Versions Compared

Old Version 3

changes.mady.by.user Robin Rielley

Saved on

compared with

New Version 4

changes.mady.by.user Robin Rielley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

CDAP provides several ways to authenticate a client’s identity:

  • Basic Authentication

  • LDAP Authentication

  • JASPI Authentication

  • Custom Authentication

Basic Authentication

The simplest way to identity a client is to authenticate against a realm file. To configure basic authentication add these properties to cdap-site.xml:

...

In CDAP Sandbox, the realm file can be specified as conf/realmfile and placed with the cdap-site.xml file. Note that it is not advisable to use this method of authentication. In production, we recommend using any of the other methods described below.

LDAP Authentication

You can configure CDAP to authenticate against an LDAP instance by adding these properties to cdap-site.xml:

...

Property

Default Value

Value

Description

security.authentication.handler.useLdaps

false

true

Set to true to enable use of LDAPS

security.authentication.handler.ldapsVerifyCertificate

true

true

Set to true to enable verification of the SSL certificate used by the LDAP server

LDAP with Active Directory

The following properties are listed as "optional" for LDAP but are required if you are using LDAP with Active Directory.

...

For Active Directory, the property security.authentication.handler.userBaseDn should NOT include the group information. It should return the full list of users in the organization or domain. The group information should be included in the property security.authentication.handler.roleBaseDn and will only allow access to these users.

JASPI Authentication

To authenticate a user using JASPI (Java Authentication Service Provider Interface) add these properties to cdap-site.xml:

...

In addition, any properties with the prefix security.authentication.handler., such as security.authentication.handler.hostname, will be provided to the handler. These properties, stripped of the prefix, will be used to instantiate the javax.security.auth.login.Configuration used by the LoginModule.

Custom Authentication

To use a Custom Authentication mechanism, set the security.authentication.handlerClassName in cdap-site.xml with the custom handler's classname. Any properties set in either cdap-site.xml or cdap-security.xml and that are prefixed with security.authentication.handler. are available through a Map<String, String> object and can be used to configure the handler.

...

The Developer Manual Custom Authentication section shows how to create a Custom Authentication Mechanism.

Configuring Exemptions from Authentication

Sometimes you need to exempt certain URLs from authentication. For example, you may want to secure your entire application, except that you want to allow sending data to a stream by unauthenticated clients. For this, you can configure the CDAP Router to bypass the authentication for URLs that match a given regular expression, by adding this property in cdap-site.xml:

...