...
The simplest way to identify a client is to authenticate against a realm file. To configure basic authentication, add these properties to cdap-site.xml:
| Property | Value | Description |
|---|---|---|
| | | Name of the class handling authentication. |
| | | An absolute or relative path to the realm file. |

Because the realm file holds the credentials of every basic-authentication user, restrict its filesystem permissions to the account the CDAP authentication server runs as.
The realm file is of the following format:
...
You can configure CDAP to authenticate against an LDAP instance by adding these properties to cdap-site.xml:
| Property | Value | Description |
|---|---|---|
| | | Name of the class handling authentication. |
| | | Name of a class used as a custom login module for authentication. |
| | | Set to |
| security.authentication.handler.hostname | | LDAP server host. |
| | | LDAP server port. |
| security.authentication.handler.userBaseDn | | Distinguished Name of the root for user account entries in the LDAP directory. |
| | | LDAP object attribute holding the username, used when searching by role DN. |
| | | LDAP object class used to store user entries. |
In addition, you may configure these optional properties in cdap-site.xml:
| Property | Value | Description |
|---|---|---|
| security.authentication.handler.userIdAttribute | | LDAP object attribute containing the username. |
| | | LDAP object attribute containing the user password. |
| security.authentication.handler.roleBaseDn | | Distinguished Name of the root of the LDAP tree to search for group memberships. |
| security.authentication.handler.roleNameAttribute | | LDAP object attribute specifying the group name. |
| security.authentication.handler.roleMemberAttribute | | LDAP object attribute specifying the group members. |
| security.authentication.handler.roleObjectClass | | LDAP object class used to store group entries. |
If the LDAP instance requires binding as a specific user, you may configure these optional properties in cdap-security.xml:
| Property | Value | Description |
|---|---|---|
| security.authentication.handler.bindDn | | The Distinguished Name used to bind to the LDAP server and search the directory. |
| security.authentication.handler.bindPassword | | The password used to bind to the LDAP server. |

The bind password is stored in cleartext, which is why it belongs in cdap-security.xml rather than cdap-site.xml: keep that file readable only by the account the authentication server runs as, and give the bind account read-only access to the directory.
To enable SSL between the authentication server and the LDAP instance, configure these properties in cdap-site.xml:
| Property | Default Value | Value | Description |
|---|---|---|---|
| | | | Set to |
| | | | Set to |

Every user's login credentials, and the bind password if one is configured, travel over this connection. Enable SSL outside of test environments and do not turn off verification of the LDAP server's certificate: without verification, an on-path attacker can present a certificate of their own and read those credentials.
LDAP with Active Directory
The following properties are listed as "optional" for LDAP but are required if you are using LDAP with Active Directory:

- security.authentication.handler.userIdAttribute
- security.authentication.handler.bindDn
- security.authentication.handler.bindPassword
When using group-based authentication, you also need the following properties to restrict access to members of a group:

- security.authentication.handler.roleBaseDn
- security.authentication.handler.roleMemberAttribute
- security.authentication.handler.roleNameAttribute
- security.authentication.handler.roleObjectClass
For Active Directory, the property security.authentication.handler.userBaseDn should NOT include the group information; it should be the root under which the full set of users in the organization or domain is found. Put the group information in security.authentication.handler.roleBaseDn instead; only members of that group are then allowed access.
...
To authenticate a user using JASPI (Java Authentication Service Provider Interface), add these properties to cdap-site.xml:
| Property | Value | Description |
|---|---|---|
| | | Name of the class handling authentication. |
| | | Name of the class of the login module handling authentication. |
In addition, any properties with the prefix security.authentication.handler., such as security.authentication.handler.hostname, are passed to the handler. With the prefix stripped, they are used to instantiate the javax.security.auth.login.Configuration used by the LoginModule.
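The following is an added Python example, not CDAP's own code, that ties the Active Directory guidance above to the prefix-stripping behaviour just described. It builds constructed cdap-site.xml and cdap-security.xml fragments for an Active Directory setup, using the property names this page lists; the hostname, DNs and attribute values are illustrative, and both the Hadoop-style property XML layout and the precedence of cdap-security.xml over cdap-site.xml are assumptions. It then derives the option map a LoginModule would receive once the security.authentication.handler. prefix is stripped, checks that the properties required for Active Directory are present and that userBaseDn is not the group DN, and flags a bind password that was left in cdap-site.xml.

```python
"""Added example, not CDAP's own code: derive LoginModule options from
constructed configuration fragments and run the checks described above."""
import xml.etree.ElementTree as ET

PREFIX = "security.authentication.handler."
SECRET_KEYS = {"bindPassword"}
AD_REQUIRED = ("userIdAttribute", "bindDn", "bindPassword")
AD_GROUP_KEYS = ("roleBaseDn", "roleMemberAttribute", "roleNameAttribute", "roleObjectClass")


def config_xml(pairs):
    """Render Hadoop-style configuration XML; assumed to be the cdap-site.xml layout."""
    body = "".join(
        f"  <property><name>{n}</name><value>{v}</value></property>\n" for n, v in pairs)
    return f'<?xml version="1.0"?>\n<configuration>\n{body}</configuration>\n'


# Constructed cdap-site.xml: users root without the group, group in roleBaseDn.
# The bindPassword entry is a deliberate mistake for misplaced_secrets() to catch.
SITE_XML = config_xml([
    (PREFIX + "hostname", "ad.example.com"),
    (PREFIX + "userBaseDn", "CN=Users,DC=example,DC=com"),
    (PREFIX + "userIdAttribute", "sAMAccountName"),
    (PREFIX + "roleBaseDn", "CN=cdap-users,OU=Groups,DC=example,DC=com"),
    (PREFIX + "roleMemberAttribute", "member"),
    (PREFIX + "roleNameAttribute", "cn"),
    (PREFIX + "roleObjectClass", "group"),
    (PREFIX + "bindPassword", "left-in-the-wrong-file"),
])

# Constructed cdap-security.xml: the bind credentials belong here.
SECURITY_XML = config_xml([
    (PREFIX + "bindDn", "CN=cdap-bind,CN=Users,DC=example,DC=com"),
    (PREFIX + "bindPassword", "s3cret"),
])


def parse_properties(xml_text):
    """Return {name: value} for every <property> element in a configuration file."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def handler_options(site_xml, security_xml):
    """Merge both files (assumption: cdap-security.xml takes precedence), keep
    the handler properties and strip the prefix as the page describes."""
    merged = parse_properties(site_xml)
    merged.update(parse_properties(security_xml))
    return {k[len(PREFIX):]: v for k, v in merged.items() if k.startswith(PREFIX)}


def misplaced_secrets(site_xml):
    """Secret-bearing handler keys found in cdap-site.xml instead of cdap-security.xml."""
    return sorted(k[len(PREFIX):] for k in parse_properties(site_xml)
                  if k.startswith(PREFIX) and k[len(PREFIX):] in SECRET_KEYS)


def ad_findings(options):
    """Checks derived from the Active Directory guidance on this page."""
    findings = [f"{k} is required for Active Directory" for k in AD_REQUIRED if k not in options]
    missing_group = [k for k in AD_GROUP_KEYS if k not in options]
    if missing_group and len(missing_group) != len(AD_GROUP_KEYS):
        findings.append("group filtering partially configured, missing: " + ", ".join(missing_group))
    if options.get("userBaseDn") and options.get("userBaseDn") == options.get("roleBaseDn"):
        findings.append("userBaseDn points at the group; use the users root and keep the group in roleBaseDn")
    return findings


if __name__ == "__main__":
    opts = handler_options(SITE_XML, SECURITY_XML)
    for key, value in sorted(opts.items()):
        print(f"{key} = {'<redacted>' if key in SECRET_KEYS else value}")
    print("misplaced secrets:", misplaced_secrets(SITE_XML))
    print("findings:", ad_findings(opts) or "none")
```

Run it against your real files by replacing the constructed strings with the file contents; the misplaced-secret check is the one most worth keeping in a deployment pipeline, since cdap-site.xml is usually far more widely readable than cdap-security.xml.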
...
Sometimes you need to exempt certain URLs from authentication. For example, you might want to secure your entire application except for allowing unauthenticated clients to manage artifacts. For this, you can configure the CDAP Router to bypass authentication for URLs that match a given regular expression, by adding this property to cdap-site.xml:
| Property | Value | Description |
|---|---|---|
| | | Regular expression to match URLs that are exempt from authentication. |

Every request whose URL matches the expression reaches the backend with no authenticated identity, so anchor the expression and keep it as narrow as possible; an unanchored or wildcard-heavy pattern can also exempt the same endpoints in other namespaces.
For example, the following configuration in cdap-site.xml will allow unauthenticated calls to the artifact endpoints in the default namespace:
...
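As an added Python example, not CDAP's own code, the following dry-runs a candidate bypass expression against representative request paths before it goes into cdap-site.xml, so you can see exactly which endpoints would stop requiring authentication. The paths follow the style of CDAP's v3 REST API but are constructed for this example, the exact routes are not taken from the page, and whether the router requires the whole path to match is an assumption; the checker shows both whole-path and find-anywhere semantics because an anchored pattern behaves the same under either.

```python
"""Added example, not CDAP's own code: report which constructed request paths a
candidate bypass regular expression would exempt from authentication."""
import posixpath
import re

# Constructed sample paths in the style of CDAP's v3 REST API (illustrative).
SAMPLE_PATHS = [
    "/v3/namespaces/default/artifacts",
    "/v3/namespaces/default/artifacts/my-app/versions/1.0.0",
    "/v3/namespaces/default/apps",                # must stay protected
    "/v3/namespaces/prod/artifacts",              # another namespace
    "/v3/namespaces/default/artifactsX",          # prefix collision
    "/v3/namespaces/default/artifacts/../apps",   # dot segments
]

# Too broad: exempts the artifact endpoints of every namespace.
LOOSE = r".*artifacts.*"
# Anchored at both ends; path segments may not start with '.', so dot segments are rejected.
TIGHT = r"^/v3/namespaces/default/artifacts(/[A-Za-z0-9][A-Za-z0-9._-]*)*$"


def exempt_paths(regex, paths, whole_path=True):
    """Paths the regex would exempt. whole_path=True requires the entire path
    to match (assumed router behaviour); False shows what the same pattern
    exempts if the router only looks for a match anywhere in the path."""
    pattern = re.compile(regex)
    matcher = pattern.fullmatch if whole_path else pattern.search
    return [p for p in paths if matcher(p)]


def unexpected_exemptions(regex, paths, allowed_prefix, whole_path=True):
    """Exempted paths that, after collapsing dot segments, do not sit under the
    endpoint you meant to open up. Whether the service behind the router
    collapses dot segments itself is something to test, not assume."""
    out = []
    for p in exempt_paths(regex, paths, whole_path):
        norm = posixpath.normpath(p)
        if norm != allowed_prefix and not norm.startswith(allowed_prefix + "/"):
            out.append(p)
    return out


if __name__ == "__main__":
    target = "/v3/namespaces/default/artifacts"
    for name, regex in (("loose", LOOSE), ("tight", TIGHT)):
        print(f"{name}: exempt={exempt_paths(regex, SAMPLE_PATHS)}")
        print(f"{name}: unexpected={unexpected_exemptions(regex, SAMPLE_PATHS, target)}")
```

The literal, unanchored form of the target path is the instructive middle case: under find-anywhere semantics it also exempts the prefix-collision and dot-segment paths, which is why the anchored TIGHT form with an explicit end anchor is the one to ship.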