Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In this situation, all requests coming into the CDAP backend are already authenticated, and the proxy injects user identity information in HTTP request headers in order to propagate the user identity to CDAP for authorization. In PROXY mode, CDAP does not perform any authentication; rather, all requests coming into CDAP are implicitly trusted.

Background

The proxy may propagate two values, the User Identity and the User Credentials, to CDAP. CDAP creates a corresponding Principal object with the name directly set as the User Identity and the credentials set as the credentials. The Principal is then used to pass this information to the user-provided authorization extension to perform authorization enforcement via the Authorizer and AuthorizationEnforcer SPIs.

The User Identity is passed from the proxy to CDAP via a configurable header, whereas the User Credentials are passed to CDAP via the Authorization header. The User Identity is required for audit logging purposes and, as such, must be included on every request, whereas the User Credentials are optional.

Configuration

These are the list of additional configurations specified in cdap-site.xml that will be used while setting up for proxy mode:

...