Configuring Apicurio Registry security options
This chapter explains how to set configuration options for Apicurio Registry security. For example, this includes authentication in Keycloak or Microsoft Azure Active Directory and role-based authorization in Apicurio Registry.
For a list of all available configuration options, see Apicurio Registry configuration reference. |
Configuring Apicurio Registry authentication and authorization with Keycloak
This section explains how to manually configure authentication and authorization options for Apicurio Registry and Keycloak.
Alternatively, for details on how to configure these settings automatically, see the Apicurio Registry Operator documentation. |
The Apicurio Registry web console and core REST API support authentication in Keycloak based on OAuth and OpenID Connect (OIDC). The same Keycloak realm and users are federated across the Apicurio Registry web console and core REST API using OpenID Connect so that you only require one set of credentials.
Apicurio Registry provides role-based authorization for default admin, write, and read-only user roles. Apicurio Registry provides content-based authorization at the schema or API level, where only the creator of the registry artifact can update or delete it. Apicurio Registry authentication and authorization settings are disabled by default.
-
Keycloak is installed and running. For more details, see the Keycloak user documentation.
-
Apicurio Registry is installed and running.
-
In the Keycloak Admin Console, create a Keycloak realm for Apicurio Registry. By default, Apicurio Registry expects a realm name of
registry
. For details on creating realms, see the Keycloak user documentation. -
Create a Keycloak client for the Apicurio Registry API. By default, Apicurio Registry expects the following settings:
-
Client ID:
registry-api
-
Client Protocol:
openid-connect
-
Access Type:
bearer-only
You can use the defaults for the other client settings.
If you are using Keycloak service accounts, the client Access Type must be confidential
instead ofbearer-only
.
-
-
Create a Keycloak client for the Apicurio Registry web console. By default, Apicurio Registry expects the following settings:
-
Client ID:
apicurio-registry
-
Client Protocol:
openid-connect
-
Access Type:
public
-
Valid Redirect URLs:
http://my-registry-url:8080/*
-
Web Origins:
+
You can use the defaults for the other client settings.
-
-
In your Apicurio Registry deployment on OpenShift, set the following Apicurio Registry environment variables to configure authentication using Keycloak:
Table 1. Configuration for Apicurio Registry authentication with Keycloak Environment variable Description Type Default QUARKUS_OIDC_TENANT_ENABLED
Enables authentication for Apicurio Registry. When set to
true
, the environment variables that follow are required for authentication using Keycloak.String
false
QUARKUS_OIDC_AUTH_SERVER_URL
The URL of the Keycloak authentication server. For example,
http://localhost:8080
.String
-
QUARKUS_OIDC_CLIENT_ID
The client ID for the Apicurio Registry REST API.
String
registry-api
APICURIO_UI_AUTH_OIDC_CLIENT_ID
The client ID for the Apicurio Registry web console.
String
apicurio-registry
For an example of setting environment variables on OpenShift, see [configuring-liveness-readiness-probes_registry]. -
Set the following option to
true
to enable Apicurio Registry user roles in Keycloak:Table 2. Configuration for Apicurio Registry role-based authorization Environment variable Java system property Type Default value APICURIO_AUTH_ROLE_BASED_AUTHORIZATION
apicurio.auth.role-based-authorization
Boolean
false
-
When Apicurio Registry user roles are enabled, you must assign Apicurio Registry users to at least one of the following default user roles in your Keycloak realm:
Table 3. Default user roles for registry authentication and authorization Role Read artifacts Write artifacts Global rules Summary sr-admin
Yes
Yes
Yes
Full access to all create, read, update, and delete operations.
sr-developer
Yes
Yes
No
Access to create, read, update, and delete operations, except configuring global rules. This role can configure artifact-specific rules.
sr-readonly
Yes
No
No
Access to read and search operations only. This role cannot configure any rules.
-
Set the following to
true
to enable owner-only authorization for updates to schema and API artifacts in Apicurio Registry:Table 4. Configuration for owner-only authorization Environment variable Java system property Type Default value APICURIO_AUTH_OWNER_ONLY_AUTHORIZATION
apicurio.auth.owner-only-authorization
Boolean
false
-
For details on configuring non-default user role names, see Apicurio Registry authentication and authorization configuration options.
-
For an open source example application and Keycloak realm, see Docker Compose example of Apicurio Registry with Keycloak.
-
For details on how to use Keycloak in a production environment, see the Keycloak documentation.
Configuring Apicurio Registry authentication and authorization with Microsoft Azure Active Directory
This section explains how to manually configure authentication and authorization options for Apicurio Registry and Microsoft Azure Active Directory (Azure AD).
The Apicurio Registry web console and core REST API support authentication in Azure AD based on OpenID Connect (OIDC) and the OAuth Authorization Code Flow. Apicurio Registry provides role-based authorization for default admin, write, and read-only user roles. Apicurio Registry authentication and authorization settings are disabled by default.
To secure Apicurio Registry with Azure AD, you require a valid directory in Azure AD with specific configuration. This involves registering the Apicurio Registry application in the Azure AD portal with recommended settings and configuring environment variables in Apicurio Registry.
-
Azure AD is installed and running. For more details, see the Microsoft Azure AD user documentation.
-
Apicurio Registry is installed and running.
-
Log in to the Azure AD portal using your email address or GitHub account.
-
In the navigation menu, select Manage > App registrations > New registration, and complete the following settings:
-
Name: Enter your application name. For example:
apicurio-registry-example
-
Supported account types: Click Accounts in any organizational directory.
-
Redirect URI: Select Single-page application from the list, and enter your Apicurio Registry web console application host. For example:
https://test-registry.com/ui/
You must register your Apicurio Registry application host as a Redirect URI. When logging in, users are redirected from Apicurio Registry to Azure AD for authentication, and you want to send them back to your application afterwards. Azure AD does not allow any redirect URLs that are not registered.
-
-
Click Register. You can view your app registration details by selecting Manage > App registrations > apicurio-registry-example.
-
Select Manage > Authentication and ensure that the application is configured with your redirect URLs and tokens as follows:
-
Redirect URIs: For example:
https://test-registry.com/ui/
-
Implicit grant and hybrid flows: Click ID tokens (used for implicit and hybrid flows)
-
-
Select Azure AD > Admin > App registrations > Your app > Application (client) ID. For example:
123456a7-b8c9-012d-e3f4-5fg67h8i901
-
Select Azure AD > Admin > App registrations > Your app > Directory (tenant) ID. For example:
https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0
-
In Apicurio Registry, configure the following environment variables with your Azure AD settings:
Table 5. Configuration for Azure AD settings in Apicurio Registry Environment variable Description Setting QUARKUS_OIDC_CLIENT_ID
The client application ID for the Apicurio Registry REST API
Your Azure AD Application (client) ID obtained in step 5. For example:
123456a7-b8c9-012d-e3f4-5fg67h8i901
APICURIO_OIDC_UI_CLIENT_ID
The client application ID for the Apicurio Registry web console.
Your Azure AD Application (client) ID obtained in step 5. For example:
123456a7-b8c9-012d-e3f4-5fg67h8i901
QUARKUS_OIDC_AUTH_SERVER_URL
The URL for authentication in Azure AD.
Your Azure AD Application (tenant) ID obtained in step 6. For example:
https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0
. -
In Apicurio Registry, configure the following environment variables for Apicurio Registry-specific settings:
Table 6. Configuration for Apicurio Registry-specific settings Environment variable Description Setting QUARKUS_OIDC_TENANT_ENABLED
Enables authentication for Apicurio Registry.
true
APICURIO_UI_AUTH_TYPE
The Apicurio Registry authentication type.
oidc
QUARKUS_HTTP_CORS_ORIGINS
The host for your Apicurio Registry deployment for cross-origin resource sharing (CORS).
For example:
https://test-registry.com
APICURIO_OIDC_UI_REDIRECT_URL
The host for your Apicurio Registry web console.
For example:
https://test-registry.com/ui
APICURIO_AUTH_ROLE_BASED_AUTHORIZATION
Enables role-based authorization in Apicurio Registry.
true
QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH
The name of the claim in which Azure AD stores roles.
roles
When you enable roles in Apicurio Registry, you must also create the same roles in Azure AD as application roles. The default roles expected by Apicurio Registry are sr-admin
,sr-developer
, andsr-readonly
.
-
For details on configuring non-default user role names, see Apicurio Registry authentication and authorization configuration options.
-
For more details on using Azure AD, see the Microsoft Azure AD user documentation.
Apicurio Registry authentication and authorization configuration options
Apicurio Registry provides authentication options for OpenID Connect with Keycloak and HTTP basic authentication.
Apicurio Registry provides authorization options for role-based and content-based approaches:
-
Role-based authorization for default admin, write, and read-only user roles.
-
Content-based authorization for schema or API artifacts, where only the owner of the artifacts or artifact group can update or delete artifacts.
All authentication and authorization options in Apicurio Registry are disabled by default. Before enabling any of these options, you must first set the QUARKUS_OIDC_TENANT_ENABLED option to true .
|
This chapter provides details on the following configuration options:
Apicurio Registry authentication by using OpenID Connect with Keycloak
You can set the following environment variables to configure authentication for the Apicurio Registry web console and API with Keycloak:
Environment variable | Description | Type | Default |
---|---|---|---|
|
Enables authentication for Apicurio Registry. When set to |
String |
|
|
The URL of the Keycloak authentication server. For example, |
String |
- |
|
The client ID for the Apicurio Registry REST API. |
String |
|
|
The client ID for the Apicurio Registry web console. |
String |
|
Apicurio Registry authentication by using HTTP basic
By default, Apicurio Registry supports authentication by using OpenID Connect. Users or API clients must obtain an access token to make authenticated calls to the Apicurio Registry REST API. However, because some tools do not support OpenID Connect, you can also configure Apicurio Registry to support HTTP basic authentication by setting the following configuration options to true
:
Environment variable | Java system property | Type | Default value |
---|---|---|---|
|
|
Boolean |
|
|
|
Boolean |
|
Apicurio Registry HTTP basic client credentials cache expiry
You can also configure the HTTP basic client credentials cache expiry time. By default, when using HTTP basic authentication, Apicurio Registry caches JWT tokens, and does not issue a new token when there is no need. You can configure the cache expiry time for JWT tokens, which is set to 10 mins by default.
When using Keycloak, it is best to set this configuration to your Keycloak JWT expiry time minus one minute. For example, if you have the expiry time set to 5
mins in Keycloak, you should set the following configuration option to 4
mins:
Environment variable | Java system property | Type | Default value |
---|---|---|---|
|
|
Integer |
|
Apicurio Registry role-based authorization
You can set the following options to true
to enable role-based authorization in Apicurio Registry:
Environment variable | Java system property | Type | Default value |
---|---|---|---|
|
|
Boolean |
|
|
|
Boolean |
|
You can then configure role-based authorization to use roles included in the user’s authentication token (for example, granted when authenticating by using Keycloak), or to use role mappings managed internally by Apicurio Registry.
Use roles assigned in Keycloak
To enable using roles assigned by Keycloak, set the following environment variables:
Environment variable | Description | Type | Default |
---|---|---|---|
|
When set to |
String |
|
|
The name of the role that indicates a user is an admin. |
String |
|
|
The name of the role that indicates a user is a developer. |
String |
|
|
The name of the role that indicates a user has read-only access. |
String |
|
When Apicurio Registry is configured to use roles from Keycloak, you must assign Apicurio Registry users to at least one of the following user roles in Keycloak. However, you can configure different user role names by using the environment variables in Configuration for Apicurio Registry role-based authorization by using Keycloak.
Role name | Read artifacts | Write artifacts | Global rules | Description |
---|---|---|---|---|
|
Yes |
Yes |
Yes |
Full access to all create, read, update, and delete operations. |
|
Yes |
Yes |
No |
Access to create, read, update, and delete operations, except configuring global rules and import/export. This role can configure artifact-specific rules only. |
|
Yes |
No |
No |
Access to read and search operations only. This role cannot configure any rules. |
Manage roles directly in Apicurio Registry
To enable using roles managed internally by Apicurio Registry, set the following environment variable:
Environment variable | Description | Type | Default |
---|---|---|---|
|
When set to |
String |
|
When using internally managed role mappings, users can be assigned a role by using the /admin/roleMappings
endpoint in the Apicurio Registry REST API. For more details, see Apicurio Registry REST API documentation.
Users can be granted exactly one role: ADMIN
, DEVELOPER
, or READ_ONLY
. Only users with admin
privileges can grant access to other users.
Apicurio Registry admin-override configuration
Because there are no default admin users in Apicurio Registry, it is usually helpful to configure another way for users to be identified as admins. You can configure this admin-override feature by using the following environment variables:
Environment variable | Description | Type | Default |
---|---|---|---|
|
Enables the admin-override feature. |
String |
|
|
Where to look for admin-override information. Only |
String |
|
|
The type of information used to determine if a user is an admin. Values depend on the value of the FROM variable, for example, |
String |
|
|
The name of the role that indicates a user is an admin. |
String |
|
|
The name of a JWT token claim to use for determining admin-override. |
String |
|
|
The value that the JWT token claim indicated by the CLAIM variable must be for the user to be granted admin-override. |
String |
|
For example, you can use this admin-override feature to assign the sr-admin
role to a single user
in Keycloak, which grants that user the admin role. That user can then use the /admin/roleMappings
REST API (or associated UI) to grant roles to additional users (including additional admins).
Apicurio Registry owner-only authorization
You can set the following options to true
to enable owner-only authorization for updates to artifacts or artifact groups in Apicurio Registry:
Environment variable | Java system property | Type | Default value |
---|---|---|---|
|
|
Boolean |
|
|
|
Boolean |
|
|
|
Boolean |
|
When owner-only authorization is enabled, only the user who created an artifact can modify or delete that artifact.
When owner-only authorization and group owner-only authorization are both enabled, only the user who created an artifact group has write access to that artifact group, for example, to add or remove artifacts in that group.
Apicurio Registry authenticated read access
When the authenticated read access option is enabled, Apicurio Registry grants at least read-only access to requests from any authenticated user in the same organization, regardless of their user role.
To enable authenticated read access, you must first enable role-based authorization, and then ensure that the following options are set to true
:
Environment variable | Java system property | Type | Default value |
---|---|---|---|
|
|
Boolean |
|
|
|
Boolean |
|
For more details, see Apicurio Registry role-based authorization.
Apicurio Registry anonymous read-only access
In addition to the two main types of authorization (role-based and owner-based authorization), Apicurio Registry supports an anonymous read-only access option.
To allow anonymous users, such as REST API calls with no authentication credentials, to make read-only
calls to the REST API, set the following options to true
:
Environment variable | Java system property | Type | Default value |
---|---|---|---|
|
|
Boolean |
|
|
|
Boolean |
|
-
For an example of how to set environment variables in your Apicurio Registry deployment on OpenShift, see [configuring-liveness-readiness-probes_registry]
-
For details on configuring custom authentication for Apicurio Registry, the see Quarkus Open ID Connect documentation