Using Secure Store
Setting up the secure store
There are two providers that implement the SecureStore and SecureStoreManager interfaces:
- Hadoop KMS based backing store: Secure Store uses the KMS provider configured for the cluster (see Hadoop Key Management Server).
- File-based backing store: secure data is stored with a Java JCEKS based implementation.
To pick the provider, set the following property. Its value must be either kms (Hadoop KMS based provider) or file (Java JCEKS based provider), written without quotes.
The file-based provider is supported in the InMemory and Standalone modes, while the Hadoop KMS based provider is supported in Distributed mode.
To use secure store in distributed mode:
<property>
  <name>security.store.provider</name>
  <value>kms</value>
  <description>
    Backend provider for the secure store
  </description>
</property>
To use secure store in standalone mode:
<property>
  <name>security.store.provider</name>
  <value>file</value>
  <description>
    Backend provider for the secure store
  </description>
</property>
If using the Hadoop KMS based provider, then /etc/hadoop/kms-acls.xml needs to be updated to include users with appropriate permissions. For more details on how to edit that file please look at Hadoop Key Management Server.
If using the file-based provider, the password that controls access to the file needs to be set. To set the password, add the following property to your cdap-security.xml. The file (cdap-security.xml) needs to be created if it is not already present.
<property>
  <name>security.store.file.password</name>
  <value>your password</value>
  <description>
    Password to access the key store
  </description>
</property>
If the file-based provider is selected, the path and the filename of the backing file can also be configured; both settings are optional.
<property>
  <name>security.store.file.path</name>
  <value>${local.data.dir}/store</value>
  <description>
    Location of the encrypted file which holds the secure store entries
  </description>
</property>
and
<property>
  <name>security.store.file.name</name>
  <value>securestore</value>
  <description>
    Name of the secure store file
  </description>
</property>
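A small checker for the settings described above, added here as an example (it is not part of CDAP): it parses a cdap-security.xml, confirms that security.store.provider is kms or file, that the file provider has a real password rather than the "your password" placeholder, and that the chosen provider matches the CDAP mode. The sample documents and the mode names passed in are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample cdap-security.xml documents (not taken from any real
# deployment). The first one deliberately keeps the placeholder password
# from the docs so the checker has something to flag.
SAMPLE_FILE_PROVIDER = """<configuration>
  <property><name>security.store.provider</name><value>file</value></property>
  <property><name>security.store.file.password</name><value>your password</value></property>
  <property><name>security.store.file.path</name><value>${local.data.dir}/store</value></property>
</configuration>"""

SAMPLE_KMS_PROVIDER = """<configuration>
  <property><name>security.store.provider</name><value>kms</value></property>
</configuration>"""

VALID_PROVIDERS = {"kms", "file"}
PLACEHOLDER_PASSWORDS = {"", "your password"}


def parse_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def check_secure_store(xml_text, mode):
    """Return a list of findings for a cdap-security.xml, given the CDAP run
    mode as one of "inmemory", "standalone" or "distributed" (assumed names)."""
    props = parse_properties(xml_text)
    findings = []
    provider = props.get("security.store.provider")
    if provider is None:
        return ["security.store.provider is not set"]
    if provider not in VALID_PROVIDERS:
        return ["security.store.provider must be 'kms' or 'file', got %r" % provider]
    if provider == "file":
        if mode == "distributed":
            findings.append("file provider is only supported in InMemory/Standalone modes")
        password = props.get("security.store.file.password")
        if password is None:
            findings.append("security.store.file.password must be set for the file provider")
        elif password in PLACEHOLDER_PASSWORDS:
            findings.append("security.store.file.password is empty or still the placeholder")
    elif mode != "distributed":
        findings.append("kms provider is only supported in distributed mode")
    return findings
```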
Accessing the store
There are two APIs that enable writing to and reading from the store.
SecureStore provides methods to read the data stored in the secure store and SecureStoreManager provides methods to write to the secure store.
To see the available APIs, please look at the Secure Store design doc.
Created in 2020 by Google Inc.