Configuring your Apicurio Registry deployment

Configuring Apicurio Registry authentication and authorization with Keycloak

This section explains how to manually configure authentication and authorization options for Apicurio Registry using Keycloak.

Alternatively, for details on how to configure these settings automatically, see the Apicurio Registry Operator documentation.

You can enable authentication for the Apicurio Registry web console and core REST API using Keycloak, based on OAuth using OpenID Connect (OIDC). The same Keycloak realm and users are federated across the Apicurio Registry web console and core REST API using OpenID Connect, so you require only one set of credentials.

Apicurio Registry provides role-based authorization for default admin, write, and read-only user roles. Apicurio Registry also provides content-based authorization at the schema or API level, where only the creator of the registry artifact can update or delete it. Apicurio Registry authentication and authorization settings are disabled by default.

Prerequisites
Procedure
  1. In the Keycloak Admin Console, create a Keycloak realm for Apicurio Registry. By default, Apicurio Registry expects a realm name of registry. For more details on creating realms, see Getting Started with Keycloak.

  2. Create a Keycloak client for the Apicurio Registry API. By default, Apicurio Registry expects the following settings:

    • Client ID: registry-api

    • Client Protocol: openid-connect

    • Access Type: bearer-only

      You can use the defaults for the other client settings.

      If you are using Keycloak service accounts, the client Access Type must be confidential instead of bearer-only.
  3. Create a Keycloak client for the Apicurio Registry web console. By default, Apicurio Registry expects the following settings:

    • Client ID: apicurio-registry

    • Client Protocol: openid-connect

    • Access Type: public

    • Valid Redirect URLs: http://my-registry-url:8080/*

    • Web Origins: +

      You can use the defaults for the other client settings.

  4. In your Apicurio Registry deployment on OpenShift, set the following Apicurio Registry environment variables to configure authentication using Keycloak:

    Table 1. Configuration for Apicurio Registry authentication

    | Environment variable | Description | Type | Default |
    | --- | --- | --- | --- |
    | AUTH_ENABLED | If set to true, the environment variables that follow are required. | String | false |
    | KEYCLOAK_URL | The URL of the Keycloak authentication server to use. Must end with /auth. | String | None |
    | KEYCLOAK_REALM | The Keycloak realm used for authentication. | String | registry |
    | KEYCLOAK_API_CLIENT_ID | The client ID for the Apicurio Registry REST API. | String | registry-api |
    | KEYCLOAK_UI_CLIENT_ID | The client ID for the Apicurio Registry web console. | String | apicurio-registry |

    For an example of setting environment variables on OpenShift, see Configuring Apicurio Registry health checks on OpenShift.
  5. Set the following option to true to enable Apicurio Registry user roles in Keycloak:

    Table 2. Configuration for Apicurio Registry role-based authorization

    | Environment variable | Java system property | Type | Default value |
    | --- | --- | --- | --- |
    | ROLE_BASED_AUTHZ_ENABLED | registry.auth.role-based-authorization | Boolean | false |

  6. When Apicurio Registry user roles are enabled, you must assign Apicurio Registry users to at least one of the following default user roles in your Keycloak realm:

    Table 3. Default user roles for registry authentication and authorization

    | Role | Read artifacts | Write artifacts | Global rules | Summary |
    | --- | --- | --- | --- | --- |
    | sr-admin | Yes | Yes | Yes | Full access to all create, read, update, and delete operations. |
    | sr-developer | Yes | Yes | No | Access to create, read, update, and delete operations, except configuring global rules. This role can configure artifact rules. |
    | sr-readonly | Yes | No | No | Access to read and search operations only. This role cannot configure any rules. |

  7. Set the following to true to enable owner-only authorization for updates to schema and API artifacts in Apicurio Registry:

    Table 4. Configuration for owner-only authorization

    | Environment variable | Java system property | Type | Default value |
    | --- | --- | --- | --- |
    | REGISTRY_AUTH_OBAC_ENABLED | registry.auth.owner-only-authorization | Boolean | false |

Additional resources

Apicurio Registry authentication and authorization configuration options

Apicurio Registry provides authentication options for OpenID Connect with Keycloak or HTTP basic authentication.

Apicurio Registry provides authorization options for role-based and content-based approaches:

  • Role-based authorization for default admin, write, and read-only user roles.

  • Content-based authorization for schema or API artifacts, where only the owner of the artifacts or artifact group can update or delete artifacts.

Apicurio Registry authentication and authorization options are disabled by default.

This chapter provides details on the following configuration options:

Apicurio Registry authentication using OpenID Connect with Keycloak

You can set the following environment variables to configure authentication for the Apicurio Registry web console and API using Keycloak:

Table 5. Configuration for Apicurio Registry authentication options

| Environment variable | Description | Type | Default |
| --- | --- | --- | --- |
| AUTH_ENABLED | Enables or disables authentication in Apicurio Registry. When set to true, the environment variables that follow are required. | String | false |
| KEYCLOAK_URL | The URL of the Keycloak authentication server to use. Must end with /auth. | String | - |
| KEYCLOAK_REALM | The Keycloak realm used for authentication. | String | - |
| KEYCLOAK_API_CLIENT_ID | The client ID for the Apicurio Registry REST API. | String | registry-api |
| KEYCLOAK_UI_CLIENT_ID | The client ID for the Apicurio Registry web console. | String | apicurio-registry |

Apicurio Registry authentication using HTTP basic

By default, Apicurio Registry supports authentication using OpenID Connect. Users (or API clients) must obtain an access token to make authenticated calls to the Apicurio Registry REST API. However, because some tools do not support OpenID Connect, you can also configure Apicurio Registry to support HTTP basic authentication by setting the following configuration option to true.
Table 6. Configuration for Apicurio Registry HTTP basic authentication

| Environment variable | Java system property | Type | Default value |
| --- | --- | --- | --- |
| CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED | registry.auth.basic-auth-client-credentials.enabled | Boolean | false |

Apicurio Registry role-based authorization

You can set the following option to true to enable role-based authorization in Apicurio Registry:

Table 7. Configuration for Apicurio Registry role-based authorization

| Environment variable | Java system property | Type | Default value |
| --- | --- | --- | --- |
| ROLE_BASED_AUTHZ_ENABLED | registry.auth.role-based-authorization | Boolean | false |

You can then configure role-based authorization to use roles included in the user’s authentication token (for example, granted when authenticating using Keycloak), or to use role mappings managed internally by Apicurio Registry.

Use roles assigned in Keycloak

To enable using roles assigned by Keycloak, set the following environment variables:

Table 8. Configuration for Apicurio Registry role-based authorization using Keycloak

| Environment variable | Description | Type | Default |
| --- | --- | --- | --- |
| ROLE_BASED_AUTHZ_SOURCE | When set to token, user roles are taken from the authentication token. | String | token |
| REGISTRY_AUTH_ROLES_ADMIN | The name of the role that indicates a user is an admin. | String | sr-admin |
| REGISTRY_AUTH_ROLES_DEVELOPER | The name of the role that indicates a user is a developer. | String | sr-developer |
| REGISTRY_AUTH_ROLES_READONLY | The name of the role that indicates a user has read-only access. | String | sr-readonly |

When Apicurio Registry is configured to use roles from Keycloak, you must assign Apicurio Registry users to at least one of the following user roles in Keycloak. However, you can configure different user role names using the environment variables in Configuration for Apicurio Registry role-based authorization using Keycloak.

Table 9. Apicurio Registry roles for authentication and authorization

| Role name | Read artifacts | Write artifacts | Global rules | Description |
| --- | --- | --- | --- | --- |
| sr-admin | Yes | Yes | Yes | Full access to all create, read, update, and delete operations. |
| sr-developer | Yes | Yes | No | Access to create, read, update, and delete operations, except configuring global rules and import/export. This role can configure artifact rules only. |
| sr-readonly | Yes | No | No | Access to read and search operations only. This role cannot configure any rules. |

Manage roles directly in Apicurio Registry

To enable using roles managed internally by Apicurio Registry, set the following environment variables:

Table 10. Configuration for Apicurio Registry role-based authorization using internal role mappings

| Environment variable | Description | Type | Default |
| --- | --- | --- | --- |
| ROLE_BASED_AUTHZ_SOURCE | When set to application, user roles are managed internally by Apicurio Registry. | String | token |

When using internally managed role mappings, users can be assigned a role using the /admin/roleMappings endpoint in the Apicurio Registry REST API. For more details, see Apicurio Registry REST API documentation.

Users can be granted exactly one role: ADMIN, DEVELOPER, or READ_ONLY. Only users with admin privileges can grant access to other users.

Apicurio Registry admin-override configuration

Because there are no default admin users in Apicurio Registry, it is usually helpful to configure another way for users to be identified as admins. You can configure this admin-override feature using the following environment variables:

Table 11. Configuration for Apicurio Registry admin-override

| Environment variable | Description | Type | Default |
| --- | --- | --- | --- |
| REGISTRY_AUTH_ADMIN_OVERRIDE_ENABLED | Enables the admin-override feature. | String | false |
| REGISTRY_AUTH_ADMIN_OVERRIDE_FROM | Where to look for admin-override information. Only token is currently supported. | String | token |
| REGISTRY_AUTH_ADMIN_OVERRIDE_TYPE | The type of information used to determine if a user is an admin. Values depend on the value of the FROM variable, for example, role or claim when FROM is token. | String | role |
| REGISTRY_AUTH_ADMIN_OVERRIDE_ROLE | The name of the role that indicates a user is an admin. | String | sr-admin |
| REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM | The name of a JWT token claim to use for determining admin-override. | String | org-admin |
| REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM_VALUE | The value that the JWT token claim indicated by the CLAIM variable must be for the user to be granted admin-override. | String | true |

For example, you can use this admin-override feature to assign the sr-admin role to a single user in Keycloak, which grants that user the admin role. That user can then use the /admin/roleMappings REST API (or associated UI) to grant roles to additional users (including additional admins).

Apicurio Registry owner-only authorization

You can set the following options to true to enable owner-only authorization for updates to artifacts or artifact groups in Apicurio Registry:

Table 12. Configuration for owner-only authorization

| Environment variable | Java system property | Type | Default value |
| --- | --- | --- | --- |
| REGISTRY_AUTH_OBAC_ENABLED | registry.auth.owner-only-authorization | Boolean | false |
| REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS | registry.auth.owner-only-authorization.limit-group-access | Boolean | false |

When owner-only authorization is enabled, only the user who created an artifact can modify or delete that artifact.

When owner-only authorization and group owner-only authorization are both enabled, only the user who created an artifact group has write access to that artifact group, for example, to add or remove artifacts in that group.

Apicurio Registry authenticated read access

When the authenticated read access option is enabled, Apicurio Registry grants at least read-only access to requests from any authenticated user in the same organization, regardless of their user role.

To enable authenticated read access, you must first enable role-based authorization, and then set the following option to true:

Table 13. Configuration for authenticated read access

| Environment variable | Java system property | Type | Default value |
| --- | --- | --- | --- |
| REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED | registry.auth.authenticated-read-access.enabled | Boolean | false |

Apicurio Registry anonymous read-only access

In addition to the two main types of authorization (role-based and owner-based authorization), Apicurio Registry supports an anonymous read-only access option.

To allow anonymous users, such as REST API calls with no authentication credentials, to make read-only calls to the REST API, set the following option to true:

Table 14. Configuration for anonymous read-only access

| Environment variable | Java system property | Type | Default value |
| --- | --- | --- | --- |
| REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED | registry.auth.anonymous-read-access.enabled | Boolean | false |
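
The requirements stated in the authentication and authorization tables above can be checked mechanically before a deployment goes out. The following added example (not part of Apicurio Registry or its documentation) parses KEY=VALUE environment settings and reports combinations that contradict those requirements or widen access; the severity labels, the sample values, and the assumption that authorization options need authentication enabled are this example's own.

```python
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str  # "error": contradicts a documented requirement; "warn": valid but risky
    variable: str
    message: str


def parse_env(text):
    """Parse KEY=VALUE lines, for example copied from a deployment's env section."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def _on(env, name):
    # Every boolean option in the tables above defaults to false.
    return env.get(name, "false").strip().lower() == "true"


def audit(env):
    """Return the list of Finding for one set of registry environment variables."""
    out = []

    def add(severity, variable, message):
        out.append(Finding(severity, variable, message))

    rbac = _on(env, "ROLE_BASED_AUTHZ_ENABLED")
    obac = _on(env, "REGISTRY_AUTH_OBAC_ENABLED")
    if _on(env, "AUTH_ENABLED"):
        url = env.get("KEYCLOAK_URL", "")
        if not url:
            add("error", "KEYCLOAK_URL", "required when AUTH_ENABLED is true")
        else:
            if not url.endswith("/auth"):
                add("error", "KEYCLOAK_URL", "must end with /auth")
            if url.lower().startswith("http://"):
                add("warn", "KEYCLOAK_URL", "plain HTTP: tokens cross the network unencrypted")
    else:
        add("warn", "AUTH_ENABLED", "authentication is disabled (the default)")
        # Assumption of this example: authorization needs an authenticated identity.
        for var, enabled in (("ROLE_BASED_AUTHZ_ENABLED", rbac),
                             ("REGISTRY_AUTH_OBAC_ENABLED", obac)):
            if enabled:
                add("warn", var, "enabled while AUTH_ENABLED is not true")

    source = env.get("ROLE_BASED_AUTHZ_SOURCE", "token")
    override = _on(env, "REGISTRY_AUTH_ADMIN_OVERRIDE_ENABLED")
    if source not in ("token", "application"):
        add("error", "ROLE_BASED_AUTHZ_SOURCE", "must be token or application")
    elif rbac and source == "application" and not override:
        add("warn", "ROLE_BASED_AUTHZ_SOURCE",
            "internal role mappings without admin-override: there is no "
            "default admin user to grant the first role")
    if override:
        if env.get("REGISTRY_AUTH_ADMIN_OVERRIDE_FROM", "token") != "token":
            add("error", "REGISTRY_AUTH_ADMIN_OVERRIDE_FROM", "only token is supported")
        if env.get("REGISTRY_AUTH_ADMIN_OVERRIDE_TYPE", "role") not in ("role", "claim"):
            add("warn", "REGISTRY_AUTH_ADMIN_OVERRIDE_TYPE",
                "expected role or claim when FROM is token")

    if _on(env, "REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED") and not rbac:
        add("error", "REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED",
            "requires ROLE_BASED_AUTHZ_ENABLED=true")
    if _on(env, "REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED"):
        add("warn", "REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED",
            "read-only REST calls succeed with no credentials")
    if _on(env, "CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED"):
        add("warn", "CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED",
            "credentials are sent on every request; expose the API over TLS only")
    if _on(env, "REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS") and not obac:
        add("warn", "REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS",
            "group owner-only access is described only together with "
            "REGISTRY_AUTH_OBAC_ENABLED")
    return out


# Constructed sample input, not taken from a real deployment.
SAMPLE_ENV = """
AUTH_ENABLED=true
KEYCLOAK_URL=http://keycloak.example.test:8080
ROLE_BASED_AUTHZ_ENABLED=true
ROLE_BASED_AUTHZ_SOURCE=application
REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED=true
REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED=true
REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS=true
"""

if __name__ == "__main__":
    for finding in audit(parse_env(SAMPLE_ENV)):
        print(f"{finding.severity:5} {finding.variable}: {finding.message}")
```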

Additional resources

Configuring the Apicurio Registry web console

You can configure the Apicurio Registry web console specifically for your deployment environment or to customize its behavior. This section provides details on how to configure optional environment variables for the Apicurio Registry web console.

Prerequisites
  • You have already installed Apicurio Registry.

Configuring the web console deployment environment

When a user navigates their browser to the Apicurio Registry web console, some initial configuration settings are loaded. Two important configuration properties are:

  • URL for core Apicurio Registry server REST API

  • URL for Apicurio Registry web console client

Typically, Apicurio Registry automatically detects and generates these settings, but there are some deployment environments where this automatic detection can fail. If this happens, you can configure environment variables to explicitly set these URLs for your environment.

Procedure

Configure the following environment variables to override the default URLs:

  • REGISTRY_UI_CONFIG_APIURL: Specifies the URL for the core Apicurio Registry server REST API. For example, https://registry.my-domain.com/apis/registry

  • REGISTRY_UI_CONFIG_UIURL: Specifies the URL for the Apicurio Registry web console client. For example, https://registry.my-domain.com/ui

Configuring the web console in read-only mode

You can configure the Apicurio Registry web console in read-only mode as an optional feature. This mode disables all features in the Apicurio Registry web console that allow users to make changes to registered artifacts. For example, this includes the following:

  • Creating an artifact

  • Uploading a new version of an artifact

  • Updating an artifact’s metadata

  • Deleting an artifact

Procedure

Configure the following environment variable:

  • REGISTRY_UI_FEATURES_READONLY: Set to true to enable read-only mode. Defaults to false.

Configuring Apicurio Registry logging

You can set Apicurio Registry logging configuration at runtime. Apicurio Registry provides a REST endpoint to set the log level for specific loggers for finer-grained logging. This section explains how to view and set Apicurio Registry log levels at runtime using the Apicurio Registry /admin REST API.

Prerequisites
  • Get the URL to access your Apicurio Registry instance, or get your Apicurio Registry route if you have Apicurio Registry deployed on OpenShift. This simple example uses a URL of localhost:8080.

Procedure
  1. Use this curl command to obtain the current log level for the logger io.apicurio.registry.storage:

    $ curl -i localhost:8080/apis/registry/v2/admin/loggers/io.apicurio.registry.storage
    HTTP/1.1 200 OK
    [...]
    Content-Type: application/json
    {"name":"io.apicurio.registry.storage","level":"INFO"}
  2. Use this curl command to change the log level for the logger io.apicurio.registry.storage to DEBUG:

    $ curl -X PUT -i -H "Content-Type: application/json" --data '{"level":"DEBUG"}' localhost:8080/apis/registry/v2/admin/loggers/io.apicurio.registry.storage
    HTTP/1.1 200 OK
    [...]
    Content-Type: application/json
    {"name":"io.apicurio.registry.storage","level":"DEBUG"}
  3. Use this curl command to revert the log level for the logger io.apicurio.registry.storage to its default value:

    $ curl -X DELETE -i localhost:8080/apis/registry/v2/admin/loggers/io.apicurio.registry.storage
    HTTP/1.1 200 OK
    [...]
    Content-Type: application/json
    {"name":"io.apicurio.registry.storage","level":"INFO"}

Configuring Apicurio Registry event sourcing

You can configure Apicurio Registry to send events when changes are made to the registry. For example, Apicurio Registry can trigger events when schema and API artifacts are created, updated, deleted, and so on. You can configure Apicurio Registry to send events to your applications and to third-party integrations in this way.

There are different protocols available for transporting the events. The currently implemented protocols are HTTP and Apache Kafka. However, regardless of the protocol, the events are sent using the CNCF CloudEvents specification.

All of the event types are defined in io.apicurio.registry.events.dto.RegistryEventType. For example, the event types include:

  • io.apicurio.registry.artifact-created

  • io.apicurio.registry.artifact-updated

  • io.apicurio.registry.artifact-rule-created

  • io.apicurio.registry.global-rule-created

You can configure cloud events in Apicurio Registry using Java system properties or equivalent environment variables.

Prerequisites
  • You must have an application that you want to send Apicurio Registry cloud events to. For example, this can be a custom application or a third-party application.

Configuring Apicurio Registry event sourcing using HTTP

The example in this section shows a custom application running at http://my-app-host:8888/events.

Procedure
  1. When using the HTTP protocol, set your Apicurio Registry configuration to send events to your application as follows:

    • registry.events.sink.my-custom-consumer=http://my-app-host:8888/events

  2. If required, you can configure multiple event consumers as follows:

    • registry.events.sink.my-custom-consumer=http://my-app-host:8888/events

    • registry.events.sink.other-consumer=http://my-consumer.com/events
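
A consumer at the sink URL should check what it receives before acting on it. This added example, which is not Apicurio Registry code, validates one incoming HTTP request against the attributes CloudEvents 1.0 requires and an allowlist of the event types named above. It accepts both CloudEvents HTTP content modes because this page does not say which one the registry uses; the size cap, function names and sample values are assumptions.

```python
import json

# Event types named on this page; list only the ones your application handles.
HANDLED_TYPES = {
    "io.apicurio.registry.artifact-created",
    "io.apicurio.registry.artifact-updated",
    "io.apicurio.registry.artifact-rule-created",
    "io.apicurio.registry.global-rule-created",
}
REQUIRED = ("id", "source", "specversion", "type")  # required by CloudEvents 1.0
MAX_BODY = 1024 * 1024  # assumed cap for this example


class RejectedEvent(ValueError):
    """The request is not an event this consumer accepts."""


def parse_registry_event(headers, body):
    """Validate one POST to the sink URL and return the event as a dict."""
    if len(body) > MAX_BODY:
        raise RejectedEvent("body too large")
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/cloudevents+json":
        # Structured mode: attributes and data travel together in a JSON body.
        try:
            event = json.loads(body)
        except ValueError as exc:
            raise RejectedEvent("body is not valid JSON") from exc
        if not isinstance(event, dict):
            raise RejectedEvent("structured event must be a JSON object")
    else:
        # Binary mode: attributes travel as ce-* headers, the body is the data.
        event = {k[3:]: v for k, v in lowered.items() if k.startswith("ce-")}
        event["data"] = body
    missing = [a for a in REQUIRED
               if not isinstance(event.get(a), str) or not event[a]]
    if missing:
        raise RejectedEvent("missing attributes: " + ", ".join(missing))
    if event["specversion"] != "1.0":
        raise RejectedEvent("unsupported specversion")
    if event["type"] not in HANDLED_TYPES:
        raise RejectedEvent("unhandled event type: %r" % event["type"])
    return event


# Constructed sample request (binary mode); the id, source and body are made up.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "ce-id": "evt-0001",
    "ce-source": "apicurio-registry",
    "ce-specversion": "1.0",
    "ce-type": "io.apicurio.registry.artifact-created",
}
SAMPLE_BODY = b'{"artifactId": "orders-value"}'

if __name__ == "__main__":
    accepted = parse_registry_event(SAMPLE_HEADERS, SAMPLE_BODY)
    print("accepted", accepted["type"], "id", accepted["id"])
```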

Configuring Apicurio Registry event sourcing using Apache Kafka

The example in this section shows a Kafka topic named my-registry-events running on my-kafka-host:9092.

Procedure
  1. When using the Kafka protocol, set your Kafka topic as follows:

    • registry.events.kafka.topic=my-registry-events

  2. You can set the configuration for the Kafka producer using the KAFKA_BOOTSTRAP_SERVERS environment variable:

    • KAFKA_BOOTSTRAP_SERVERS=my-kafka-host:9092

      Alternatively, you can set the properties for the Kafka producer using the registry.events.kafka.config prefix, for example: registry.events.kafka.config.bootstrap.servers=my-kafka-host:9092

  3. If required, you can also set the Kafka topic partition to use to produce events:

    • registry.events.kafka.topic-partition=1

Additional resources

Configuring Apicurio Registry health checks on OpenShift

You can configure optional environment variables for liveness and readiness probes to monitor the health of the Apicurio Registry server on OpenShift:

  • Liveness probes test if the application can make progress. If the application cannot make progress, OpenShift automatically restarts the failing Pod.

  • Readiness probes test if the application is ready to process requests. If the application is not ready, it can become overwhelmed by requests, and OpenShift stops sending requests for the time that the probe fails. If other Pods are OK, they continue to receive requests.

The default values of the liveness and readiness environment variables are designed for most cases and should only be changed if required by your environment. Any changes to the defaults depend on your hardware, network, and amount of data stored. These values should be kept as low as possible to avoid unnecessary overhead.
Prerequisites
  • You must have an OpenShift cluster with cluster administrator access.

  • You must have already installed Apicurio Registry on OpenShift.

  • You must have already installed and configured your chosen Apicurio Registry storage in Strimzi or PostgreSQL.

Procedure
  1. In the OpenShift Container Platform web console, log in using an account with cluster administrator privileges.

  2. Click Installed Operators > Apicurio Registry.

  3. On the ApicurioRegistry tab, click the Operator custom resource for your deployment, for example, example-apicurioregistry.

  4. In the main overview page, find the Deployment Name section and the corresponding DeploymentConfig name for your Apicurio Registry deployment, for example, example-apicurioregistry.

  5. In the left navigation menu, click Workloads > Deployment Configs, and select your DeploymentConfig name.

  6. Click the Environment tab, and enter your environment variables in the Single values env section, for example:

    • NAME: LIVENESS_STATUS_RESET

    • VALUE: 350

  7. Click Save at the bottom.

    Alternatively, you can perform these steps using the OpenShift oc command. For more details, see the OpenShift CLI documentation.

Environment variables for Apicurio Registry health checks

This section describes the available environment variables for Apicurio Registry health checks on OpenShift. These include liveness and readiness probes to monitor the health of the Apicurio Registry server on OpenShift. For an example procedure, see Configuring Apicurio Registry health checks on OpenShift.

The following environment variables are provided for reference only. The default values are designed for most cases and should only be changed if required by your environment. Any changes to the defaults depend on your hardware, network, and amount of data stored. These values should be kept as low as possible to avoid unnecessary overhead.

Liveness environment variables

Table 15. Environment variables for Apicurio Registry liveness probes

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| LIVENESS_ERROR_THRESHOLD | Number of liveness issues or errors that can occur before the liveness probe fails. | Integer | 1 |
| LIVENESS_COUNTER_RESET | Period in which the threshold number of errors must occur. For example, if this value is 60 and the threshold is 1, the check fails after two errors occur in 1 minute. | Seconds | 60 |
| LIVENESS_STATUS_RESET | Number of seconds that must elapse without any more errors for the liveness probe to reset to OK status. | Seconds | 300 |
| LIVENESS_ERRORS_IGNORED | Comma-separated list of ignored liveness exceptions. | String | io.grpc.StatusRuntimeException,org.apache.kafka.streams.errors.InvalidStateStoreException |

Because OpenShift automatically restarts a Pod that fails a liveness check, the liveness settings, unlike readiness settings, do not directly affect behavior of Apicurio Registry on OpenShift.

Readiness environment variables

Table 16. Environment variables for Apicurio Registry readiness probes

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| READINESS_ERROR_THRESHOLD | Number of readiness issues or errors that can occur before the readiness probe fails. | Integer | 1 |
| READINESS_COUNTER_RESET | Period in which the threshold number of errors must occur. For example, if this value is 60 and the threshold is 1, the check fails after two errors occur in 1 minute. | Seconds | 60 |
| READINESS_STATUS_RESET | Number of seconds that must elapse without any more errors for the liveness probe to reset to OK status. In this case, this means how long the Pod stays not ready, until it returns to normal operation. | Seconds | 300 |
| READINESS_TIMEOUT | Readiness tracks the timeout of two operations: how long it takes for storage requests to complete, and how long it takes for HTTP REST API requests to return a response. If these operations take more time than the configured timeout, this is counted as a readiness issue or error. This value controls the timeouts for both operations. | Seconds | 5 |

All the available Apicurio Registry configuration options

This section contains a list of the configuration options available for Apicurio Registry.

Category api:

Table 17. Category api configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.api.errors.include-stack-in-response | boolean | false | 2.1.4.Final | Include stack trace in errors responses |
| registry.disable.apis | optional<list<string>> | | 2.0.0.Final | Disable APIs |

Category auth:

Table 18. Category auth configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| quarkus.oidc.client-id | string | | 2.0.0.Final | OIDC client ID |
| registry.auth.admin-override.claim | string | org-admin | 2.1.0.Final | Auth admin override claim |
| registry.auth.admin-override.claim-value | string | true | 2.1.0.Final | Auth admin override claim value |
| registry.auth.admin-override.enabled | boolean | false | 2.1.0.Final | Auth admin override enabled |
| registry.auth.admin-override.from | string | token | 2.1.0.Final | Auth admin override from |
| registry.auth.admin-override.role | string | sr-admin | 2.1.0.Final | Auth admin override role |
| registry.auth.admin-override.type | string | role | 2.1.0.Final | Auth admin override type |
| registry.auth.anonymous-read-access.enabled | boolean [dynamic] | false | 2.1.0.Final | Anonymous read access |
| registry.auth.authenticated-read-access.enabled | boolean [dynamic] | false | 2.1.4.Final | Authenticated read access |
| registry.auth.basic-auth-client-credentials.enabled | boolean [dynamic] | false | 2.1.0.Final | Enable basic auth client credentials |
| registry.auth.client-secret | optional<string> | | 2.1.0.Final | Auth client secret |
| registry.auth.enabled | boolean | false | 2.0.0.Final | Enable authentication |
| registry.auth.owner-only-authorization | boolean [dynamic] | false | 2.0.0.Final | Artifact owner-only authorization |
| registry.auth.owner-only-authorization.limit-group-access | boolean [dynamic] | false | 2.1.0.Final | Artifact group owner-only authorization |
| registry.auth.role-based-authorization | boolean | false | 2.1.0.Final | Enable role based authorization |
| registry.auth.role-source | string | token | 2.1.0.Final | Auth roles source |
| registry.auth.roles.admin | string | sr-admin | 2.0.0.Final | Auth roles admin |
| registry.auth.roles.developer | string | sr-developer | 2.1.0.Final | Auth roles developer |
| registry.auth.roles.readonly | string | sr-readonly | 2.1.0.Final | Auth roles readonly |
| registry.auth.tenant-owner-is-admin.enabled | boolean | true | 2.1.0.Final | Auth tenant owner admin enabled |
| registry.auth.token.endpoint | string | | 2.1.0.Final | Auth token endpoint |

Category cache:

Table 19. Category cache configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.config.cache.enabled | boolean | true | 2.2.2.Final | Registry cache enabled |

Category ccompat:

Table 20. Category ccompat configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.ccompat.legacy-id-mode.enabled | boolean [dynamic] | false | 2.0.2.Final | Legacy ID mode (compatibility API) |
| registry.ccompat.max-subjects | integer [dynamic] | 1000 | 2.4.2.Final | Maximum number of Subjects returned (compatibility API) |
| registry.ccompat.use-canonical-hash | boolean [dynamic] | false | 2.3.0.Final | Canonical hash mode (compatibility API) |

Category download:

Table 21. Category download configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.download.href.ttl | long [dynamic] | 30 | 2.1.2.Final | Download link expiry |

Category events:

Table 22. Category events configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.events.ksink | optional<string> | | 2.0.0.Final | Events Kafka sink enabled |

Category health:

Table 23. Category health configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.liveness.errors.ignored | optional<list<string>> | | 1.2.3.Final | Ignored liveness errors |
| registry.metrics.PersistenceExceptionLivenessCheck.counterResetWindowDurationSec | integer | 60 | 1.0.2.Final | Counter reset window duration of persistence liveness check |
| registry.metrics.PersistenceExceptionLivenessCheck.disableLogging | boolean | false | 2.0.0.Final | Disable logging of persistence liveness check |
| registry.metrics.PersistenceExceptionLivenessCheck.errorThreshold | integer | 1 | 1.0.2.Final | Error threshold of persistence liveness check |
| registry.metrics.PersistenceExceptionLivenessCheck.statusResetWindowDurationSec | integer | 300 | 1.0.2.Final | Status reset window duration of persistence liveness check |
| registry.metrics.PersistenceTimeoutReadinessCheck.counterResetWindowDurationSec | integer | 60 | 1.0.2.Final | Counter reset window duration of persistence readiness check |
| registry.metrics.PersistenceTimeoutReadinessCheck.errorThreshold | integer | 5 | 1.0.2.Final | Error threshold of persistence readiness check |
| registry.metrics.PersistenceTimeoutReadinessCheck.statusResetWindowDurationSec | integer | 300 | 1.0.2.Final | Status reset window duration of persistence readiness check |
| registry.metrics.PersistenceTimeoutReadinessCheck.timeoutSec | integer | 15 | 1.0.2.Final | Timeout of persistence readiness check |
| registry.metrics.ResponseErrorLivenessCheck.counterResetWindowDurationSec | integer | 60 | 1.0.2.Final | Counter reset window duration of response liveness check |
| registry.metrics.ResponseErrorLivenessCheck.disableLogging | boolean | false | 2.0.0.Final | Disable logging of response liveness check |
| registry.metrics.ResponseErrorLivenessCheck.errorThreshold | integer | 1 | 1.0.2.Final | Error threshold of response liveness check |
| registry.metrics.ResponseErrorLivenessCheck.statusResetWindowDurationSec | integer | 300 | 1.0.2.Final | Status reset window duration of response liveness check |
| registry.metrics.ResponseTimeoutReadinessCheck.counterResetWindowDurationSec | integer | 60 | 1.0.2.Final | Counter reset window duration of response readiness check |
| registry.metrics.ResponseTimeoutReadinessCheck.errorThreshold | integer | 1 | 1.0.2.Final | Error threshold of response readiness check |
| registry.metrics.ResponseTimeoutReadinessCheck.statusResetWindowDurationSec | integer | 300 | 1.0.2.Final | Status reset window duration of response readiness check |
| registry.metrics.ResponseTimeoutReadinessCheck.timeoutSec | integer | 10 | 1.0.2.Final | Timeout of response readiness check |
| registry.storage.metrics.cache.check-period | long | 30000 | 2.1.0.Final | Storage metrics cache check period |

Category import:

Table 24. Category import configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.import.url | optional<url> | | 2.1.0.Final | The import URL |

Category kafka:

Table 25. Category kafka configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.events.kafka.topic | optional<string> | | 2.0.0.Final | Events Kafka topic |
| registry.events.kafka.topic-partition | optional<integer> | | 2.0.0.Final | Events Kafka topic partition |

Category limits:

Table 26. Category limits configuration options

| Name | Type | Default | Available from | Description |
| --- | --- | --- | --- | --- |
| registry.limits.config.cache.check-period | long | 30000 | 2.1.0.Final | Cache check period limit |
| registry.limits.config.max-artifact-labels | long | -1 | 2.2.3.Final | Max artifact labels |
| registry.limits.config.max-artifact-properties | long | -1 | 2.1.0.Final | Max artifact properties |
| registry.limits.config.max-artifacts | long | -1 | 2.1.0.Final | Max artifacts |
| registry.limits.config.max-description-length | long | -1 | 2.1.0.Final | Max artifact description length |
| registry.limits.config.max-label-size | long | -1 | 2.1.0.Final | Max artifact label size |
| registry.limits.config.max-name-length | long | -1 | 2.1.0.Final | Max artifact name length |
| registry.limits.config.max-property-key-size | long | -1 | 2.1.0.Final | Max artifact property key size |
| registry.limits.config.max-property-value-size | long | -1 | 2.1.0.Final | Max artifact property value size |
| registry.limits.config.max-requests-per-second | long | -1 | 2.2.3.Final | Max artifact requests per second |
| registry.limits.config.max-schema-size-bytes | long | -1 | 2.2.3.Final | Max schema size (bytes) |
| registry.limits.config.max-total-schemas | long | -1 | 2.1.0.Final | Max total schemas |
| registry.limits.config.max-versions-per-artifact | long | -1 | 2.1.0.Final | Max versions per artifacts |

Category log:

Table 27. Category log configuration options
| Name | Type | Default | Available from | Description |
|---|---|---|---|---|
| quarkus.log.level | string | | 2.0.0.Final | Log level |

Category mt:

Table 28. Category mt configuration options
| Name | Type | Default | Available from | Description |
|---|---|---|---|---|
| registry.enable.multitenancy | boolean | false | 2.0.0.Final | Enable multitenancy |
| registry.multitenancy.authorization.enabled | boolean | true | 2.1.0.Final | Enable multitenancy authorization |
| registry.multitenancy.reaper.every | optional<string> | | 2.1.0.Final | Multitenancy reaper every |
| registry.multitenancy.reaper.max-tenants-reaped | int | 100 | 2.1.0.Final | Multitenancy reaper max tenants reaped |
| registry.multitenancy.reaper.period-seconds | long | 10800 | 2.1.0.Final | Multitenancy reaper period seconds |
| registry.multitenancy.types.context-path.base-path | string | t | 2.1.0.Final | Multitenancy context path type base path |
| registry.multitenancy.types.context-path.enabled | boolean | true | 2.1.0.Final | Enable multitenancy context path type |
| registry.multitenancy.types.request-header.enabled | boolean | true | 2.1.0.Final | Enable multitenancy request header type |
| registry.multitenancy.types.request-header.name | string | X-Registry-Tenant-Id | 2.1.0.Final | Multitenancy request header type name |
| registry.multitenancy.types.subdomain.enabled | boolean | false | 2.1.0.Final | Enable multitenancy subdomain type |
| registry.multitenancy.types.subdomain.header-name | string | Host | 2.1.0.Final | Multitenancy subdomain type header name |
| registry.multitenancy.types.subdomain.location | string | header | 2.1.0.Final | Multitenancy subdomain type location |
| registry.multitenancy.types.subdomain.pattern | string | (\w[\w\d\-]*)\.localhost\.local | 2.1.0.Final | Multitenancy subdomain type pattern |
| registry.organization-id.claim-name | list<string> | | 2.1.0.Final | Organization ID claim name |
| registry.tenant.manager.auth.client-id | optional<string> | | 2.1.0.Final | Tenant manager auth client ID |
| registry.tenant.manager.auth.client-secret | optional<string> | | 2.1.0.Final | Tenant manager auth client secret |
| registry.tenant.manager.auth.enabled | optional<boolean> | | 2.1.0.Final | Tenant manager auth enabled |
| registry.tenant.manager.auth.token.expiration.reduction.ms | optional<long> | | 2.2.0.Final | Tenant manager auth token expiration reduction ms |
| registry.tenant.manager.auth.url.configured | optional<string> | | 2.1.0.Final | Tenant manager auth URL configured |
| registry.tenant.manager.ssl.ca.path | optional<string> | | 2.2.0.Final | Tenant manager SSL CA path |
| registry.tenant.manager.url | optional<string> | | 2.0.0.Final | Tenant manager URL |
| registry.tenants.context.cache.check-period | long | 60000 | 2.1.0.Final | Tenants context cache check period |

Category redirects:

Table 29. Category redirects configuration options
| Name | Type | Default | Available from | Description |
|---|---|---|---|---|
| registry.enable-redirects | boolean | | 2.1.2.Final | Enable redirects |
| registry.redirects | map<string, string> | | 2.1.2.Final | Registry redirects |

Category rest:

Table 30. Category rest configuration options
| Name | Type | Default | Available from | Description |
|---|---|---|---|---|
| registry.rest.artifact.download.maxSize | int | 1000000 | 2.2.6-SNAPSHOT | Max size of the artifact allowed to be downloaded from URL |
| registry.rest.artifact.download.skipSSLValidation | boolean | false | 2.2.6-SNAPSHOT | Skip SSL validation when downloading artifacts from URL |

Category store:

Table 31. Category store configuration options
| Name | Type | Default | Available from | Description |
|---|---|---|---|---|
| quarkus.datasource.db-kind | string | postgresql | 2.0.0.Final | Datasource DB kind |
| quarkus.datasource.jdbc.url | string | | 2.1.0.Final | Datasource JDBC URL |
| registry.sql.init | boolean | true | 2.0.0.Final | SQL init |

Category ui:

Table 32. Category ui configuration options
| Name | Type | Default | Available from | Description |
|---|---|---|---|---|
| quarkus.oidc.tenant-enabled | boolean | false | 2.0.0.Final | UI OIDC tenant enabled |
| registry.ui.config.apiUrl | string | | 1.3.0.Final | UI APIs URL |
| registry.ui.config.auth.oidc.client-id | string | none | 2.2.6.Final | UI auth OIDC client ID |
| registry.ui.config.auth.oidc.redirect-url | string | none | 2.2.6.Final | UI auth OIDC redirect URL |
| registry.ui.config.auth.oidc.url | string | none | 2.2.6.Final | UI auth OIDC URL |
| registry.ui.config.auth.type | string | none | 2.2.6.Final | UI auth type |
| registry.ui.config.uiContextPath | string | /ui/ | 2.1.0.Final | UI context path |
| registry.ui.features.readOnly | boolean [dynamic] | false | 1.2.0.Final | UI read-only mode |
| registry.ui.features.settings | boolean | false | 2.2.2.Final | UI features settings |
| registry.ui.root | string | | 2.3.0.Final | Overrides the UI root context (useful when relocating the UI context using an inbound proxy) |