Internal Security

CDAP internal identity is a new feature released as part of CDAP 6.6 which adds authn/z requirements to internal system services. When internal identity is enabled, administrators can expect to no longer receive authorization requests to their access enforcer extensions from internal principals.


CDAP must be configured with a shared secret file that all system services must have access to. To generate the shared secret file, use the AuthenticationTool:

docker run -it --rm \
--mount type=bind,source=$(pwd),target=/auth \ -g /auth/auth.key

Next, ensure the key file (/auth/auth.key) is available to every system service. In Kubernetes, this can be done by creating a new secret and mounting it as a file in the pod:

kubectl create secret generic cdap-auth \

Alternatively, in distributed mode, other key managers (for example, the DistributedKeyManager leveraging ZooKeeper) can be used. However, the same key must be available to all system services or internal token verification will fail.

Required Configurations

The following table describes the required configurations for cdap-site.xml.









Flag for enabling the internal identity feature.


The path to the key generated in the Setup step for FileBasedKeyManager.