
Cask Data Application Platform (CDAP) supports securing clusters using perimeter security. With perimeter security, cluster nodes can communicate with each other, but outside clients can only communicate with the cluster through a secured host.

When CDAP security is enabled, the CDAP authentication server issues credentials (access tokens) to authenticated clients. Clients then send these credentials with each request to CDAP. Only calls carrying a valid access token are accepted; requests from unauthenticated clients are rejected. In addition, access logging can be enabled in CDAP to provide an audit log of all operations.
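The token flow described above, as an added example that is not CDAP's own code: a simulated authentication server mints an HMAC-signed bearer token for an already-authenticated user, the request handler accepts only requests that carry a valid, unexpired token, and every accept or reject decision is appended to an audit log. The token layout, signing key, header name, request paths and user names are all constructed for this illustration; CDAP's actual token format and endpoints are covered under Client Authentication.

```python
"""Token-based authentication with an audit log.

Added illustration of the model described on this page, not CDAP's own token
format or code. The token layout (base64 payload + HMAC-SHA256 tag), the
signing key, the header name and the sample users are all constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed signing key shared by the simulated authentication server and the
# request handler; a real deployment would load this from a protected key store.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Authentication-server side: mint a token for an authenticated user."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now) + TOKEN_TTL_SECONDS}).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username, or None if the token is malformed, tampered or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def handle_request(headers: Dict[str, str], method: str, path: str,
                   audit_log: List[dict], now: Optional[float] = None) -> Tuple[int, str]:
    """Server side: reject calls without a valid token and record every decision."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = validate_token(token, now) if token else None
    status = 200 if user else 401
    audit_log.append({
        "ts": int(time.time() if now is None else now),
        "user": user or "<unauthenticated>",
        "method": method,
        "path": path,
        "status": status,
    })
    if user is None:
        return 401, "access token missing or invalid"
    return 200, f"ok ({user})"


def demo() -> List[dict]:
    """Run four constructed requests (valid, missing, forged, expired); return the audit log."""
    log: List[dict] = []
    t0 = 1_700_000_000.0
    good = issue_token("alice", now=t0)
    # Forgery attempt: a different subject spliced onto alice's authentic tag.
    _, tag_b64 = good.split(".")
    forged_payload = _b64(json.dumps({"sub": "mallory", "exp": int(t0) + TOKEN_TTL_SECONDS}).encode())
    forged = f"{forged_payload}.{tag_b64}"
    path = "/v3/namespaces"  # constructed path for the illustration
    handle_request({"Authorization": f"Bearer {good}"}, "GET", path, log, now=t0 + 5)
    handle_request({}, "GET", path, log, now=t0 + 6)
    handle_request({"Authorization": f"Bearer {forged}"}, "GET", path, log, now=t0 + 7)
    handle_request({"Authorization": f"Bearer {good}"}, "GET", path, log, now=t0 + TOKEN_TTL_SECONDS + 1)
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit entries record the authenticated principal (or a marker for unauthenticated callers), the operation and the outcome, which is the minimum a reviewer needs to reconstruct who did what; rejected calls are logged as well, since a burst of 401s is itself a signal worth alerting on.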

Configuring Security

Security configuration is covered in the Security section.

Client Authentication

Client Authentication covers:

  • Authentication Process

  • Supported Authentication Mechanisms

  • Obtaining an Access Token

  • Authentication with RESTful Endpoints

Authentication Client Libraries

Two authentication client libraries are included with CDAP:

  • CDAP Authentication Client for Java

  • CDAP Authentication Client for Python

Custom Authentication

If the standard authentication mechanisms are not sufficient, you can provide a custom authentication mechanism.

Authorization Extensions

Authorization backends for CDAP are implemented as extensions. Each extension runs in its own isolated classloader, so its dependencies cannot conflict with the system classloader of CDAP Master.

Impersonation

Impersonation allows users to run programs and access datasets and other resources as a pre-configured user (a principal). Currently, CDAP supports configuring impersonation at the namespace level and at the application level; application-level configuration takes precedence over namespace-level configuration.

If impersonation is enabled and you do not specify a principal for an application or dataset, the namespace owner's principal is used. If there is no namespace owner, or you are using the default namespace, the default principal is used (the one set by the properties cdap.master.kerberos.keytab and cdap.master.kerberos.principal in cdap-site.xml).
