Configuring Proxy Authentication Mode

Starting in CDAP 6.4.0, CDAP supports a mode of authentication which happens in an upstream proxy as shown in the diagram below:

In this situation, all requests reaching the CDAP backend have already been authenticated by the proxy, which injects user identity information into HTTP request headers to propagate that identity to CDAP for authorization. In PROXY mode, CDAP itself performs no authentication; every request that reaches CDAP is implicitly trusted.

Background

The proxy may propagate two values, the User Identity and the User Credentials, to CDAP. CDAP creates a corresponding Principal object whose name is set directly to the User Identity and whose credentials are set to the User Credentials. The Principal is then used to pass this information to the user-provided authorization extension, which performs authorization enforcement via the Authorizer and AuthorizationEnforcer SPIs.

The User Identity is passed from the proxy to CDAP via a configurable header, whereas the User Credentials are passed to CDAP via the Authorization header. The User Identity is required for audit logging purposes and, as such, must be included on every request, whereas the User Credentials are optional.

Configuration

These are the additional configuration parameters, specified in cdap-site.xml, that are used when setting up proxy mode:

  • security.authentication.mode

  • security.authentication.proxy.user.identity.header

  • security.authentication.propagate.user.credentials

For more information about these parameters, see Security parameters (cdap-site.xml and cdap-default.xml).
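The following model, added here as an example and not taken from CDAP's own code, shows how the three cdap-site.xml parameters above drive the identity extraction described in the Background section: the User Identity is read from the configured header and is mandatory, while the User Credentials are read from the Authorization header only when propagation is enabled. The property values `PROXY` and `true`, the header name `X-Forwarded-User`, and the `Principal` class are this example's assumptions; the XML fragment is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed cdap-site.xml fragment using the three properties named on the page.
# The values are assumed for this example.
CDAP_SITE_XML = """<configuration>
  <property><name>security.authentication.mode</name><value>PROXY</value></property>
  <property><name>security.authentication.proxy.user.identity.header</name>
    <value>X-Forwarded-User</value></property>
  <property><name>security.authentication.propagate.user.credentials</name>
    <value>true</value></property>
</configuration>"""


def load_config(xml_text: str) -> Dict[str, str]:
    """Parse <property><name/><value/></property> entries into a dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): p.findtext("value").strip()
            for p in root.findall("property")}


@dataclass(frozen=True)
class Principal:
    """Hypothetical stand-in for the Principal CDAP hands to the authorizer."""
    name: str
    credentials: Optional[str]


def principal_from_headers(config: Dict[str, str], headers: Dict[str, str]) -> Principal:
    """Build the Principal for one request in PROXY mode.

    Raises ValueError when the identity header is absent, because the User
    Identity is required on every request for audit logging.
    """
    if config.get("security.authentication.mode") != "PROXY":
        raise ValueError("not in proxy authentication mode")
    identity_header = config["security.authentication.proxy.user.identity.header"]
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    identity = lowered.get(identity_header.lower())
    if not identity:
        raise ValueError(f"missing required identity header {identity_header}")
    credentials = None
    propagate = config.get("security.authentication.propagate.user.credentials", "false")
    if propagate.strip().lower() == "true":
        credentials = lowered.get("authorization")  # optional; may be absent
    return Principal(name=identity, credentials=credentials)
```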
Created in 2020 by Google Inc.