{registry} provides authentication options for OpenID Connect with {keycloak} and HTTP basic authentication.
{registry} provides authorization options for role-based and content-based approaches:
- Role-based authorization for default admin, write, and read-only user roles.
- Content-based authorization for schema or API artifacts, where only the owner of the artifacts or artifact group can update or delete artifacts.
Important: All authentication and authorization options in {registry} are disabled by default. Before enabling any of these options, you must first set the AUTH_ENABLED option to true.
This chapter provides details on the following configuration options:
You can set the following environment variables to configure authentication for the {registry} web console and API with {keycloak}:
| Environment variable | Description | Type | Default |
|---|---|---|---|
| | Enables authentication for {registry}. When set to | String | |
| | The URL of the {keycloak} authentication server. For example, | String | - |
| | The {keycloak} realm for authentication. For example, | String | - |
| | The client ID for the {registry} REST API. | String | |
| | The client ID for the {registry} web console. | String | |
By default, {registry} supports authentication by using OpenID Connect. Users or API clients must obtain an access token to make authenticated calls to the {registry} REST API. However, because some tools do not support OpenID Connect, you can also configure {registry} to support HTTP basic authentication by setting the following configuration options to true:

| Environment variable | Java system property | Type | Default value |
|---|---|---|---|
| | | Boolean | |
| | | Boolean | |
You can also configure the HTTP basic client credentials cache expiry time. By default, when using HTTP basic authentication, {registry} caches JWT tokens, and does not issue a new token when there is no need. You can configure the cache expiry time for JWT tokens, which is set to 10 mins by default.
When using {keycloak}, it is best to set this configuration to your {keycloak} JWT expiry time minus one minute. For example, if you have the expiry time set to 5 mins in {keycloak}, you should set the following configuration option to 4 mins:

| Environment variable | Java system property | Type | Default value |
|---|---|---|---|
| | | Integer | |
You can set the following options to true to enable role-based authorization in {registry}:

| Environment variable | Java system property | Type | Default value |
|---|---|---|---|
| | | Boolean | |
| | | Boolean | |
You can then configure role-based authorization to use roles included in the user’s authentication token (for example, granted when authenticating by using {keycloak}), or to use role mappings managed internally by {registry}.
To enable using roles assigned by {keycloak}, set the following environment variables:
| Environment variable | Description | Type | Default |
|---|---|---|---|
| | When set to | String | |
| | The name of the role that indicates a user is an admin. | String | |
| | The name of the role that indicates a user is a developer. | String | |
| | The name of the role that indicates a user has read-only access. | String | |
When {registry} is configured to use roles from {keycloak}, you must assign {registry} users to at least one of the following user roles in {keycloak}. However, you can configure different user role names by using the environment variables in Configuration for {registry} role-based authorization by using {keycloak}.
| Role name | Read artifacts | Write artifacts | Global rules | Description |
|---|---|---|---|---|
| | Yes | Yes | Yes | Full access to all create, read, update, and delete operations. |
| | Yes | Yes | No | Access to create, read, update, and delete operations, except configuring global rules and import/export. This role can configure artifact-specific rules only. |
| | Yes | No | No | Access to read and search operations only. This role cannot configure any rules. |
To enable using roles managed internally by {registry}, set the following environment variable:
| Environment variable | Description | Type | Default |
|---|---|---|---|
| | When set to | String | |
When using internally managed role mappings, users can be assigned a role by using the /admin/roleMappings endpoint in the {registry} REST API. For more details, see {registry-rest-api}.
Users can be granted exactly one role: ADMIN, DEVELOPER, or READ_ONLY. Only users with admin privileges can grant access to other users.
Because there are no default admin users in {registry}, it is usually helpful to configure another way for users to be identified as admins. You can configure this admin-override feature by using the following environment variables:
| Environment variable | Description | Type | Default |
|---|---|---|---|
| | Enables the admin-override feature. | String | |
| | Where to look for admin-override information. Only | String | |
| | The type of information used to determine if a user is an admin. Values depend on the value of the FROM variable, for example, | String | |
| | The name of the role that indicates a user is an admin. | String | |
| | The name of a JWT token claim to use for determining admin-override. | String | |
| | The value that the JWT token claim indicated by the CLAIM variable must be for the user to be granted admin-override. | String | |
For example, you can use this admin-override feature to assign the sr-admin role to a single user in {keycloak}, which grants that user the admin role. That user can then use the /admin/roleMappings REST API (or associated UI) to grant roles to additional users (including additional admins).
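The role-resolution rules above (roles taken from the token with configurable role names, internally managed mappings, and the admin-override check by role or by claim) as an added illustrative model in Python; this is not {registry}'s own code. The configuration keys, the `token`/`internal` source values, the `sr-developer`/`sr-readonly` role names, the `org-admin` claim and the Keycloak `realm_access.roles` token layout are all assumptions made for the example.

```python
from typing import Optional

ADMIN, DEVELOPER, READ_ONLY = "ADMIN", "DEVELOPER", "READ_ONLY"

# Constructed configuration for this model; the keys are hypothetical and
# deliberately do not reproduce the real option names from the tables above.
CONFIG = {
    "role_source": "token",  # "token": roles from the IdP; "internal": registry-managed mappings
    "role_names": {"admin": "sr-admin", "developer": "sr-developer", "readonly": "sr-readonly"},
    "admin_override": {
        "enabled": True,
        "from": "token",       # the only supported source, per the table above
        "type": "claim",       # assumed values: "role" or "claim"
        "role": "sr-admin",
        "claim": "org-admin",  # constructed claim name
        "claim_value": "true",
    },
}

# Internally managed mappings, as granted via /admin/roleMappings (constructed).
ROLE_MAPPINGS = {"alice": ADMIN, "bob": DEVELOPER}

def token_roles(token: dict) -> set:
    """Realm roles as Keycloak places them in an access token (assumed layout)."""
    return set(token.get("realm_access", {}).get("roles", []))

def admin_override(token: dict, cfg: dict) -> bool:
    """True if the token satisfies the admin-override rule (by role or by claim)."""
    ov = cfg["admin_override"]
    if not ov["enabled"] or ov["from"] != "token":
        return False
    if ov["type"] == "role":
        return ov["role"] in token_roles(token)
    if ov["type"] == "claim":
        return token.get(ov["claim"]) == ov["claim_value"]
    return False

def effective_role(token: dict, cfg: dict = CONFIG, mappings: dict = ROLE_MAPPINGS) -> Optional[str]:
    """Resolve the single registry role for a caller, or None if it has no role."""
    if admin_override(token, cfg):
        return ADMIN  # override is checked first in this model
    if cfg["role_source"] == "token":
        roles, names = token_roles(token), cfg["role_names"]
        # The most privileged configured role name present in the token wins.
        for key, role in (("admin", ADMIN), ("developer", DEVELOPER), ("readonly", READ_ONLY)):
            if names[key] in roles:
                return role
        return None
    return mappings.get(token.get("preferred_username"))
```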
You can set the following options to true to enable owner-only authorization for updates to artifacts or artifact groups in {registry}:

| Environment variable | Java system property | Type | Default value |
|---|---|---|---|
| | | Boolean | |
| | | Boolean | |
| | | Boolean | |
When owner-only authorization is enabled, only the user who created an artifact can modify or delete that artifact.
When owner-only authorization and group owner-only authorization are both enabled, only the user who created an artifact group has write access to that artifact group, for example, to add or remove artifacts in that group.
When the authenticated read access option is enabled, {registry} grants at least read-only access to requests from any authenticated user in the same organization, regardless of their user role.
To enable authenticated read access, you must first enable role-based authorization, and then ensure that the following options are set to true:

| Environment variable | Java system property | Type | Default value |
|---|---|---|---|
| | | Boolean | |
| | | Boolean | |
For more details, see {registry} role-based authorization.
In addition to the two main types of authorization (role-based and owner-based authorization), {registry} supports an anonymous read-only access option.
To allow anonymous users, such as REST API calls with no authentication credentials, to make read-only calls to the REST API, set the following options to true:

| Environment variable | Java system property | Type | Default value |
|---|---|---|---|
| | | Boolean | |
| | | Boolean | |
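How the role matrix, owner-only authorization, authenticated reads and anonymous reads combine into a single access decision, as an added illustrative model in Python (not {registry}'s own code). The `AuthzConfig` switch names, the action names and the assumption that admins bypass owner-only checks are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN, DEVELOPER, READ_ONLY = "ADMIN", "DEVELOPER", "READ_ONLY"

# Permission matrix from the role table above: (read, write, global rules).
ROLE_GRANTS = {ADMIN: (True, True, True), DEVELOPER: (True, True, False), READ_ONLY: (True, False, False)}

@dataclass
class AuthzConfig:
    """Hypothetical switches mirroring the options in the tables above (all off by default)."""
    role_based: bool = False
    owner_only: bool = False          # owner-only authorization for artifacts
    group_owner_only: bool = False    # additionally restrict artifact groups to their creator
    authenticated_reads: bool = False
    anonymous_reads: bool = False

@dataclass
class Principal:
    name: Optional[str]            # None models a request with no credentials
    role: Optional[str] = None     # ADMIN, DEVELOPER, READ_ONLY, or None

def is_allowed(p: Principal, action: str, cfg: AuthzConfig,
               artifact_owner: Optional[str] = None, group_owner: Optional[str] = None) -> bool:
    """action is one of: read, write, delete, global_rules, group_write."""
    if p.name is None:                       # anonymous caller
        return action == "read" and cfg.anonymous_reads
    if not cfg.role_based:                   # no RBAC in this model: authenticated callers get full access
        return True
    if action == "read":                     # authenticated reads grant reads even without a role
        return p.role is not None or cfg.authenticated_reads
    if p.role is None:
        return False
    _, write, global_rules = ROLE_GRANTS[p.role]
    if action == "global_rules":
        return global_rules
    if not write:
        return False
    if p.role == ADMIN:                      # assumption in this model: admins bypass owner checks
        return True
    if action == "group_write":              # group restriction applies only when owner-only is also on
        return not (cfg.owner_only and cfg.group_owner_only) or group_owner == p.name
    return not cfg.owner_only or artifact_owner == p.name
```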
- For an example of how to set environment variables in your {registry} deployment on OpenShift, see [configuring-liveness-readiness-probes_{context}]
- For details on configuring custom authentication for {registry}, see the Quarkus OpenID Connect documentation