CDAP integrates with Apache Hadoop Key Management Server (KMS) as the backend for Secure Storage. To use this secure storage implementation, set security.store.provider to kms in cdap-site.xml.

...

Additionally, the /etc/hadoop/kms-acls.xml file on the KMS host should be updated to include users with appropriate permissions.

  • If impersonation is enabled and KMS-backed secure storage is used from programs, the impersonated user should be given appropriate permissions in /etc/hadoop/kms-acls.xml.

  • If KMS-backed secure storage is used through the Secure Storage Microservices, the CDAP logged-in user should be given appropriate permissions in /etc/hadoop/kms-acls.xml.

On a cluster managed with Cloudera Manager, these permissions can be set in the Key Management Server Advanced Configuration Snippet (Safety Valve) for kms-acls.xml setting on the Configuration page for KMS.
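
To confirm that an impersonated user or a CDAP logged-in user actually holds the permissions described above, the ACL file can be checked before relying on it. The following is an added example, not code from CDAP or Hadoop: the sample file contents, the user and group names, and the list of required operations are assumptions to adapt to your deployment. It reports operations that are open to everyone, including operations left unset in kms-acls.xml, which Hadoop KMS treats as `*`.

```python
import xml.etree.ElementTree as ET

# Constructed sample kms-acls.xml; user and group names are hypothetical.
SAMPLE_KMS_ACLS = """<configuration>
  <property><name>hadoop.kms.acl.CREATE</name><value>cdap,alice</value></property>
  <property><name>hadoop.kms.acl.DELETE</name><value>cdap</value></property>
  <property><name>hadoop.kms.acl.GET</name><value>cdap kmsusers</value></property>
  <property><name>hadoop.kms.acl.GET_METADATA</name><value>*</value></property>
</configuration>"""

# Assumption: the operations your secure storage usage needs; adjust as required.
REQUIRED_OPS = ("CREATE", "DELETE", "GET", "GET_KEYS", "GET_METADATA")
PREFIX = "hadoop.kms.acl."

def load_acls(xml_text):
    """Return {operation: raw ACL string} for every hadoop.kms.acl.* property."""
    acls = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            acls[name[len(PREFIX):]] = prop.findtext("value") or ""
    return acls

def check_user(acls, user, groups=(), required=REQUIRED_OPS):
    """Map each required operation to granted / denied / wildcard / unset-wildcard."""
    report = {}
    for op in required:
        if op not in acls:
            report[op] = "unset-wildcard"  # Hadoop KMS treats an unset ACL as "*"
        elif acls[op].strip() == "*":
            report[op] = "wildcard"        # every authenticated user is allowed
        else:
            # Hadoop ACL syntax: "user1,user2 group1,group2"
            users, _, grps = acls[op].partition(" ")
            allowed_users = {u.strip() for u in users.split(",") if u.strip()}
            allowed_groups = {g.strip() for g in grps.split(",") if g.strip()}
            hit = user in allowed_users or bool(allowed_groups & set(groups))
            report[op] = "granted" if hit else "denied"
    return report

if __name__ == "__main__":
    for op, status in check_user(load_acls(SAMPLE_KMS_ACLS), "alice").items():
        print(f"{op:13} {status}")
```

A result of `wildcard` or `unset-wildcard` means the operation is not restricted to the intended user, so those entries are worth tightening rather than treating as a pass.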