Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The proxy may propagate two values, the User Identity and the User Credentials, to CDAP. CDAP creates a corresponding Principal object with the name directly set as the User Identity and the credentials set as the credentials. The Principal is then used to pass this information to the user-provided authorization extension to perform authorization enforcement via the Authorizer and AuthorizationEnforcer SPIs.

The User Identity is passed from the proxy to CDAP via a configurable header, whereas the User Credentials are passed to CDAP via the Authorization header. The User Identity is required for audit logging purposes and, as such, must be included on every request, whereas the User Credentials are optional.

...

These are the list of additional configurations specified in cdap-site.xml that will be used while setting up for proxy mode:

  • security.authentication.mode

  • security.authentication.proxy.user.identity.header

  • security.authentication.propagate.user.credentials

For more information about these parameters, see Security parameters (cdap-site.xml and cdap-default.xml).