Setting up the secure store
...
File based provider is supported in the InMemory and Standalone modes while Hadoop KMS based provider is supported in the distributed mode.
<property>
<name>security.store.provider</name>
<value>kms</value>
<description>
Backend provider for the secure store
</description>
</property>
If the cluster is set to use kerberos for authentication, then using the Hadoop KMS based provider, then /etc/hadoop/kms-acls.xml needs to be updated to include users with appropriate permissions. For more details on how to edit that file please look at Hadoop Key Management Server.
If using the file based provider, the password to control access to the file needs to be set. To set the password please add the following property to your cdap-security.xml. The file needs to be created if not present.
If the JCEKS
<property>
<name>security.store.file.password</name>
<value>your password</value>
<description>
Password to access the key store
</description>
</property>
If the file based provider is selected, the path and the filename of the backing file can be configured using
<property>
<name>security.store.file.path</name>
<value>${local.data.dir}/store</value>
<description>
Location of the encrypted file which holds the secure store entries
</description>
</property>
and
<property>
<name>security.store.file.name</name>
<value>securestore</value>
<description>
Name of the secure store file
</description>
</property>
Accessing the store
There are two APIs that enable writing to and reading from the store.
...