Support for registry basic auth

[iMajna]

At the moment I believe if reading code serves me still well, there is no support for an authentication/authz on operator level where users can with username and password authenticate via the Basic HTTP authentication mechanism.

From what I have seen API is naked at the moment, meaning, whoever passes any request to either create or delete schema it will be executed.

Is there possibility to maybe start working on this feature? Is there maybe a proposal page to write a proposal or?

Looking forward :)

[jonathansick]

That's a good idea. We don't use the schema registry's built-in basic auth at the moment. To date we've just been keeping the registry open to internal Kubernetes clients and using NetworkPolicy if need be; for external clients I think we've been using our regular ingress for its auth. That said, this could be useful if you'd like to contribute it.

I guess basically it'd need to fulfil the configurations outlined in https://docs.confluent.io/platform/current/security/basic-auth.html#schema-registry. It looks a little fiddly at first glance needing to manage a jaas_config.conf, but if you'd like to figure it out that'd be great!

[iMajna]

I'll try and make some time first to make a proposal before any implementation is being started. It is true that jaas_config.conf will be the biggest enigma because storing it as secret or configmap is not something you would like to do. Either way, same question would pop in case deploying vanilla Conf SR as well. :)