Cluster Configuration Properties

Enables or disables audit logging. When you set this to true, Redpanda checks for an existing topic named _redpanda.audit_log. If none is found, Redpanda automatically creates one for you.

List of user principals to exclude from auditing.

List of topics to exclude from auditing.

Defines the number of partitions used by a newly-created audit topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics.

Allow automatic topic creation. To prevent excess topics, this property is not supported on Redpanda Cloud BYOC and Dedicated clusters. You should explicitly manage topic creation for these Redpanda Cloud clusters.

If you produce to a topic that doesn’t exist, the topic will be created with defaults if this property is enabled.

The maximum size for a deployable WebAssembly binary that the broker can store.

Enables WebAssembly-powered data transforms directly in the broker. When data_transforms_enabled is set to true, Redpanda reserves memory for data transforms, even if no transform functions are currently deployed. This memory reservation ensures that adequate resources are available for transform functions when they are needed, but it also means that some memory is allocated regardless of usage.

Transform log lines truncate to this length. Truncation occurs after any character escaping.

The amount of memory to reserve per core for data transform (Wasm) virtual machines. Memory is reserved on boot. The maximum number of functions that can be deployed to a cluster is equal to data_transforms_per_core_memory_reservation / data_transforms_per_function_memory_limit.

The amount of memory to give an instance of a data transform (Wasm) virtual machine. The maximum number of functions that can be deployed to a cluster is equal to data_transforms_per_core_memory_reservation / data_transforms_per_function_memory_limit.

List of enabled consumer group metrics. Accepted values include:

Enable creating shadow links from this cluster to a remote source cluster for data replication.

A list of supported HTTP authentication mechanisms. Accepted Values: BASIC, OIDC.

Base path for the object-storage-backed Iceberg catalog. After Iceberg is enabled, do not change this value.

Iceberg catalog type that Redpanda will use to commit table metadata updates. Supported types: rest, object_storage. NOTE: You must set iceberg_rest_catalog_endpoint at the same time that you set iceberg_catalog_type to rest.

Default value for the redpanda.iceberg.partition.spec topic property that determines the partition spec for the Iceberg table corresponding to the topic.

Default value for the redpanda.iceberg.delete topic property that determines if the corresponding Iceberg table is deleted upon deleting the topic.

Whether to disable tagging of Iceberg snapshots. These tags are used to ensure that the snapshots that Redpanda writes are retained during snapshot removal, which in turn, helps Redpanda ensure exactly-once delivery of records. Disabling tags is therefore not recommended, but it may be useful if the Iceberg catalog does not support tags.

Enables the translation of topic data into Iceberg tables. Setting iceberg_enabled to true activates the feature at the cluster level, but each topic must also set the redpanda.iceberg.enabled topic-level property to true to use it. If iceberg_enabled is set to false, then the feature is disabled for all topics in the cluster, overriding any topic-level settings.

Default value for the redpanda.iceberg.invalid.record.action topic property.

The authentication mode for client requests made to the Iceberg catalog. Choose from: none, bearer, oauth2, and aws_sigv4. In bearer mode, the token specified in iceberg_rest_catalog_token is used unconditonally, and no attempts are made to refresh the token. In oauth2 mode, the credentials specified in iceberg_rest_catalog_client_id and iceberg_rest_catalog_client_secret are used to obtain a bearer token from the URI defined by iceberg_rest_catalog_oauth2_server_uri. In aws_sigv4 mode, the same AWS credentials used for cloud storage (see cloud_storage_region, cloud_storage_access_key, cloud_storage_secret_key, and cloud_storage_credentials_source) are used to sign requests to AWS Glue catalog with SigV4.

AWS access key for Iceberg REST catalog SigV4 authentication. If not set, falls back to cloud_storage_access_key when using aws_sigv4 authentication mode.

AWS region for Iceberg REST catalog SigV4 authentication. If not set, falls back to cloud_storage_region when using aws_sigv4 authentication mode.

AWS secret key for Iceberg REST catalog SigV4 authentication. If not set, falls back to cloud_storage_secret_key when using aws_sigv4 authentication mode.

Base URI for the Iceberg REST catalog. If unset, the REST catalog server determines the location. Some REST catalogs, like AWS Glue, require the client to set this. After Iceberg is enabled, do not change this value.

Iceberg REST catalog user ID. This ID is used to query the catalog API for the OAuth token. Required if catalog type is set to rest and iceberg_rest_catalog_authentication_mode is set to oauth2.

Secret used with the client ID to query the OAuth token endpoint for Iceberg REST catalog authentication. Required if catalog type is set to rest and iceberg_rest_catalog_authentication_mode is set to oauth2.

The contents of a certificate revocation list for iceberg_rest_catalog_trust. Takes precedence over iceberg_rest_catalog_crl_file.

URL of Iceberg REST catalog endpoint. NOTE: If you set iceberg_catalog_type to rest, you must also set this property at the same time.

The OAuth scope used to retrieve access tokens for Iceberg catalog authentication. Only meaningful when iceberg_rest_catalog_authentication_mode is set to oauth2

The OAuth URI used to retrieve access tokens for Iceberg catalog authentication. If left undefined, the deprecated Iceberg catalog endpoint /v1/oauth/tokens is used instead.

Maximum length of time that Redpanda waits for a response from the REST catalog before aborting the request

Token used to access the REST Iceberg catalog. If the token is present, Redpanda ignores credentials stored in the properties iceberg_rest_catalog_client_id and iceberg_rest_catalog_client_secret.

Required if iceberg_rest_catalog_authentication_mode is set to bearer.

The contents of a certificate chain to trust for the REST Iceberg catalog.

Warehouse to use for the Iceberg REST catalog. Redpanda queries the catalog to retrieve warehouse-specific configurations and automatically configures settings like the appropriate prefix. The prefix is appended to the catalog path (for example, /v1/{prefix}/namespaces).

Default value for the redpanda.iceberg.target.lag.ms topic property, which controls how often the data in an Iceberg table is refreshed with new data from the corresponding Redpanda topic. Redpanda attempts to commit all data produced to the topic within the lag target, subject to resource availability.

A replacement string for dots in topic names when creating Iceberg table names. Use this when your downstream systems don’t allow dots in table names. The replacement string cannot contain dots. Be careful to avoid table name collisions. Don’t change this value after creating any Iceberg topics with dots in their names.

A list of IP addresses for which Kafka client connection limits are overridden and don’t apply. For example, (['127.0.0.1:90', '50.20.1.1:40'])..

Maximum number of Kafka client connections per IP address, per broker. If null, the property is disabled.

Default lifetime of log segments. If null, the property is disabled, and no default lifetime is set. Any value under 60 seconds (60000 ms) is rejected. This property can also be set in the Kafka API using the Kafka-compatible alias, log.roll.ms.

The URL pointing to the well-known discovery endpoint for the OIDC provider.

Rule for mapping JWT payload claim to a Redpanda user principal.

A string representing the intended recipient of the token.

A list of supported SASL mechanisms. Accepted values: SCRAM, GSSAPI, OAUTHBEARER, PLAIN. Note that in order to enable PLAIN, you must also enable SCRAM.

Enables ACL-based authorization for Schema Registry requests. When true, Schema Registry uses ACL-based authorization instead of the default public/user/superuser authorization model.

The minimum TLS version that Redpanda clusters support. This property prevents client applications from negotiating a downgrade to the TLS version when they make a connection to a Redpanda cluster.