Follow the instructions below to enable perimeter security, either for CDAP Sandbox or Distributed CDAP. Client authentication, once security has been enabled, is described in Client Authentication.
To enable security in CDAP Sandbox, add these properties to cdap-site.xml:

Property | Value | Description
---|---|---
 | | Enables authentication for CDAP. When set to
 | | Determines the mode of authentication to use if security is enabled. Supported modes are MANAGED and PROXY. MANAGED mode uses a CDAP-managed authentication server and CDAP's access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers.
 | | CDAP Authentication service announce URLs, separated by commas. Each URL is in the format of These are the URLs that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server.
 | | IP address that the CDAP Authentication Server should bind to (default value shown).
 | | CDAP Authentication service bind port (default value shown).
Next, Client Authentication needs to be configured, as described in Configuring Authentication Mechanisms. With CDAP Sandbox, the simplest is basic authentication.
To enable security in Distributed CDAP, add these properties to cdap-site.xml:

Property | Value | Description
---|---|---
 | | Enables authentication for CDAP. When set to
 | | Determines the mode of authentication to use if security is enabled. Supported modes are MANAGED and PROXY. MANAGED mode uses a CDAP-managed authentication server and CDAP's access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers.
 | | CDAP Authentication service announce URLs, separated by commas. Each URL is in the format of These are the URLs that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server.
 | | IP address that the CDAP Authentication Server should bind to (default value shown).
 | | CDAP Authentication service bind port (default value shown).
To configure Kerberos authentication for the various CDAP services, add these properties to cdap-site.xml:

Property | Value | Description
---|---|---
 | |
 | | Kerberos keytab file path, either absolute or relative.
 | | Kerberos principal associated with the keytab.
To configure ZooKeeper to enable SASL authentication, add the following to your zoo.cfg:

```properties
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
```

This lets ZooKeeper use the SASLAuthenticationProvider as an auth provider, and the jaasLoginRenew line (a value in milliseconds, so 3600000 is one hour) causes the ZooKeeper server to renew its Kerberos ticket once an hour.
Then, create a jaas.conf file for your ZooKeeper server:

```
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="<your-zookeeper-principal>";
};
```

The keytab file must be readable by the ZooKeeper server, and <your-zookeeper-principal> must correspond to the keytab file.

Finally, start the ZooKeeper server with the following JVM option:

```
-Djava.security.auth.login.config=/path/to/jaas.conf
```
To enable running the CDAP Router with SSL, add this property to cdap-site.xml:

Property | Value | Description
---|---|---
 | |
Without SSL, unless set specifically, these properties have the following default values:

Property | Default Value | Description
---|---|---
 | | Port number that the CDAP Router should bind to for HTTP connections.
 | | Port number that the CDAP Authentication Server should bind to for HTTP connections.
 | | Port number that the CDAP UI should bind to for HTTP connections.
With SSL, unless set specifically, these properties have the following default values:

Property | Default Value | Description
---|---|---
 | | Port number that the CDAP Router should bind to for HTTPS connections.
 | | Port number that the CDAP Authentication Server should bind to for HTTPS connections.
 | | Port number that the CDAP UI should bind to for HTTPS connections.
To configure the granting of AccessTokens via SSL, add these properties to cdap-security.xml:

Property | Value | Description
---|---|---
 | | Keystore file location, either absolute or relative. The file should be owned and readable only by the CDAP user.
 | | Keystore password
 | | Keystore key password
 | | Keystore file type (default
To configure client-certificate-based authentication via 2-way SSL, add these properties to cdap-site.xml:

Property | Value | Description
---|---|---
 | | Truststore file location, either absolute or relative. The file should be owned and readable only by the CDAP user.
 | | Keystore password
 | | Keystore file type (default
To configure SSL for the Router, add these properties to cdap-security.xml:

Property | Value | Description
---|---|---
 | | Keystore file location, either absolute or relative. The file should be owned and readable only by the CDAP user.
 | | Keystore password
 | | Keystore key password
 | | Keystore file type (default
To enable SSL for the CDAP UI, add these properties to cdap-security.xml:

Property | Value | Description
---|---|---
 | | SSL cert file location, either absolute or relative. The file should be owned and readable only by the CDAP user.
 | | SSL key file location, either absolute or relative. The file should be owned and readable only by the CDAP user.
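The keystore, truststore, certificate and key tables above all require the file to be owned and readable only by the CDAP user. The following check is an added example, not part of the CDAP documentation, that verifies exactly that for each path you hand it; the function names and the `cdap` service user in the usage comment are assumptions.

```shell
#!/bin/sh
# Example (not the project's own code): verify that secret files referenced
# from cdap-security.xml are owned by the CDAP user and readable by nobody else.

# file_mode <path> : octal permission bits; GNU stat first, BSD stat as fallback
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_private_file <path> <owner> : 0 when <path> is a regular file owned
# by <owner> with no group/other bits at all (e.g. 600 or 400), else 1
check_private_file() {
  f=$1; owner=$2
  if [ ! -f "$f" ]; then
    echo "$f: missing or not a regular file" >&2; return 1
  fi
  # POSIX find -user avoids the GNU/BSD difference in stat's owner format
  if [ -z "$(find "$f" -user "$owner" -print 2>/dev/null)" ]; then
    echo "$f: not owned by $owner" >&2; return 1
  fi
  mode=$(file_mode "$f")
  case $mode in
    *00) ;;   # last two octal digits 00: group and other have no access
    *) echo "$f: mode $mode grants access beyond the owner" >&2; return 1 ;;
  esac
  return 0
}

# check_private_files <owner> <path>... : report each file, fail if any is wrong
check_private_files() {
  owner=$1; shift; rc=0
  for p in "$@"; do
    if check_private_file "$p" "$owner"; then echo "$p: OK"; else rc=1; fi
  done
  return $rc
}

# Typical call, using the paths you configured in cdap-security.xml (assumed):
# check_private_files cdap /etc/cdap/conf/keystore.jks /etc/cdap/conf/ui.key
```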
Note: To enable SSL for the CDAP UI and allow self-signed certificates, add this property to cdap-site.xml:

Property | Value | Description
---|---|---
 | |
To enable access logging, add the following to logback.xml (typically under /etc/cdap/conf/):

```xml
<appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <file>access.log</file>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>access.log.%d{yyyy-MM-dd}</fileNamePattern>
    <maxHistory>30</maxHistory>
  </rollingPolicy>
  <encoder>
    <pattern>%msg%n</pattern>
  </encoder>
</appender>
<logger name="http-access" level="TRACE" additivity="false">
  <appender-ref ref="AUDIT" />
</logger>

<appender name="EXTERNAL_AUTH_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <file>external_auth_access.log</file>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>external_auth_access.log.%d{yyyy-MM-dd}</fileNamePattern>
    <maxHistory>30</maxHistory>
  </rollingPolicy>
  <encoder>
    <pattern>%msg%n</pattern>
  </encoder>
</appender>
<logger name="external-auth-access" level="TRACE" additivity="false">
  <appender-ref ref="EXTERNAL_AUTH_AUDIT" />
</logger>
```

You may also change the file being logged to by editing the path under <file>...</file>.