent.io/current/security/basic-auth.html comes from line https://github.com/confluentinc/cp-docker-images/blob/v5.2.1/debian/schema-registry/include/etc/confluent/docker/configure#L37 But I don't understand where the template comes from and what it has in place of authentication.roles, authentication.method and authentication.realm. Could you please help me with it? Ideally documentation of this docker image should have a section with that information. I think configuring basic authentication is a very important task and this image could not be used in production if that procedure is not explained in its documentation.