Enabling Perimeter Security
Follow the instructions below for enabling perimeter security, either for CDAP Sandbox or Distributed CDAP, depending on your installation. Client authentication, once security has been enabled, is described in the Developer Manual section Client Authentication.
Enabling Perimeter Security (CDAP Sandbox)
To enable security in CDAP Sandbox, add these properties to cdap-site.xml:
Property | Value | Description |
---|---|---|
| | | Enables authentication for CDAP. When set to |
| | | CDAP Authentication service announce address, in the format of host:port. This is the address that clients should use to communicate with the Authentication Server. Leave empty (the default value) to use the default address generated by the Authentication Server. |
| | | IP address that the CDAP Authentication Server should bind to (default value shown) |
| | | CDAP Authentication service bind port (default value shown) |
Client Authentication then needs to be configured, as described below under Configuring Authentication Mechanisms. With CDAP Sandbox, the simplest is Basic Authentication.
Enabling Perimeter Security (Distributed CDAP)
To enable security in Distributed CDAP, add these properties to cdap-site.xml:
Property | Value | Description |
---|---|---|
| | | Enables authentication for CDAP. When set to |
| | | CDAP Authentication service announce address, in the format of host:port. This is the address that clients should use to communicate with the Authentication Server. Leave empty (the default value) to use the default address generated by the Authentication Server. |
| | | IP address that the CDAP Authentication Server should bind to (default value shown) |
| | | CDAP Authentication service bind port (default value shown) |
Configuring Kerberos (required)
To configure Kerberos authentication for the various CDAP services, add these properties to cdap-site.xml:
Property | Value | Description |
---|---|---|
| | | |
| | | |
| | | Kerberos keytab file path, either absolute or relative |
| | | Kerberos principal associated with the keytab |
Configuring ZooKeeper (required)
To configure ZooKeeper to enable SASL authentication, add the following to your zoo.cfg:
```
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
```
This lets ZooKeeper use the SASLAuthenticationProvider as an auth provider, and the jaasLoginRenew line (a value in milliseconds) causes the ZooKeeper server to renew its Kerberos ticket once an hour.
Then, create a jaas.conf file for your ZooKeeper server:
The keytab file must be readable by the ZooKeeper server, and <your-zookeeper-principal> must correspond to the keytab file.
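As an added illustration (not taken from the CDAP documentation), this is the shape a ZooKeeper server JAAS configuration usually takes. The `Server` section name is what the ZooKeeper server looks up by default; the keytab path and the principal are placeholders that must be replaced with your own keytab and the <your-zookeeper-principal> it contains.

```conf
// Added example of a ZooKeeper server JAAS configuration; not from the CDAP
// documentation. The keytab path and principal below are placeholders: use the
// keytab created for your ZooKeeper service and the principal stored in it.
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  principal="zookeeper/zk1.example.com@EXAMPLE.COM";
};
```

Because `useTicketCache=false` and `useKeyTab=true` are set, the server authenticates from the keytab alone, which is what allows the jaasLoginRenew setting in zoo.cfg to renew the ticket without an interactive login. The file should carry the same owner-only permissions as the keytab it points to.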
Finally, start the ZooKeeper server with the following JVM option:
```
-Djava.security.auth.login.config=/path/to/jaas.conf
```
Accessing CDAP Services with SSL
To enable running the CDAP Router with SSL, add this property to cdap-site.xml:
Property | Value | Description |
---|---|---|
| | | |
Default Ports
Without SSL, these properties have the following default values unless set explicitly:
Property | Default Value | Description |
---|---|---|
| | | Port number that the CDAP Router should bind to for HTTP connections |
| | | Port number that the CDAP Authentication Server should bind to for HTTP connections |
| | | Port number that the CDAP UI should bind to for HTTP connections |
With SSL, these properties have the following default values unless set explicitly:
Property | Default Value | Description |
---|---|---|
| | | Port number that the CDAP Router should bind to for HTTPS connections |
| | | Port number that the CDAP Authentication Server should bind to for HTTPS connections |
| | | Port number that the CDAP UI should bind to for HTTPS connections |
Configuring SSL for the Authentication Server
To configure the granting of AccessTokens via SSL, add these properties to cdap-security.xml:
Property | Value | Description |
---|---|---|
| | | Keystore file location, either absolute or relative; the file should be owned and readable only by the CDAP user |
| | | Keystore password |
| | | Keystore key password |
| | | Keystore file type (default |
To configure client-certificate-based authentication via 2-way SSL, add these properties to cdap-site.xml:
Property | Value | Description |
---|---|---|
| | | Truststore file location, either absolute or relative; the file should be owned and readable only by the CDAP user |
| | | Keystore password |
| | | Keystore file type (default |
Configuring SSL for the Router
To configure SSL for the Router, add these properties to cdap-security.xml:
Property | Value | Description |
---|---|---|
| | | Keystore file location, either absolute or relative; the file should be owned and readable only by the CDAP user |
| | | Keystore password |
| | | Keystore key password |
| | | Keystore file type (default |
Configuring SSL for the CDAP UI
To enable SSL for the CDAP UI, add these properties to cdap-security.xml:
Property | Value | Description |
---|---|---|
| | | SSL cert file location, either absolute or relative; the file should be owned and readable only by the CDAP user |
| | | SSL key file location, either absolute or relative; the file should be owned and readable only by the CDAP user |
Note: To enable SSL for the CDAP UI and allow self-signed certificates, add this property to cdap-site.xml:
Property | Value | Description |
---|---|---|
| | | |
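Every keystore, truststore, certificate and key file referenced in the Authentication Server, Router and UI tables above is required to be owned by the CDAP user and readable by nobody else, since each holds private key material or the password-protected container for it. The following POSIX shell function is an added example (not part of the CDAP documentation) that verifies exactly that for a list of files; the file paths in the usage comment are constructed placeholders, and the service account name `cdap` is an assumption.

```shell
#!/bin/sh
# Added example (not part of the CDAP documentation): confirm that a TLS
# keystore, truststore, certificate or private-key file is owned by the CDAP
# service account and carries no group or other permission bits.
#
# check_private_file FILE OWNER
#   prints "ok" and returns 0 when FILE exists, is owned by OWNER and is
#   accessible by the owner only; otherwise prints each problem found and
#   returns 1.
check_private_file() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # 'ls -ld' prints e.g. "-rw------- 1 cdap cdap 2345 Jan  1 12:00 /path";
    # field 1 is the mode string and field 3 the owner. Parsing this works
    # with both GNU and BSD ls, whereas the 'stat' flag syntax differs.
    # Positional parameters are local to the function, so 'set --' is safe.
    set -- $(ls -ld "$file")
    mode=$1
    file_owner=$3
    status=0
    if [ "$file_owner" != "$owner" ]; then
        echo "bad owner: $file is owned by $file_owner, expected $owner"
        status=1
    fi
    # Characters 5-10 of the mode string are the group and other bits. Anything
    # other than six dashes there means a non-owner can read or modify the key
    # material. The trailing '*' tolerates the '.', '+' or '@' suffix that some
    # systems append for SELinux contexts, ACLs or extended attributes.
    case $mode in
        ????------*) ;;
        *)
            echo "bad mode: $file has permissions $mode; expected owner-only (0600 or 0400)"
            status=1
            ;;
    esac
    [ "$status" -eq 0 ] && echo "ok"
    return "$status"
}

# Usage: sh check_tls_files.sh <cdap-user> <file>...
# e.g.   sh check_tls_files.sh cdap /etc/cdap/conf/router.jks /etc/cdap/conf/ui.key
# The paths are constructed placeholders; use the locations configured in
# cdap-security.xml. Exit status is non-zero if any file fails a check.
if [ $# -ge 2 ]; then
    user=$1
    shift
    rc=0
    for f in "$@"; do
        check_private_file "$f" "$user" || rc=1
    done
    exit "$rc"
fi
```

Run it as the last step after placing the files and before starting the Router, Authentication Server and UI; a non-zero exit means at least one file is readable by an account other than the one the services run as.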
Enabling Access Logging
To enable access logging, add the following to logback.xml (typically under /etc/cdap/conf/):
```xml
<appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <file>access.log</file>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>access.log.%d{yyyy-MM-dd}</fileNamePattern>
    <maxHistory>30</maxHistory>
  </rollingPolicy>
  <encoder>
    <pattern>%msg%n</pattern>
  </encoder>
</appender>
<logger name="http-access" level="TRACE" additivity="false">
  <appender-ref ref="AUDIT" />
</logger>
<appender name="EXTERNAL_AUTH_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <file>external_auth_access.log</file>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>external_auth_access.log.%d{yyyy-MM-dd}</fileNamePattern>
    <maxHistory>30</maxHistory>
  </rollingPolicy>
  <encoder>
    <pattern>%msg%n</pattern>
  </encoder>
</appender>
<logger name="external-auth-access" level="TRACE" additivity="false">
  <appender-ref ref="EXTERNAL_AUTH_AUDIT" />
</logger>
```
You may also change the file being logged to by changing the path under <file>...</file>.
Configuring Authentication Mechanisms
...