In Managed authentication mode, CDAP provides several ways to authenticate a client's identity:
Basic Authentication
LDAP Authentication
JASPI Authentication
Custom Authentication
Basic Authentication
The simplest way to identify a client is to authenticate against a realm file. To configure basic authentication, add these properties to cdap-site.xml:
...
In CDAP Sandbox, the realm file can be specified as conf/realmfile and placed with the cdap-site.xml file. Note that it is not advisable to use this method of authentication. In production, we recommend using any of the other methods described below.
LDAP Authentication
You can configure CDAP to authenticate against an LDAP instance by adding these properties to cdap-site.xml:
...
Property | Default Value | Value | Description |
---|---|---|---|
|
|
| Set to |
|
|
| Set to |
LDAP with Active Directory
The following properties are listed as "optional" for LDAP but are required if you are using LDAP with Active Directory:
...
For Active Directory, the property security.authentication.handler.userBaseDn should NOT include the group information. It should return the full list of users in the organization or domain. The group information should be included in the property security.authentication.handler.roleBaseDn and will only allow access to these users.
JASPI Authentication
To authenticate a user using JASPI (Java Authentication Service Provider Interface), add these properties to cdap-site.xml:
...
In addition, any properties with the prefix security.authentication.handler., such as security.authentication.handler.hostname, will be provided to the handler. These properties, stripped of the prefix, will be used to instantiate the javax.security.auth.login.Configuration used by the LoginModule.
Custom Authentication
To use a Custom Authentication mechanism, set security.authentication.handlerClassName in cdap-site.xml to the custom handler's class name. Any properties that are set in either cdap-site.xml or cdap-security.xml and that are prefixed with security.authentication.handler. are available through a Map<String, String> object and can be used to configure the handler.
To make your custom handler class available to the authentication service, copy your packaged jar file (and any additional dependency jars) to the security/lib/ directory within your CDAP installation (typically under /opt/cdap).
Configuring Exemptions from Authentication
Sometimes, you need to exempt certain URLs from authentication. For example, you might want to secure your entire application, except that you want to allow management of artifacts by unauthenticated clients. For this, you can configure the CDAP Router to bypass the authentication for URLs that match a given regular expression, by adding this property in cdap-site.xml:
...
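Because an exemption regular expression that is broader than intended silently removes authentication from other endpoints, it is worth checking a candidate expression before deploying it. The following Python check is an added example, not code from the CDAP documentation. The request paths and candidate expressions are constructed for illustration, and it assumes the router compares the expression with the whole request path.

```python
import re

# Constructed request paths, each labelled with whether the operator
# intends it to be reachable without authentication.
SAMPLE_PATHS = [
    ("/v3/namespaces/default/artifacts", True),
    ("/v3/namespaces/default/artifacts/wordcount/versions/1.0.0", True),
    ("/v3/namespaces/default/apps", False),
    ("/v3/namespaces/default/securekeys", False),
    ("/v3/namespaces/default/apps/artifacts-report", False),
    ("/v3/namespaces/default/artifactsecrets", False),
]

# Constructed candidate expressions for the exemption property.
CANDIDATES = {
    "too broad": r"/v3/namespaces/.*artifacts.*",
    "missing boundary": r"/v3/namespaces/[^/]+/artifacts.*",
    "scoped": r"/v3/namespaces/[^/]+/artifacts(/.*)?",
}


def audit_bypass_regex(pattern, samples=SAMPLE_PATHS):
    """Return (over_exempt, under_exempt) path lists for one regex.

    Assumption: the regex is compared with the whole request path,
    so re.fullmatch is used rather than re.search.
    """
    compiled = re.compile(pattern)
    over_exempt, under_exempt = [], []
    for path, intended in samples:
        exempt = compiled.fullmatch(path) is not None
        if exempt and not intended:
            over_exempt.append(path)   # authentication skipped by accident
        elif intended and not exempt:
            under_exempt.append(path)  # exemption does not take effect
    return over_exempt, under_exempt


if __name__ == "__main__":
    for label, pattern in CANDIDATES.items():
        over, under = audit_bypass_regex(pattern)
        print(f"{label}: {pattern}")
        for path in over:
            print(f"  UNINTENDED BYPASS  {path}")
        for path in under:
            print(f"  STILL PROTECTED    {path}")
        if not over and not under:
            print("  matches the intended exemptions only")
```

Replace the sample paths with the endpoints your deployment actually exposes, and keep the check alongside the configuration so that any change to the expression is re-audited.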