CDAP integrates with Apache Hadoop Key Management Server (KMS) as the backend for Secure Storage. To use this secure storage implementation, set security.store.provider to kms in cdap-site.xml.
...
Additionally, the /etc/hadoop/kms-acls.xml file on the KMS host should be updated to include users with appropriate permissions.
If impersonation is enabled and KMS-backed secure storage is used from programs, the impersonated user should be provided appropriate permissions in the
/etc/hadoop/kms-acls.xml.If it is used through the Secure Storage Microservices, the CDAP logged-in user should be provided appropriate permissions in the
/etc/hadoop/kms-acls.xml.
On a cluster managed with Cloudera Manager, these permissions can be set in the Key Management Server Advanced Configuration Snippet (Safety Valve) for kms-acls.xml setting on the Configuration page for KMS.