Conversation
Signed-off-by: AvivGuiser <avivguiser@gmail.com>
Signed-off-by: AvivGuiser <avivguiser@gmail.com>
📝 WalkthroughWalkthroughAdded documentation for Kafka SchemaRegistry OAuth client-credentials settings: token endpoint URL, client ID, client secret, scopes, token caching toggle, proactive token refresh buffer, and max retries for 401 responses. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@configuration/misc-configuration-properties.md`:
- Around line 37-43: Add OAuth-based Schema Registry options to the YAML docs by
extending the existing schemaRegistryAuth section to include an oauth block with
the keys tokenUrl, clientId, clientSecret, scopes, tokenCacheEnabled,
tokenRefreshBuffer and maxRetries; place this YAML example alongside the
existing username/password example in the schema-registry-auth/docs block (the
same area that currently documents basic auth) and ensure the property names and
defaults match the environment variables
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_* (tokenCacheEnabled default true,
tokenRefreshBuffer default 60s, maxRetries default 1) so users can see both
basic and oauth configuration formats.
- Around line 37-43: Remove the seven SchemaRegistry OAuth configuration entries
(KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENURL,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTID,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTSECRET,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_SCOPES,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENCACHEENABLED,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENREFRESHBUFFER,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_MAXRETRIES) from the
configuration/misc-configuration-properties.md documentation since kafka-ui only
supports Basic Authentication for SchemaRegistry; if you prefer to keep OAuth
documented, instead implement the corresponding support in the codebase and
update relevant functions/classes that parse cluster schema registry auth (e.g.,
the config parsing/validation that handles KAFKA_CLUSTERS_*_SCHEMAREGISTRYAUTH)
before re-adding the entries.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: eaa7c5f6-2b97-4b20-8f7d-e60ebf6d2882
📒 Files selected for processing (1)
configuration/misc-configuration-properties.md
| | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENURL` | Token URL for SchemaRegistry's OAuth client-credentials authentication | | ||
| | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTID` | Client ID for SchemaRegistry's OAuth authentication | | ||
| | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTSECRET` | Client secret for SchemaRegistry's OAuth authentication | | ||
| | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_SCOPES` | Comma-separated list of OAuth scopes to request for SchemaRegistry authentication | | ||
| | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENCACHEENABLED` | Enable caching of OAuth tokens for SchemaRegistry. Default: `true` | | ||
| | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENREFRESHBUFFER` | Duration before token expiry to proactively refresh the token (e.g. `60s`, `360s`). Default: `60s` | | ||
| | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_MAXRETRIES` | Max number of retries on 401 Unauthorized responses from SchemaRegistry. Default: `1` | |
There was a problem hiding this comment.
Update configuration-file.md to document OAuth properties for consistency.
These OAuth properties are documented here as environment variables, but configuration-file.md currently only documents basic authentication (username/password) for Schema Registry and does not include OAuth configuration options. This creates an inconsistency where users consulting the YAML configuration guide won't discover the OAuth authentication capability.
Consider adding equivalent YAML configuration examples to configuration-file.md to maintain consistency across documentation formats. For example:
schemaRegistryAuth:
oauth:
tokenUrl: https://auth.example.com/oauth/token
clientId: your-client-id
clientSecret: your-client-secret
scopes: schema-registry-read,schema-registry-write
tokenCacheEnabled: true
tokenRefreshBuffer: 60s
maxRetries: 1As per relevant code snippet from configuration-file.md:35-44, which shows schema-registry-auth currently only documents username/password authentication.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@configuration/misc-configuration-properties.md` around lines 37 - 43, Add
OAuth-based Schema Registry options to the YAML docs by extending the existing
schemaRegistryAuth section to include an oauth block with the keys tokenUrl,
clientId, clientSecret, scopes, tokenCacheEnabled, tokenRefreshBuffer and
maxRetries; place this YAML example alongside the existing username/password
example in the schema-registry-auth/docs block (the same area that currently
documents basic auth) and ensure the property names and defaults match the
environment variables KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_*
(tokenCacheEnabled default true, tokenRefreshBuffer default 60s, maxRetries
default 1) so users can see both basic and oauth configuration formats.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify OAuth property names exist in the kafka-ui codebase.
# Expected: Find references to these property bindings in configuration or auth code.
# Search for OAuth-related SchemaRegistry auth properties
rg -n -i -C3 --type=java --type=yaml --type=properties \
-e 'schemaRegistryAuth.*oauth' \
-e 'SCHEMAREGISTRYAUTH.*OAUTH' \
-e 'tokenUrl|clientId|clientSecret' \
-e 'tokenCacheEnabled|tokenRefreshBuffer|maxRetries'Repository: kafbat/ui-docs
Length of output: 92
🌐 Web query:
site:github.com/kafbat/kafka-ui schemaRegistryAuth oauth configuration properties
💡 Result:
In kafbat/kafka-ui, schemaRegistryAuth is Basic Auth only (username/password) — there are no documented schemaRegistryAuth.oauth.* (or similar) configuration properties. Example cluster YAML uses: schemaRegistryAuth.username / schemaRegistryAuth.password. [1]
On OAuth for Schema Registry: in a Kafbat UI discussion, the maintainer explicitly says they doubt Schema Registry supports OAuth (in the context of Kafbat UI Schema Registry integration), i.e., Kafbat UI doesn’t expose an OAuth-specific schemaRegistryAuth config. [2] One user mentions using Schema Registry client property bearer.auth.credentials.source: "SASL_OAUTHBEARER_INHERIT" as a workaround (inheriting auth from the Kafka client), but that’s not presented as an official schemaRegistryAuth OAuth configuration block. [2]
Sources
[1] provectus/kafka-ui#3791
[2] kafbat/kafka-ui#433
🏁 Script executed:
cd / && find . -type f -name "*.md" 2>/dev/null | grep -i config | head -20Repository: kafbat/ui-docs
Length of output: 1435
🏁 Script executed:
head -50 configuration/misc-configuration-properties.mdRepository: kafbat/ui-docs
Length of output: 7345
🏁 Script executed:
grep -r "SCHEMAREGISTRYAUTH" configuration/ 2>/dev/null | head -20Repository: kafbat/ui-docs
Length of output: 2383
Remove the documented SchemaRegistry OAuth properties — they do not exist in the kafka-ui implementation.
These seven OAuth configuration properties (lines 37–43) document features that are not supported in kafka-ui. Verification confirms that kafka-ui supports only Basic Authentication (username/password) for SchemaRegistry connections. The project maintainers have explicitly stated they doubt Schema Registry supports OAuth in this context. Documenting non-existent configuration properties will lead to user confusion and configuration errors.
Either remove these properties from the documentation, or ensure the corresponding features are implemented in the kafka-ui codebase before documenting them.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@configuration/misc-configuration-properties.md` around lines 37 - 43, Remove
the seven SchemaRegistry OAuth configuration entries
(KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENURL,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTID,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTSECRET,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_SCOPES,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENCACHEENABLED,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENREFRESHBUFFER,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_MAXRETRIES) from the
configuration/misc-configuration-properties.md documentation since kafka-ui only
supports Basic Authentication for SchemaRegistry; if you prefer to keep OAuth
documented, instead implement the corresponding support in the codebase and
update relevant functions/classes that parse cluster schema registry auth (e.g.,
the config parsing/validation that handles KAFKA_CLUSTERS_*_SCHEMAREGISTRYAUTH)
before re-adding the entries.
Signed-off-by: AvivGuiser <avivguiser@gmail.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
configuration/configuration-file.md (1)
40-48: State that Basic and OAuth examples are alternative auth modesLines 40-48 currently present Basic and OAuth settings together, which can be read as “configure both.” If these are alternatives, add a brief note to prevent misconfiguration.
Suggested doc adjustment
- # Basic authentication + # Basic authentication (use this OR oauth below) username: schema registry username password: schema registry password - # OAuth client-credentials authentication + # OAuth client-credentials authentication (alternative to username/password) oauth:🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@configuration/configuration-file.md` around lines 40 - 48, Clarify that Basic and OAuth examples are mutually exclusive by adding a short note near the authentication examples: update the "Basic authentication" and "OAuth client-credentials authentication" sections to state these are alternative auth modes (choose one) and not to be configured together, and ensure the note references the username/password fields and the oauth.tokenUrl/clientId/clientSecret keys so readers know which blocks are alternatives.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@configuration/configuration-file.md`:
- Line 51: Update the documentation for the maxRetries property to explicitly
state that retries are only triggered for 401 Unauthorized responses; edit the
line documenting maxRetries so it mirrors the behavior described in
misc-configuration-properties (i.e., "maxRetries: 1 # default: 1 — retries are
attempted only on 401 Unauthorized responses") and ensure the term maxRetries is
used exactly so readers can match it to the configuration property.
---
Nitpick comments:
In `@configuration/configuration-file.md`:
- Around line 40-48: Clarify that Basic and OAuth examples are mutually
exclusive by adding a short note near the authentication examples: update the
"Basic authentication" and "OAuth client-credentials authentication" sections to
state these are alternative auth modes (choose one) and not to be configured
together, and ensure the note references the username/password fields and the
oauth.tokenUrl/clientId/clientSecret keys so readers know which blocks are
alternatives.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 28bbef80-81fe-429b-9aca-aefa692ff34d
📒 Files selected for processing (1)
configuration/configuration-file.md
| scopes: schema-registry:read,schema-registry:write | ||
| tokenCacheEnabled: true # default: true | ||
| tokenRefreshBuffer: 60s # default: 60s | ||
| maxRetries: 1 # default: 1 |
There was a problem hiding this comment.
Clarify the retry condition for maxRetries to match reference docs
Line 51 documents the default, but it omits that retries are for 401 Unauthorized responses. This is explicitly documented in configuration/misc-configuration-properties.md:23-32, so this page should mirror that behavior to avoid ambiguity.
Suggested doc adjustment
- maxRetries: 1 # default: 1
+ maxRetries: 1 # default: 1 (retries on 401 Unauthorized)📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| maxRetries: 1 # default: 1 | |
| maxRetries: 1 # default: 1 (retries on 401 Unauthorized) |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@configuration/configuration-file.md` at line 51, Update the documentation for
the maxRetries property to explicitly state that retries are only triggered for
401 Unauthorized responses; edit the line documenting maxRetries so it mirrors
the behavior described in misc-configuration-properties (i.e., "maxRetries: 1 #
default: 1 — retries are attempted only on 401 Unauthorized responses") and
ensure the term maxRetries is used exactly so readers can match it to the
configuration property.
|
@KyriosGN0 can you take a look at the remaining comments? |
2 participants
add Configuration flags for schema registry oauth2
relates to kafbat/kafka-ui#1645 and kafbat/kafka-ui#1575
Summary by CodeRabbit