Authentication of Schema Registry on K8s #2379
Comments
Kubernetes doesn't limit the features that are available. What have you tried thus far? |
Here I added my deployment and service YAML files. I have created an Ingress and the service is working as expected. But what I want is that it should work with basic authentication. I can set basic authentication at the Ingress. But even if I do a port-forward to the schema-registry pod, it should first ask me to get authenticated. Ingress authentication is getting bypassed here. If there is a facility to achieve this either from the Kubernetes or from the Schema Registry side, do let me know. Thanks for the help! |
Auth can be added without any external web service. But, given that Ingress or Kubernetes issues are not specific to this repo, you may get better support at the Confluent Developer Forum. You'll need to mention what Ingress you're actually using, e.g. Nginx or something else? |
I'm using nginx ingress. How can auth be added without any external web services? |
Again, what have you tried? There's a whole documentation section dedicated to this topic. |
From this link, I have tried giving a JAAS file. I was asked for authentication, but when I gave the username and password it's not validating. And I want to implement this on Kubernetes. Can you provide a link to try the deployment on Kubernetes? Are there any env variables for the same scenario? |
I understood that from your original post. As mentioned, there's nothing unique about Kubernetes that needs to be configured for authentication of the service itself. If you want to use an Ingress to manage authentication, then refer to the documentation for the Ingress instead...
Everything that can be configured in the Registry server config maps to an environment variable of the registry container, yes. https://docs.confluent.io/platform/current/installation/docker/config-reference.html#sr-long-configuration The JAAS file/config needs to be provided in Perhaps you'll find what you're looking for at https://github.com/confluentinc/confluent-kubernetes-examples |
Hi, thanks for the reply. From the link https://docs.confluent.io/platform/current/installation/docker/config-reference.html#sr-long-configuration you provided in the above comments, I don't find variables related to basic authentication. But from the examples, I have tried installing through the helm repo and applied all configuration from this file https://github.com/confluentinc/confluent-kubernetes-examples/blob/4ceeb1a339c2a690aa121395520e650ae06d8fec/security/plaintext-basic-auth-ConnectAndSchemaRegistry/confluent-platform.yaml. Since the cluster is completely deployed by itself, SchemaRegistry is asking me for username:password. So my ask is, can I deploy only this SchemaRegistry and connect it with my existing Kafka cluster? If yes, can you please provide me that link/doc/script? And another approach is through the normal deployment I added above..
Like this, do we have any variables to provide basic authentication? It should ask me for username and password similar to the image. Thanks for your response! |
Exactly. So, it's working as expected. The readme shows what files are used and where you find the credentials. Or, the direct file...
Yup. Change
I don't know what you're referring to. The env? That's already been shared |
When I tried the first case, using a SchemaRegistry kind of K8s YAML like this
And regarding the envs, can you show me how to pass envs for the JAAS config file to a pod? Thanks |
Sorry, I wasn't clear - The environment variables are only meant to be used with the Docker image, standalone, as was your original question. Such as if you used the (now, deprecated) Helm Charts, or created your own deployment definition using the Docker image, not the operator. This section
Can only be used with the Operator, and doesn't require a (user supplied) JAAS file, from what I can see in the examples. By the way, the Operator will require an enterprise license to use beyond the trial period. I don't know the spec of the SchemaRegistry resource to define custom properties, you'll need to
You should be able to use a ConfigMap with a volumeMount to mount any files, such as a JAAS conf with a password file. But I don't think you can template a JAAS config without external tooling like Again, Kubernetes-related questions aren't "issues" with this repo, in particular. You may find better support on the respective Operator repo or the general Confluent Forum where other support team and community members exist. |
Okay, from this link, tell me how to pass |
Is that a property of |
Yes, it's the property of basic authentication.
These are the values for basic authentication. When configured with the How to specify the JAAS config file? What is its content? From the link I posted above, I found an example JAAS file.
In the file path, I have given the absolute path of my password file. And in When I tried logging in with the credentials given in the password file, I'm not getting authenticated. One more case is, from this link, can you tell me how to specify my existing Kafka endpoint to Schema Registry (by chance, if you have Kubernetes Schema Registry persons)? |
You shouldn't need to. This section along with the configmap automatically handles setting up the necessary files |
I already mentioned it required a license after 30 days |
Is there a way to achieve it with open source? Though I am using only Schema Registry with this approach, the rest I have already configured. Please suggest a free way to do it. |
There is no open source operator for Confluent. The properties of the Schema Registry should all be the same. As answered before, you do that by mounting a JAAS file in the container (i.e. using a ConfigMap or persistent volume) and you add the necessary environment variables to modify the server properties file. https://stackoverflow.com/questions/58391462/implement-schema-registry-with-a-basic-auth Or you could run the registry outside of Kubernetes first to figure out how you'd configure the same (as the above link shows), then you can work on making it work as a container later |
Thanks for the suggestion/help. Now I am trying this with the server set up. From the doc, I am a little bit unclear about The rest I am giving as:
As in the official document, the JAAS file will be like:
I have given the same, and for password-file, I have given the absolute path of the file.
When should I run this command? |
Documentation already says. The realm is the part outside of the brackets -
If you want Alternatively, implement your own replacement class for
You don't. You add |
Since I am using a server, the last one: |
I'm not sure what you mean. Kubernetes is a server. It does not inherit host OS environment variables. Schema Registry is also a server. The documentation is for running Schema Registry directly as a Linux process, not as a container, or within Kubernetes. Those steps need to be translated appropriately, which is to add variables to the container/pod. |
Forget about Kubernetes or Docker. As you said in the previous thread to try the set-up on a server, I'm trying this on an Ubuntu server. Once I get clarity on the server, then I can do the same configuration on Kubernetes. So on a server, when I run the export command, I'm getting the variables as unidentified. |
I see. In that case, a simple test would be
    export SCHEMA_REGISTRY_OPTS='-Djava.security.auth.login.config=/path/to/the/jaas_config.conf'
    echo $SCHEMA_REGISTRY_OPTS
Should print back that exported value. Then you may run |
Steps that I tried from the screenshot:
Hope you are clear with the approach. If I have missed anything, let me know. Why do I still have the problem with login? Thanks! |
In your OPTS variable, I see you have |
I do not believe |
Local files
    $ cat registry-*
    SchemaRegistry-Props {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        file="/tmp/passwords"
        debug="true";
    };

Docker Compose
    services:
      # kafka service definition omitted here
      schema-registry:
        image: confluentinc/cp-schema-registry:7.2.2
        hostname: schema-registry
        container_name: schema-registry
        depends_on:
          - kafka
        ports:
          - "8081:8081"
        environment:
          SCHEMA_REGISTRY_HOST_NAME: schema-registry
          SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: 'kafka:29092'
          SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8081
          SCHEMA_REGISTRY_OPTS: '-Djava.security.auth.login.config=/tmp/registry-jaas.conf'
          SCHEMA_REGISTRY_AUTHENTICATION_REALM: 'SchemaRegistry-Props'
          SCHEMA_REGISTRY_AUTHENTICATION_METHOD: 'BASIC'
          SCHEMA_REGISTRY_AUTHENTICATION_ROLES: 'admin,user,developer'
        volumes: # refer above
          - $PWD/registry-jaas.conf:/tmp/registry-jaas.conf:ro
          - $PWD/registry-passwords.txt:/tmp/passwords:ro

Start up logs
    schema-registry | ===> Launching ...
    schema-registry | ===> Launching schema-registry ...
    schema-registry | [2022-11-15 01:36:16,022] INFO SchemaRegistryConfig values:
    schema-registry | access.control.allow.headers =
    schema-registry | access.control.allow.methods =
    schema-registry | access.control.allow.origin =
    schema-registry | access.control.skip.options = true
    schema-registry | authentication.method = BASIC
    schema-registry | authentication.realm = SchemaRegistry-Props
    schema-registry | authentication.roles = [admin, user, developer]
    schema-registry | authentication.skip.paths = []

Inspecting running process (see

Testing
    $ curl localhost:8081/subjects
    {"error_code":401,"message":"Unauthorized"}
    $ curl -u barney:changeme localhost:8081/subjects
    [] |
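The advice earlier in the thread (mount the JAAS file via a ConfigMap or volume, set the server properties through environment variables) and the Docker Compose test above, translated into a Kubernetes manifest as an added example; this is not code from the thread or from Confluent. The Secret name, mount path, Kafka address and the `barney: changeme` credentials are constructed assumptions; the password file is kept in a Secret rather than a ConfigMap because it holds credentials.

```yaml
# Added example (not from the thread): the compose test above translated to
# Kubernetes. Names, paths, Kafka address and credentials are constructed.
apiVersion: v1
kind: Secret
metadata:
  name: sr-auth-files
type: Opaque
stringData:
  # Realm name must match SCHEMA_REGISTRY_AUTHENTICATION_REALM below.
  registry-jaas.conf: |
    SchemaRegistry-Props {
      org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      file="/etc/schema-registry/auth/passwords"
      debug="true";
    };
  # Jetty property-file format: "user: password,role1,role2" (constructed)
  passwords: |
    barney: changeme,admin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: schema-registry
spec:
  selector:
    matchLabels: {app: schema-registry}
  template:
    metadata:
      labels: {app: schema-registry}
    spec:
      containers:
        - name: schema-registry
          image: confluentinc/cp-schema-registry:7.2.2
          ports: [{containerPort: 8081}]
          env:
            - {name: SCHEMA_REGISTRY_HOST_NAME, value: schema-registry}
            - {name: SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS, value: "kafka:9092"}
            - {name: SCHEMA_REGISTRY_LISTENERS, value: "http://0.0.0.0:8081"}
            - {name: SCHEMA_REGISTRY_OPTS, value: "-Djava.security.auth.login.config=/etc/schema-registry/auth/registry-jaas.conf"}
            - {name: SCHEMA_REGISTRY_AUTHENTICATION_METHOD, value: BASIC}
            - {name: SCHEMA_REGISTRY_AUTHENTICATION_REALM, value: SchemaRegistry-Props}
            - {name: SCHEMA_REGISTRY_AUTHENTICATION_ROLES, value: "admin,user,developer"}
          volumeMounts:
            - {name: auth-files, mountPath: /etc/schema-registry/auth, readOnly: true}
      volumes:
        - name: auth-files
          secret:
            secretName: sr-auth-files
            defaultMode: 0444   # image runs as non-root; keep files readable
```

Once the pod is up, the same two checks as in the compose test apply through a `kubectl port-forward`: an unauthenticated request to `/subjects` should return the 401 body, and `-u barney:changeme` should return `[]`.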
@OneCricketeer!
Do you have any pointer on what can be wrong? I set the password plain in password.txt and also as MD5; nothing worked. |
I suggest trying to reproduce in the Docker container directly, as I showed. I don't run the Registry in Kubernetes to be able to help with that. |
Hi,
I am using the schema registry image "confluentinc/cp-schema-registry:7.0.1" on Kubernetes 1.23. Can you help me set basic authentication on Schema Registry, so that when I want to view schemas, I first have to provide my credentials to my pod and then I am able to access them?
Does Schema Registry support basic auth in Kubernetes?
Thanks!