# Enable Role-Based Authorization

## Service Registry Configuration

1. Open the OpenShift web console, switch to the **Administrator** perspective, and make sure you've selected the `service-registry` project (or the project in which you installed Service Registry). Select the **Workloads -> Deployments** menu, then click the `service-registry-deployment` link.

   ![Service Registry Configuration](/files/tiRSTxYaf7l4F4MZLP18)
2. Go to the **Environment** tab and click **Add more** to add a new environment variable. Enter `ROLE_BASED_AUTHZ_ENABLED` as the name and `true` as the value, then click the **Save** button.

   ![Service Registry Configuration](/files/hjwJLGdClro6urWKwhu2)

## Configuring Keycloak client

1. Open the SSO web console and select the **Registry** realm (or the realm you used for Service Registry). Select the **Clients** menu, then click the client you need to configure.

   ![Configuring Keycloak client](/files/9qjVvoOaRyNJbQHpPy3D)
2. Make sure **Access Type** is `confidential` and the **Service Accounts Enabled** option is `ON`.

   ![Configuring Keycloak client](/files/QmDOfH3imbMZm99gYPpq)
3. Go to the **Service Account Roles** tab and assign one of the valid roles (`sr-admin`, `sr-developer`, `sr-readonly`) to the client.

   ![Configuring Keycloak client](/files/rQUUDoDxunxBKgsUXn8W)

## Testing

1. Use Postman to get a token from Red Hat SSO, then try to call an API that is not allowed for the role assigned to the client; in this case, a client with the `sr-readonly` role is not allowed to create an artifact. The API call should fail, as in the screenshot below.

   ![Testing](/files/yM8YTGME3cvMNrXUEdrc)
2. For a Kafka Java client application, an `Authorization error` should be thrown when the client application tries to perform any operation that is not allowed for its role.

   ```log
   Exception in thread "main" io.apicurio.rest.client.auth.exception.ForbiddenException: Authorization error
       at io.apicurio.registry.rest.client.impl.ErrorHandler.handleErrorResponse(ErrorHandler.java:57)
       at io.apicurio.rest.client.handler.BodyHandler.lambda$toSupplierOfType$1(BodyHandler.java:46)
       at io.apicurio.rest.client.JdkHttpClient.sendRequest(JdkHttpClient.java:204)
       at io.apicurio.registry.rest.client.impl.RegistryClientImpl.createArtifact(RegistryClientImpl.java:263)
       at io.apicurio.registry.rest.client.RegistryClient.createArtifact(RegistryClient.java:134)
       at io.apicurio.registry.resolver.DefaultSchemaResolver.lambda$handleAutoCreateArtifact$2(DefaultSchemaResolver.java:236)
       at io.apicurio.registry.resolver.ERCache.lambda$getValue$0(ERCache.java:142)
       at io.apicurio.registry.resolver.ERCache.retry(ERCache.java:181)
       at io.apicurio.registry.resolver.ERCache.getValue(ERCache.java:141)
       at io.apicurio.registry.resolver.ERCache.getByContent(ERCache.java:121)
       at io.apicurio.registry.resolver.DefaultSchemaResolver.handleAutoCreateArtifact(DefaultSchemaResolver.java:234)
       at io.apicurio.registry.resolver.DefaultSchemaResolver.getSchemaFromRegistry(DefaultSchemaResolver.java:115)
       at io.apicurio.registry.resolver.DefaultSchemaResolver.resolveSchema(DefaultSchemaResolver.java:88)
       at io.apicurio.registry.serde.AbstractKafkaSerializer.serialize(AbstractKafkaSerializer.java:83)
       at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:925)
       at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:885)
       at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:773)
   ```
3. Optionally, go to the [jwt.io](https://jwt.io/) website and decode the token returned from SSO. You'll see that the `roles` claim contains only the role you assigned to the client.

   ![Testing](/files/13vEqx0i1IRTnAj2UmBx)
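The same checks as steps 1 and 3, scripted in Python as an added example (not code from this page or from the Service Registry project): it fetches a client-credentials token, attempts the create-artifact call an `sr-readonly` client should be refused, and inspects the token's roles without trusting it. The SSO token URL, registry URL, client credentials and the claim location (`roles` as shown on this page, or Keycloak's `realm_access.roles`) are assumptions you fill in for your environment; the Apicurio v2 `groups/{group}/artifacts` endpoint is the standard Service Registry REST API.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

VALID_ROLES = {"sr-admin", "sr-developer", "sr-readonly"}  # the roles listed on this page

def decode_jwt_payload(token: str) -> dict:
    """Payload claims of a compact JWT, NOT signature-verified: inspection only, like jwt.io."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def registry_roles(claims: dict) -> set:
    """sr-* roles from a top-level `roles` claim (as on this page) or Keycloak's realm_access."""
    found = set(claims.get("roles", [])) | set(claims.get("realm_access", {}).get("roles", []))
    return found & VALID_ROLES

def has_only_role(token: str, expected: str) -> bool:
    """True when the token carries exactly the one role assigned to the client."""
    return registry_roles(decode_jwt_payload(token)) == {expected}

def fetch_client_token(token_url: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against Red Hat SSO (what Postman does in step 1). Assumed URL."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    with urllib.request.urlopen(urllib.request.Request(token_url, data=form)) as resp:
        return json.load(resp)["access_token"]

def create_artifact_status(registry_url: str, token: str, group: str = "default") -> int:
    """POST a minimal Avro schema to the v2 API; an sr-readonly client should get 403."""
    schema = json.dumps({"type": "record", "name": "Demo", "fields": []}).encode()
    req = urllib.request.Request(f"{registry_url}/apis/registry/v2/groups/{group}/artifacts",
                                 data=schema, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-Registry-ArtifactType", "AVRO")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 Forbidden is the expected outcome for sr-readonly

def constructed_token(claims: dict) -> str:
    """Demo token with a placeholder signature, constructed here for offline checks only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Because `decode_jwt_payload` never verifies the signature, use it only to eyeball what SSO issued; the registry itself must validate the token against the realm's keys.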

## References

* [Service Registry role-based authorization](https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3/html/installing_and_deploying_service_registry_on_openshift/securing-the-registry#registry-security-rbac-enabled)
* [Managing Service Registry environment variables](https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3/html/installing_and_deploying_service_registry_on_openshift/managing-the-registry#manage-registry-environment-variables)
