Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

How to secure Apache Kafka schemas with Red Hat Integration Service Registry 2.0

July 16, 2021
Hugo Guerrero
Related topics:
APIsEvent-DrivenKafkaSecurity
Related products:
Red Hat OpenShift

Share:

    This article covers the new features available in the Red Hat Integration Service Registry 2.0, which became generally available in June 2020. To illustrate one of the most valuable new features, I'll show you how to secure your service registry using Red Hat's single sign-on (SSO) technology. The security feature uses a newly available integration powered by the Quarkus OpenID Connect security extension.

    About Red Hat Integration Service Registry

    Red Hat Integration Service Registry is a datastore for standard event schemas and API designs. Developers can use it to decouple the data structure from their applications and share and manage the data structure using a REST interface. The Red Hat Service Registry builds on the Apicurio Registry open source community project.

    In the past, I've written about new features and storage options in the Service Registry, and offered a first look at its new UI and operator. One of the most requested features from customers was controlling access to the web console using users and role-based access control (RBAC). The new Service Registry release addresses this request and other improvements, resulting in an improved registry for your Apache Kafka schemas and API designs.

    What’s new in Service Registry 2.0

    As developers have increased their use of the Service Registry and expanded it into larger projects, they've discovered the need to manage stored artifacts in a more structured and organized way. One of the most requested features was the ability to group and categorize schemas, specifications, and other documents. In response, the new release includes an improved REST API that lets you group your artifacts by teams or projects.

    Next, the serialization and deserialization libraries were improved significantly. The service registry offers Java libraries as Maven artifacts to simplify their use within your applications. These libraries are now independent for each data format: Apache Avro, JSON Schema, and Google Protocol Buffers. The SerDes Java JARs offer a new, simplified configuration that improves the developer experience while providing powerful and flexible options.

    Additionally, the Service Registry 2.0 release supports integrations through webhooks and Apache Kafka to allow custom or third-party connections. Every time you create a new artifact or change an existing one in the registry, the connected integrations receive a notification event. In this way, you can automatically notify other developers through an organizational channel such as Slack or Telegram, and announce that a new version of the artifact is available.

    The new version also implements a preview of the Schema Registry API released by the Cloud Native Computing Foundation (CNCF) as part of the efforts of the CloudEvents Working Group for standardization and interoperability. The Red Hat Service Registry is the first registry to support this specification and will certainly help to encourage its adoption.

    Last but not least, the new release supports authentication to secure the registry's REST API and web console. The Service Registry uses the OpenID Connect (OIDC) protocol, a simple identity layer on top of OAuth 2.0. The Service Registry uses the Quarkus extensions for OpenID Connect to connect conveniently to an identity provider such as Red Hat's single sign-on (SSO) technology.

    You can use Red Hat's single sign-on technology to create users that map to the teams accessing the registry. Then, you can add specific roles to those users to control their access to artifacts. If required, you can enable owner-only access control, which limits the management access to the user that created the resource. Let's take a closer look at this security feature.

    Secure your registry with SSO

    The Red Hat Service Registry uses Quarkus extensions for user authentication and authorization. These extensions require an identity provider that implements the OpenID Connect protocol to verify the identity of the user and the roles assigned to the user. Red Hat's single sign-on technology is based on the Keycloak project and lets you secure web applications with single sign-on capabilities. It's part of the Red Hat Integration subscription, so we will use it to secure the registry.

    Note: Follow the documentation to install and start a single sign-on server using the Red Hat OpenShift templates.

    Step 1: Create a registry realm

    You need to create a realm in the SSO admin console (shown in Figure 1) in order to use a configuration independent from other applications that use the same single sign-on instance. By default, the Service Registry expects a realm name of registry. For more details about creating single sign-on realms, see Getting Started with Red Hat Single Sign-On.

    In the admin console, add a realm with "registry" as the name.
    Figure 1: Using the admin console to add a realm.

    Step 2: Create an SSO client for the Service Registry API

    Now, create a single sign-on client for the Service Registry API, as shown in Figure 2.

    Create a client with an ID of "registry-api" and other parameters specified in the preceding sample YAML code.
    Figure 2: Creating a client for the Service Registry API.

    By default, Service Registry expects the following settings:

    Client ID: registry-api
    Client Protocol: openid-connect
    Access Type: bearer-only
    

    Step 3: Create an SSO client for the Service Registry console

    Next, create a single sign-on client for the Service Registry web console, shown in Figure 3.

    Create a client with an ID of "apicurio-registry" and other parameters specified in the preceding sample YAML code.
    Figure 3: Creating a client for the Service Registry.

    By default, Service Registry expects the following settings:

    Client ID: apicurio-registry
    Client Protocol: openid-connect
    Access Type: public
    Valid Redirect URLs: http://<YOUR_REGISTRY_URL>/*
    Web Origins: +
    

    You can use the defaults for the other client settings.

    Step 4: Configure the authentication using SSO

    In your Service Registry deployment on OpenShift, set the following Service Registry environment variables to configure authentication using SSO:

    AUTH_ENABLED=true
    KEYCLOAK_REALM=registry
    KEYCLOAK_URL=https://<YOUR_SSO_URL>/auth
    

    You will need to assign one of the following roles to each user:

    • sr-admin: Full access to all create, read, update, and delete operations.
    • sr-developer: Access to create, read, edit, and delete operations, except for configuring global rules. This role can configure artifact rules.
    • sr-readonly: Access to read and search operations only. This role cannot configure any rules.

    If you want to enable owner-only authorization for updates to schemas and API artifacts, set the following environment variable:

    REGISTRY_AUTH_OWNER_ONLY_AUTHORIZATION=true
    

    Step 5: Restart your pod

    Restart your pod with the new variables. When you visit the main registry URL, you should see the single sign-on login page shown in Figure 4.

    The main registry URL brings up the single sign-on login page.
    Figure 4: The single sign-on login page.

    Congratulations! You have successfully secured your service registry.

    Summary

    In this article, we quickly reviewed the new features of Red Hat Integration Service Registry 2.0, including new SerDes libraries, an improved REST API implementation of the CNCF schema registry API, and an essential element: Authentication with OpenID Connect. The authentication allows secure access to the registry using Red Hat's single sign-on technology to manage users and assign them roles.

    I then showed you how to configure SSO to create a realm, the required clients with their configuration, and the setup for the registry to enable role-based access control. By following the instructions in this article, you can quickly get started with a secure registry on top of OpenShift for APIs and Apache Kafka schemas.

    Up next: Learn more about getting started with the service registry and how to replace the Confluent schema registry with the Red Hat Service Registry.

    Last updated: September 19, 2023

    Related Posts

    • Getting started with Red Hat Integration service registry

    • Replacing Confluent Schema Registry with Red Hat integration service registry

    • First look at the new Apicurio Registry UI and Operator

    • Securely connect Red Hat Integration Service Registry with Red Hat AMQ Streams

    • Red Hat simplifies transition to open source Kafka with new service registry and HTTP bridge

    Recent Posts

    • Why Models-as-a-Service architecture is ideal for AI models

    • How to run MicroShift as a container using MINC

    • OpenShift 4.19 brings a unified console for developers and admins

    • 3 steps to secure network segmentation with Ansible and AWS

    • Integrate vLLM inference on macOS/iOS using OpenAI APIs

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue