Update auth docs (#5263)

* Update kafkasql security documentation

* Update auth docs

README.md

@@ -187,7 +187,7 @@ services:
 ## Security
 
 You can enable authentication for both the application REST APIs and the user interface using a server based
-on OpenID Connect (OIDC). The same server realm and users are federated across the user interface and the
+on OpenID Connect (OIDC). The same server and users are federated across the user interface and the
 REST APIs using Open ID Connect so that you only require one set of credentials.
 
 In order no enable this integration, you will need to set the following environment variables.
@@ -196,10 +196,9 @@ In order no enable this integration, you will need to set the following environm
 
 |Option|Env. variable|
 |---|---|
-|`AUTH_ENABLED`|Set to `true` to enable (default is `false`)|
-|`KEYCLOAK_URL`|OIDC Server URL|
-|`KEYCLOAK_REALM`|OIDC Security realm|
-|`KEYCLOAK_API_CLIENT_ID`|The client for the API|
+|`QUARKUS_OIDC_TENANT_ENABLED`|Set to `true` to enable (default is `false`)|
+|`QUARKUS_OIDC_AUTH_SERVER_URL`|OIDC Server URL|
+|`QUARKUS_OIDC_CLIENT_ID`|The client for the API|
 
 ### User Interface Environment Variables
 
@@ -210,8 +209,7 @@ In order no enable this integration, you will need to set the following environm
 |`APICURIO_AUTH_REDIRECT_URL`|OIDC redirect URL|
 |`APICURIO_AUTH_CLIENT_ID`|The client for the UI|
 
-Note that you will need to have everything configured in your OIDC provider, before starting the application
-(the realm and the two clients).
+Note that you will need to have everything configured in your OIDC provider, before starting the application.
 
 Please note that Registry supports a wide range of authentication and authorization options.
 These options are too extensive to document in this README.  Consider the above to be just a starting point.

docs/modules/ROOT/partials/getting-started/proc-configuring-kafka-oauth.adoc

@@ -25,16 +25,16 @@ When you set these environment variables, the Kafka producer and consumer applic
 |Environment variable
 |Description
 |Default value
-| `ENABLE_KAFKA_SASL`
+| `APICURIO_KAFKASQL_SECURITY_SASL_ENABLED`
 | Enables SASL OAuth authentication for {registry} storage in Kafka. You must set this variable to `true` for the other variables to have effect.
 | `false`
-| `CLIENT_ID`
+| `APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_IDapicurio.kafkasql.security.sasl.client-id`
 | The client ID used to authenticate to Kafka. 
 | `-`
-| `CLIENT_SECRET`
+| `APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_SECRET`
 | The client secret used to authenticate to Kafka. 
 | `-`
-| `OAUTH_TOKEN_ENDPOINT_URI`
+| `APICURIO_KAFKASQL_SECURITY_SASL_TOKEN_ENDPOINT`
 | The URL of the OAuth identity server.
 | `\http://localhost:8090`
 |===

docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security-azure.adoc

@@ -45,13 +45,13 @@ IMPORTANT: You must register your {registry} application host as a *Redirect URI
 |Environment variable
 |Description
 |Setting
-|`KEYCLOAK_API_CLIENT_ID`
+|`QUARKUS_OIDC_CLIENT_ID`
 |The client application ID for the {registry} REST API
 |Your Azure AD Application (client) ID obtained in step 5. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
 |`APICURIO_OIDC_UI_CLIENT_ID`
 |The client application ID for the {registry} web console.
 |Your Azure AD Application (client) ID obtained in step 5. For example: `123456a7-b8c9-012d-e3f4-5fg67h8i901`
-|`APICURIO_AUTH_URL_CONFIGURED`
+|`QUARKUS_OIDC_AUTH_SERVER_URL`
 |The URL for authentication in Azure AD.
 |Your Azure AD Application (tenant) ID obtained in step 6. For example: `\https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0`.
 |===
@@ -64,13 +64,13 @@ IMPORTANT: You must register your {registry} application host as a *Redirect URI
 |Environment variable
 |Description
 |Setting
-|`APICURIO_AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |Enables authentication for {registry}.
 |`true`
 |`APICURIO_UI_AUTH_TYPE`
 |The {registry} authentication type.
 |`oidc`
-|`CORS_ALLOWED_ORIGINS`
+|`QUARKUS_HTTP_CORS_ORIGINS`
 |The host for your {registry} deployment for cross-origin resource sharing (CORS).
 |For example: `\https://test-registry.com`
 |`APICURIO_OIDC_UI_REDIRECT_URL`

docs/modules/ROOT/partials/getting-started/proc-configuring-registry-security-keycloak.adoc

@@ -69,23 +69,19 @@ You can use the defaults for the other client settings.
 |Description
 |Type
 |Default
-|`AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |Enables authentication for {registry}. When set to `true`, the environment variables that follow are required for authentication using {keycloak}.
 |String
 |`false`
-|`KEYCLOAK_URL`
+|`QUARKUS_OIDC_AUTH_SERVER_URL`
 |The URL of the {keycloak} authentication server. For example, `\http://localhost:8080`.
 |String
 |-
-|`KEYCLOAK_REALM`
-|The {keycloak} realm for authentication. For example, `registry.`
-|String
-|-
-|`KEYCLOAK_API_CLIENT_ID`
+|`QUARKUS_OIDC_CLIENT_ID`
 |The client ID for the {registry} REST API.
 |String
 |`registry-api`
-|`KEYCLOAK_UI_CLIENT_ID`
+|`APICURIO_UI_AUTH_OIDC_CLIENT_ID`
 |The client ID for the {registry} web console.
 |String
 |`apicurio-registry`

docs/modules/ROOT/partials/getting-started/proc-registry-serdes-register.adoc

@@ -90,26 +90,3 @@ endif::[]
 <3> Specify the {registry} artifact group ID.
 <4> You can upload multiple artifacts using the specified group ID, artifact ID, and location.
 
-[discrete]
-== Configuration using a producer client example
-
-[source,java,subs="+quotes,attributes"]
-----
-String registryUrl_node1 = PropertiesUtil.property(clientProperties, "apicurio.url.node1",
-    "https://my-cluster-service-registry-myproject.example.com/apis/registry/v3"); <1>
-try (RegistryService service = RegistryClient.create(registryUrl_node1)) {
-    String artifactId = ApplicationImpl.INPUT_TOPIC + "-value";
-    try {
-        service.getArtifactMetaData(artifactId); <2>
-    } catch (WebApplicationException e) {
-        CompletionStage <ArtifactMetaData> csa = service.createArtifact(
-            "AVRO",
-            artifactId,
-            new ByteArrayInputStream(LogInput.SCHEMA$.toString().getBytes())
-        );
-        csa.toCompletableFuture().get();
-    }
-}
-----
-<1> You can register properties against more than one URL node.
-<2> Check to see if the schema already exists based on the artifact ID.

docs/modules/ROOT/partials/getting-started/ref-registry-security-configuration.adoc

@@ -12,7 +12,7 @@
 * Role-based authorization for default admin, write, and read-only user roles. 
 * Content-based authorization for schema or API artifacts, where only the owner of the artifacts or artifact group can update or delete artifacts. 
 
-IMPORTANT: All authentication and authorization options in {registry} are disabled by default. Before enabling any of these options, you must first set the `AUTH_ENABLED` option to `true`. 
+IMPORTANT: All authentication and authorization options in {registry} are disabled by default. Before enabling any of these options, you must first set the `QUARKUS_OIDC_TENANT_ENABLED` option to `true`.
 
 This chapter provides details on the following configuration options: 
 
@@ -36,23 +36,23 @@ You can set the following environment variables to configure authentication for
 |Description
 |Type
 |Default
-|`AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |Enables authentication for {registry}. When set to `true`, the environment variables that follow are required for authentication using {keycloak}.
 |String
 |`false`
-|`KEYCLOAK_URL`
+|`QUARKUS_OIDC_AUTH_SERVER_URL`
 |The URL of the {keycloak} authentication server. For example, `\http://localhost:8080`.
 |String
 |-
 |`KEYCLOAK_REALM`
 |The {keycloak} realm for authentication. For example, `registry.`
 |String
 |-
-|`KEYCLOAK_API_CLIENT_ID`
+|`QUARKUS_OIDC_CLIENT_ID`
 |The client ID for the {registry} REST API.
 |String
 |`registry-api`
-|`KEYCLOAK_UI_CLIENT_ID`
+|`APICURIO_UI_AUTH_OIDC_CLIENT_ID`
 |The client ID for the {registry} web console.
 |String
 |`apicurio-registry`
@@ -71,11 +71,11 @@ By default, {registry} supports authentication by using OpenID Connect. Users or
 |Java system property
 |Type
 |Default value
-|`AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |`registry.auth.enabled`
 |Boolean
 |`false`
-|`CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED`
+|`CLIENT_CREDENTIALS_BASIC_QUARKUS_OIDC_TENANT_ENABLED`
 |`registry.auth.basic-auth-client-credentials.enabled`
 |Boolean
 |`false`
@@ -115,7 +115,7 @@ You can set the following options to `true` to enable role-based authorization i
 |Java system property
 |Type
 |Default value
-|`AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |`registry.auth.enabled`
 |Boolean
 |`false`
@@ -267,7 +267,7 @@ You can set the following options to `true` to enable owner-only authorization f
 |Type
 |Default value
 
-|`AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |`registry.auth.enabled`
 |Boolean
 |`false`
@@ -302,7 +302,7 @@ To enable authenticated read access, you must first enable role-based authorizat
 |Java system property
 |Type
 |Default value
-|`AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |`registry.auth.enabled`
 |Boolean
 |`false`
@@ -331,7 +331,7 @@ calls to the REST API, set the following options to `true`:
 |Java system property
 |Type
 |Default value
-|`AUTH_ENABLED`
+|`QUARKUS_OIDC_TENANT_ENABLED`
 |`registry.auth.enabled`
 |Boolean
 |`false`

docs/modules/ROOT/partials/getting-started/ref-registry-serdes-config-props.adoc

@@ -59,27 +59,27 @@ The `DefaultSchemaResolver` provides the following properties to configure acces
 |`String`
 |None
 |`AUTH_TOKEN_ENDPOINT`
-|`apicurio.auth.service.token.endpoint`
+|`apicurio.registry.auth.service.token.endpoint`
 |Used by serializers and deserializers. URL of the token endpoint.
 |`String`
 |None
 |`AUTH_CLIENT_ID`
-|`apicurio.auth.client.id`
+|`apicurio.registry.auth.client.id`
 |Used by serializers and deserializers. Client ID to access the authentication service. Required when accessing a secure registry using the OAuth client credentials flow.
 |`String`
 |None
 |`AUTH_CLIENT_SECRET`
-|`apicurio.auth.client.secret`
+|`apicurio.registry.auth.client.secret`
 |Used by serializers and deserializers. Client secret to access the authentication service. Required when accessing a secure registry using the OAuth client credentials flow.
 |`String`
 |None
 |`AUTH_USERNAME`
-|`apicurio.auth.username`
+|`apicurio.registry.auth.username`
 |Used by serializers and deserializers. Username to access the registry. Required when accessing a secure registry using HTTP basic authentication.
 |`String`
 |None
 |`AUTH_PASSWORD`
-|`apicurio.auth.password`
+|`apicurio.registy.auth.password`
 |Used by serializers and deserializers. Password to access the registry. Required when accessing a secure registry using HTTP basic authentication.
 |`String`
 |None

examples/docker-compose/src/main/resources/compose-base-mssql.yml

@@ -7,12 +7,14 @@ services:
       ACCEPT_EULA: Y
       MSSQL_SA_PASSWORD: "Your_password123"
   app:
-    image: apicurio/apicurio-registry-mssql:latest
+    image: apicurio/apicurio-registry:latest-release
     ports:
       - 8080:8080
     environment:
-      REGISTRY_DATASOURCE_URL: 'jdbc:sqlserver://mssql;'
-      REGISTRY_DATASOURCE_USERNAME: sa
-      REGISTRY_DATASOURCE_PASSWORD: "Your_password123"
+      APICURIO_DATASOURCE_URL: 'jdbc:sqlserver://mssql;'
+      APICURIO_DATASOURCE_USERNAME: sa
+      APICURIO_DATASOURCE_PASSWORD: "Your_password123"
+      APICURIO_STORAGE_KIND: "sql"
+      APICURIO_STORAGE_SQL_KIND: "mssql"
     depends_on:
       - mssql

examples/docker-compose/src/main/resources/compose-base-sql.yml

@@ -7,12 +7,14 @@ services:
       POSTGRES_USER: apicurio-registry
       POSTGRES_PASSWORD: password
   app:
-    image: apicurio/apicurio-registry-sql:latest
+    image: apicurio/apicurio-registry:latest-release
     ports:
       - 8080:8080
     environment:
-      REGISTRY_DATASOURCE_URL: 'jdbc:postgresql://postgres/apicurio-registry'
-      REGISTRY_DATASOURCE_USERNAME: apicurio-registry
-      REGISTRY_DATASOURCE_PASSWORD: password
+      APICURIO_DATASOURCE_URL: 'jdbc:postgresql://postgres/apicurio-registry'
+      APICURIO_DATASOURCE_USERNAME: apicurio-registry
+      APICURIO_DATASOURCE_PASSWORD: password
+      APICURIO_STORAGE_KIND: "sql"
+      APICURIO_STORAGE_SQL_KIND: "postgresql"
     depends_on:
       - postgres

examples/docker-compose/src/main/resources/docker-compose.apicurio.yml

@@ -30,25 +30,21 @@ services:
       POSTGRES_PASSWORD: password
 
   backend:
-    image: quay.io/apicurio/apicurio-registry@sha256:3cf8b1a8b67ef1efff872556f642751f432eec8d1b704d45adececeff86a3222
+    image: quay.io/apicurio/apicurio-registry:latest-release
     environment:
-      REGISTRY_DATASOURCE_URL: 'jdbc:postgresql://database-apicurio:5432/apicurio-registry'
-      REGISTRY_DATASOURCE_USERNAME: apicurio-registry
-      REGISTRY_DATASOURCE_PASSWORD: password
-      REGISTRY_STORAGE_KIND: "sql"
-      REGISTRY_STORAGE_DB_KIND: "postgresql"
-      AUTH_ENABLED: "true"
-      KEYCLOAK_REALM: registry
+      APICURIO_DATASOURCE_URL: 'jdbc:postgresql://database-apicurio:5432/apicurio-registry'
+      APICURIO_DATASOURCE_USERNAME: apicurio-registry
+      APICURIO_DATASOURCE_PASSWORD: password
+      APICURIO_STORAGE_KIND: "sql"
+      APICURIO_STORAGE_SQL_KIND: "postgresql"
+      QUARKUS_OIDC_TENANT_ENABLED: "true"
       QUARKUS_HTTP_PORT: 8081
-      KEYCLOAK_URL: "http://localhost:8080"
       LOG_LEVEL: "DEBUG"
-      REGISTRY_UI_CONFIG_AUTH_KEYCLOAK_URL: "http://localhost:8080"
       QUARKUS_OIDC_AUTH_SERVER_URL: "http://keycloak-server:8080/realms/registry"
-      TOKEN_ENDPOINT: "http://keycloak-server:8080/realms/registry/protocol/openid-connect/token"
-      KEYCLOAK_API_CLIENT_ID: registry-api
-      REGISTRY_UI_AUTH_OIDC_CLIENTID: apicurio-registry
+      QUARKUS_OIDC_CLIENT_ID: registry-api
+      APICURIO_UI_AUTH_OIDC_CLIENT_ID: apicurio-registry
       QUARKUS_OIDC_TLS_VERIFICATION: "none"
-      CORS_ALLOWED_ORIGINS: '*'
+      QUARKUS_HTTP_CORS_ORIGINS: '*'
       QUARKUS_PROFILE: "prod"
     ports:
       - 8081:8081
@@ -57,7 +53,7 @@ services:
       - keycloak-server
 
   ui:
-    image: quay.io/apicurio/apicurio-registry-ui@sha256:ec60369e36cafd68e7af6f87df397c54975bbb71530744810822cf4aab2159d9
+    image: quay.io/apicurio/apicurio-registry-ui:latest-release
     environment:
       REGISTRY_API_URL: "http://localhost:8081/apis/registry/v3"
     ports:

examples/event-driven-architecture/docker-compose.yml

@@ -68,9 +68,9 @@ services:
     ports:
       - "8080:8080"
     environment:
-      REGISTRY_DATASOURCE_URL: "jdbc:postgresql://apicurio-db/apicuriodb"
-      REGISTRY_DATASOURCE_USERNAME: "postgres"
-      REGISTRY_DATASOURCE_PASSWORD: "postgres"
+      APICURIO_DATASOURCE_URL: "jdbc:postgresql://apicurio-db/apicuriodb"
+      APICURIO_DATASOURCE_USERNAME: "postgres"
+      APICURIO_DATASOURCE_PASSWORD: "postgres"
       SCHEMA_REGISTRY_HOST_NAME: schema-registry
       SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: divolte-kafka:2181
 

examples/openshift-template/apicurio-registry-template-sql.yml

@@ -82,12 +82,12 @@ objects:
           env:
           - name: QUARKUS_PROFILE
             value: prod
-          - name: REGISTRY_DATASOURCE_URL
-            value: ${REGISTRY_DATASOURCE_URL}
-          - name: REGISTRY_DATASOURCE_USERNAME
-            value: ${REGISTRY_DATASOURCE_USERNAME}
-          - name: REGISTRY_DATASOURCE_PASSWORD
-            value: ${REGISTRY_DATASOURCE_PASSWORD}
+          - name: APICURIO_DATASOURCE_URL
+            value: ${APICURIO_DATASOURCE_URL}
+          - name: APICURIO_DATASOURCE_USERNAME
+            value: ${APICURIO_DATASOURCE_USERNAME}
+          - name: APICURIO_DATASOURCE_PASSWORD
+            value: ${APICURIO_DATASOURCE_PASSWORD}
           resources:
             limits:
               cpu: ${REGISTRY_CPU_LIMIT}
@@ -176,15 +176,15 @@ parameters:
   description: Registry Pods CPU Requests
   value: 100m
   required: true
-- name: REGISTRY_DATASOURCE_URL
+- name: APICURIO_DATASOURCE_URL
   displayName: Datasource URL
   description: Postgresql Datasource URL
   required: true
-- name: REGISTRY_DATASOURCE_USERNAME
+- name: APICURIO_DATASOURCE_USERNAME
   displayName: Datasource Username
   description: Datasource Username
   required: false
-- name: REGISTRY_DATASOURCE_PASSWORD
+- name: APICURIO_DATASOURCE_PASSWORD
   displayName: Datasource Password
   description: Datasource Password
   required: false