...
We recommend that in order for CDAP to be secure, CDAP security should always be used in conjunction with secure Hadoop clusters. In cases where secure Hadoop is not or cannot be used, it is inherently insecure and any applications running on the cluster are effectively "trusted”. Although there is still value in having perimeter security, authorization enforcement, and secure storage in that situation, whenever possible a secure Hadoop cluster should be employed with CDAP security.
...
cdap-site.xmlhas non-sensitive information, such as the type of authentication, authorization, and secure storage mechanisms, and their configuration.cdap-security.xmlis used to store sensitive information such as keystore passwords and SSL certificate keys. It should be owned and readable only by the CDAP user.
These files are shown in Appendix: cdap-site.xml, cdap-default.xml, and Appendix: cdap-security.xml.
...