1. Key Management

2. Secure impersonation

3. Authorization of dataset and stream access

4. Authorization for listing and viewing entities

5. Ability to map a namespace to user-provided storage provider namespaces

6. Cross-namespace dataset access

7. Support long-running programs in secure (kerberos) mode

1. As a CDAP security admin, I want CDAP programs to be run as the user running the program, and not as the headless "cdap" user. (User Impersonation)

2. As a CDAP user, I would like to specify a user for a namespace and all program running in that namespace should be run as the specified user. (User Impersonation)

3. As a CDAP/Hydrator security admin, I want all sensitive information like passwords not be stored in plaintext. (Key Management)

4. As a CDAP security admin, I want all operations on datasets/streams to be governed by my configured authorization system. (Authorization)

5. As a CDAP security admin, I want list operations for all CDAP entities to only return entities that the logged-in user is authorized to view. (Authorization)

6. As a CDAP security admin, I want view operations for a CDAP entity to only succeed if the logged-in user is authorized to view that entity (Authorization)

7. As a CDAP user, I would like to specify the namespace in an underlying storage provider (e.g. HBase namespace, Hive database) to use for a particular CDAP namespace. (Namespaces)

8. As a CDAP admin, I want to allow users to access a dataset from a program in a different namespace, as long as the said user is authorized to access that dataset. (Namespaces)

9. As a CDAP user, I want to be able to run long running Mapreduce, Spark or Hive programs on a secure (kerberos-enabled) cluster.

Hue Integration

Namespace - Security 3.5

Authorization - CDAP 3.5

Secure Impersonation - Security 3.5