CDAP installation on Kubernetes was introduced in CDAP 6.2.3.

...

To enable the Authentication Service in a K8s environment to provide Perimeter Security, extra configuration is needed in the CDAP YAML file.

  1. Set the following configurations in the "config:" section of the CDAP YAML file.

    # Enable perimeter security 
    security.enabled: "true"
    # A key file generated by the AuthenticationTool that is mapped into the pod via k8s secret (see below for instructions)
    security.data.keyfile.path: "/etc/cdap/auth/auth.key"
    # Disable kerberos (it is defaulted to true when security.enabled is true)
    kerberos.auth.enabled: "false"
  2. Add configurations for the authentication handler under the "config:" section, based on Configuring Managed Authentication.

  3. Use the CDAP docker image to generate an "auth.key" file.

    docker run -it --rm \
      --mount type=bind,source="$(pwd)",target=/auth \
      gcr.io/cdapio/cdap:latest \
      io.cdap.cdap.security.tools.AuthenticationTool -g /auth/auth.key
  4. Create a k8s secret from the "auth.key" file.

    kubectl create secret generic cdap-auth --from-file=auth.key
  5. Add the secret to the CDAP YAML file to map it into the CDAP pods by adding a "secretVolumes" section (at the same level as other options, like "config").

    config:
      ....
    secretVolumes:
      cdap-auth: "/etc/cdap/auth"

Now, you can start CDAP with security enabled, without needing Zookeeper.
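
A pre-deployment check for the procedure above, as an added example that is not part of the CDAP documentation: it verifies that the values from step 1 are set and that the directory of security.data.keyfile.path is one of the "secretVolumes" mount paths from step 5. The function names are hypothetical, the sample config is constructed, and the awk parsing assumes the simple "key: value" layout shown on this page.

```shell
# Added example: consistency check for the settings in steps 1 and 5.
# Assumes the simple "key: value" layout shown above; not a full YAML parser.

cdap_yaml_value() {  # $1 = file, $2 = key; prints the unquoted value
  awk -v key="$2" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, key ":") == 1 {
      val = substr(line, length(key) + 2)
      sub(/[ \t]+#.*$/, "", val)                        # drop trailing comment
      sub(/^[ \t"]+/, "", val); sub(/[ \t"]+$/, "", val)
      print val; exit
    }' "$1"
}

cdap_secret_mounts() {  # $1 = file; prints one secretVolumes mount path per line
  awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    { rest = $0; sub(/^[ \t]+/, "", rest); indent = length($0) - length(rest) }
    inblock && indent <= base { inblock = 0 }           # block has ended
    inblock {
      val = rest; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+#.*$/, "", val)
      gsub(/"/, "", val); sub(/\/+$/, "", val); print val
    }
    index(rest, "secretVolumes:") == 1 { inblock = 1; base = indent }
  ' "$1"
}

check_cdap_auth_config() {  # $1 = CDAP YAML file; returns 0 when consistent
  f=$1; rc=0
  [ "$(cdap_yaml_value "$f" security.enabled)" = "true" ] ||
    { echo "security.enabled is not \"true\"" >&2; rc=1; }
  [ "$(cdap_yaml_value "$f" kerberos.auth.enabled)" = "false" ] ||
    { echo "kerberos.auth.enabled is not \"false\"" >&2; rc=1; }
  keyfile=$(cdap_yaml_value "$f" security.data.keyfile.path)
  [ -n "$keyfile" ] || { echo "security.data.keyfile.path is not set" >&2; return 1; }
  # The key file must sit directly inside a directory a secret is mounted on.
  cdap_secret_mounts "$f" | grep -qxF "$(dirname "$keyfile")" ||
    { echo "no secretVolumes entry mounts $(dirname "$keyfile")" >&2; rc=1; }
  return "$rc"
}

# Constructed sample: the secret is mounted on a different directory than the key path.
sample=$(mktemp)
printf '%s\n' 'config:' '  security.enabled: "true"' \
  '  security.data.keyfile.path: "/etc/cdap/auth/auth.key"' \
  '  kerberos.auth.enabled: "false"' \
  'secretVolumes:' '  cdap-auth: "/etc/cdap/secrets"' > "$sample"
check_cdap_auth_config "$sample" || echo "fix the CDAP YAML before deploying"
rm -f "$sample"
```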

...