Enabling Perimeter Security

Follow the instructions below for enabling perimeter security, either for CDAP Sandbox or Distributed CDAP, depending on your installation. Client authentication, once security has been enabled, is described in the Developer Manual section Client Authentication.

Enabling Perimeter Security (CDAP Sandbox)

To enable security in CDAP Sandbox, add these properties to cdap-site.xml:

Property | Value | Description
security.enabled | true | Enables authentication for CDAP. When set to true, all requests to CDAP must provide a valid access token.
security.auth.server.announce.address | (empty) | CDAP Authentication Server announce address, in the format host:port. This is the address that clients should use to communicate with the Authentication Server. Leave empty (the default) to use the address generated by the Authentication Server.
security.auth.server.bind.address | 0.0.0.0 | IP address that the CDAP Authentication Server should bind to (default value shown). 0.0.0.0 binds every interface of the host; bind a specific address if the Authentication Server should not be reachable from all networks the host is on.
security.auth.server.bind.port | 10009 | CDAP Authentication Server bind port (default value shown)

Client authentication then needs to be configured, as described below under Configuring Authentication Mechanisms. With CDAP Sandbox, the simplest is Basic Authentication; note that Basic Authentication sends the username and password with each token request, so it should only be used over SSL (see Accessing CDAP Services with SSL below) or on a trusted network.

Enabling Perimeter Security (Distributed CDAP)

To enable security in Distributed CDAP, add these properties to cdap-site.xml:

Property | Value | Description
security.enabled | true | Enables authentication for CDAP. When set to true, all requests to CDAP must provide a valid access token.
security.auth.server.announce.address | (empty) | CDAP Authentication Server announce address, in the format host:port. This is the address that clients should use to communicate with the Authentication Server. Leave empty (the default) to use the address generated by the Authentication Server.
security.auth.server.bind.address | 0.0.0.0 | IP address that the CDAP Authentication Server should bind to (default value shown). 0.0.0.0 binds every interface of the host; bind a specific address if the Authentication Server should not be reachable from all networks the host is on.
security.auth.server.bind.port | 10009 | CDAP Authentication Server bind port (default value shown)

For Distributed CDAP, Kerberos and ZooKeeper SASL authentication must also be configured, as described in the next two sections.

Configuring Kerberos (required)

To configure Kerberos authentication for the CDAP services, add these properties to cdap-site.xml:

Property | Value | Description
kerberos.auth.enabled | ${security.enabled} | true to enable Kerberos authentication; the default shown takes the value of security.enabled, so it is already true once perimeter security is enabled
cdap.master.kerberos.keytab | <filepath> | Kerberos keytab file path, either absolute or relative; the file should be owned and readable only by the CDAP user
cdap.master.kerberos.principal | <principal> | Kerberos principal associated with the keytab

Configuring ZooKeeper (required)

To configure ZooKeeper to enable SASL authentication, add the following to your zoo.cfg:

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true

This lets ZooKeeper use the SASLAuthenticationProvider as an auth provider, and the jaasLoginRenew line (a value in milliseconds) causes the ZooKeeper server to renew its Kerberos ticket once an hour. The two kerberos.remove* settings strip the host and realm from authenticated principals, so that ZooKeeper ACLs match on the short principal name (for example cdap) rather than on cdap/host@REALM.

Then, create a jaas.conf file for your ZooKeeper server:
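As an added example (this listing is not from the original page), a jaas.conf containing the standard ZooKeeper Server login entry; the keytab path /path/to/zookeeper.keytab is a placeholder, and <your-zookeeper-principal> is the principal referred to below:

```text
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="<your-zookeeper-principal>";
};
```

The entry name Server is the one the ZooKeeper server looks up by default; useTicketCache=false makes the server rely solely on the keytab, so it does not depend on a ticket cache owned by whoever started the process.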

The keytab file must be readable by the ZooKeeper server, and <your-zookeeper-principal> must correspond to the keytab file.

Finally, start the ZooKeeper server with the following JVM option:

-Djava.security.auth.login.config=/path/to/jaas.conf

Accessing CDAP Services with SSL

To enable SSL on the externally facing CDAP services (Router, Authentication Server and CDAP UI), add this property to cdap-site.xml:

Property | Value | Description
ssl.external.enabled | true | true to enable SSL for external services

Each service then needs its own keystore or certificate, as described in the following sections. Without SSL, access tokens (and, with Basic Authentication, user credentials) cross the network in the clear.

Default Ports

Without SSL, these properties have these default values unless set specifically:

Property | Default Value | Description
router.bind.port | 11015 | Port number that the CDAP Router should bind to for HTTP connections
security.auth.server.bind.port | 10009 | Port number that the CDAP Authentication Server should bind to for HTTP connections
dashboard.bind.port | 11011 | Port number that the CDAP UI should bind to for HTTP connections

With SSL, these properties have these default values unless set specifically:

Property | Default Value | Description
router.ssl.bind.port | 10443 | Port number that the CDAP Router should bind to for HTTPS connections
security.auth.server.ssl.bind.port | 10010 | Port number that the CDAP Authentication Server should bind to for HTTPS connections
dashboard.ssl.bind.port | 9443 | Port number that the CDAP UI should bind to for HTTPS connections

Firewall rules should admit only the ports of the mode actually in use.

Configuring SSL for the Authentication Server

To configure the granting of AccessTokens via SSL, add these properties to cdap-security.xml:

Property | Value | Description
security.auth.server.ssl.keystore.path | <filepath> | Keystore file location, either absolute or relative; the file should be owned and readable only by the CDAP user
security.auth.server.ssl.keystore.password | <password> | Keystore password
security.auth.server.ssl.keystore.keypassword | <password> | Keystore key password
security.auth.server.ssl.keystore.type | JKS | Keystore file type (default JKS)

To configure client certificate based authentication via 2-way SSL, add these properties to cdap-site.xml:

Property | Value | Description
security.auth.server.ssl.truststore.path | <filepath> | Truststore file location, either absolute or relative; the file should be owned and readable only by the CDAP user
security.auth.server.ssl.truststore.password | <password> | Truststore password
security.auth.server.ssl.truststore.type | JKS | Truststore file type (default JKS)

The truststore should contain only the CA certificates that are allowed to issue client certificates: any client certificate that chains to a CA in the truststore will be accepted for authentication.

Configuring SSL for the Router

To configure SSL for the Router, add these properties to cdap-security.xml:

Property | Value | Description
router.ssl.keystore.path | <filepath> | Keystore file location, either absolute or relative; the file should be owned and readable only by the CDAP user
router.ssl.keystore.password | <password> | Keystore password
router.ssl.keystore.keypassword | <password> | Keystore key password
router.ssl.keystore.type | JKS | Keystore file type (default JKS)

Configuring SSL for the CDAP UI

To enable SSL for the CDAP UI, add these properties to cdap-security.xml:

Property | Value | Description
dashboard.ssl.cert | <filepath> | SSL certificate file location, either absolute or relative; the file should be owned and readable only by the CDAP user
dashboard.ssl.key | <filepath> | SSL private key file location, either absolute or relative; the file should be owned and readable only by the CDAP user

Note: To enable SSL for the CDAP UI when the Router presents a self-signed certificate, add this property to cdap-site.xml:

Property | Value | Description
dashboard.ssl.disable.cert.check | true | true to disable SSL certificate checking from the CDAP UI

With certificate checking disabled, the UI accepts any certificate presented by the Router, so the UI-to-Router connection is no longer protected against interception. Use this setting only for testing; in production, give the Router a certificate the UI can verify.
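The following script is an added example, not CDAP's own code: it reads a cdap-site.xml and a cdap-security.xml and checks the settings covered above (security.enabled, kerberos.auth.enabled and its ${security.enabled} default, ssl.external.enabled, the keystore properties, and dashboard.ssl.disable.cert.check), reporting a weak configuration beside a hardened one. It assumes the Hadoop-style property layout that these files use; the two sample files, their paths and their passwords are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from any real deployment). cdap-site.xml and
# cdap-security.xml both use the Hadoop-style layout shown here.
WEAK_SITE = """
<configuration>
  <property><name>security.enabled</name><value>false</value></property>
  <property><name>kerberos.auth.enabled</name><value>${security.enabled}</value></property>
  <property><name>ssl.external.enabled</name><value>false</value></property>
  <property><name>dashboard.ssl.disable.cert.check</name><value>true</value></property>
  <property><name>router.ssl.keystore.password</name><value>changeit</value></property>
</configuration>
"""

HARDENED_SITE = """
<configuration>
  <property><name>security.enabled</name><value>true</value></property>
  <property><name>kerberos.auth.enabled</name><value>${security.enabled}</value></property>
  <property><name>cdap.master.kerberos.keytab</name><value>/etc/security/keytabs/cdap.keytab</value></property>
  <property><name>cdap.master.kerberos.principal</name><value>cdap@EXAMPLE.COM</value></property>
  <property><name>ssl.external.enabled</name><value>true</value></property>
</configuration>
"""

# Keystore material belongs in cdap-security.xml, which can carry tighter file permissions.
HARDENED_SECURITY = """
<configuration>
  <property><name>router.ssl.keystore.path</name><value>/etc/cdap/conf/router.jks</value></property>
  <property><name>router.ssl.keystore.password</name><value>example-only</value></property>
  <property><name>router.ssl.keystore.keypassword</name><value>example-only</value></property>
  <property><name>security.auth.server.ssl.keystore.path</name><value>/etc/cdap/conf/auth.jks</value></property>
  <property><name>security.auth.server.ssl.keystore.password</name><value>example-only</value></property>
  <property><name>security.auth.server.ssl.keystore.keypassword</name><value>example-only</value></property>
</configuration>
"""

_REF = re.compile(r"\$\{([^}]+)\}")


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style configuration file."""
    props = {}
    for prop in ET.fromstring(text.strip()).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def resolve(props, name):
    """Expand ${other.property} references (kerberos.auth.enabled defaults to ${security.enabled}).
    Expansion is bounded so a self-referencing value cannot loop forever."""
    value = props.get(name, "")
    for _ in range(10):
        match = _REF.search(value)
        if not match:
            break
        value = value[:match.start()] + props.get(match.group(1), "") + value[match.end():]
    return value


def is_true(value):
    return value.strip().lower() == "true"


def audit(site, security=None, distributed=True):
    """Check the perimeter-security settings from this page; return a list of findings (empty = clean)."""
    findings = []
    if not is_true(resolve(site, "security.enabled")):
        findings.append("security.enabled is not true: requests are accepted without an access token")
    if distributed and not is_true(resolve(site, "kerberos.auth.enabled")):
        findings.append("kerberos.auth.enabled does not resolve to true (required for Distributed CDAP)")
    ssl_on = is_true(resolve(site, "ssl.external.enabled"))
    if not ssl_on:
        findings.append("ssl.external.enabled is not true: Router, Authentication Server and UI speak plain HTTP, "
                        "so access tokens cross the network in the clear")
    if is_true(resolve(site, "dashboard.ssl.disable.cert.check")):
        findings.append("dashboard.ssl.disable.cert.check is true: the UI accepts any certificate from the Router")
    for name in sorted(site):
        if name.endswith((".keystore.password", ".keystore.keypassword")):
            findings.append(f"{name} is set in cdap-site.xml; keystore passwords belong in cdap-security.xml")
    if ssl_on:
        merged = {**site, **(security or {})}
        for prefix in ("router.ssl.keystore", "security.auth.server.ssl.keystore"):
            if not merged.get(prefix + ".path"):
                findings.append(f"{prefix}.path is missing although ssl.external.enabled is true")
    return findings


if __name__ == "__main__":
    for label, site, sec in (("weak", WEAK_SITE, None), ("hardened", HARDENED_SITE, HARDENED_SECURITY)):
        result = audit(parse_hadoop_xml(site), parse_hadoop_xml(sec) if sec else None)
        print(label, "->", result or "no findings")
```

Pass distributed=False for a CDAP Sandbox installation, where the Kerberos check does not apply. The script reads only the files it is given, so it can run against copies pulled from a host without access to the cluster.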

Enabling Access Logging

To enable access logging, add the following to logback.xml (typically under /etc/cdap/conf/):

<!-- Access log for HTTP requests to CDAP: one line per request, rotated daily, 30 days retained -->
<appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <file>access.log</file>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>access.log.%d{yyyy-MM-dd}</fileNamePattern>
    <maxHistory>30</maxHistory>
  </rollingPolicy>
  <encoder>
    <pattern>%msg%n</pattern>
  </encoder>
</appender>
<!-- additivity="false" keeps these lines out of the main CDAP log -->
<logger name="http-access" level="TRACE" additivity="false">
  <appender-ref ref="AUDIT" />
</logger>

<!-- Access log for requests to the external Authentication Server (token grants) -->
<appender name="EXTERNAL_AUTH_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <file>external_auth_access.log</file>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>external_auth_access.log.%d{yyyy-MM-dd}</fileNamePattern>
    <maxHistory>30</maxHistory>
  </rollingPolicy>
  <encoder>
    <pattern>%msg%n</pattern>
  </encoder>
</appender>
<logger name="external-auth-access" level="TRACE" additivity="false">
  <appender-ref ref="EXTERNAL_AUTH_AUDIT" />
</logger>

Both appenders use relative paths (access.log and external_auth_access.log), which are resolved against the working directory of the CDAP process; to log elsewhere, change the path in <file>...</file> and the matching <fileNamePattern>. These two files are the record of requests at the perimeter and of authentication attempts, so include them in whatever log collection feeds your monitoring.

Configuring Authentication Mechanisms

...