CDAP internal identity is a new feature released as part of CDAP 6.6 that adds authentication and authorization (authn/z) requirements to internal system services. When internal identity is enabled, administrators' access enforcer extensions no longer receive authorization requests from internal principals.
CDAP must be configured with a shared secret file that all system services can access. To generate the shared secret file, use the AuthenticationTool:
Alternatively, in distributed mode, other key managers (for example, the DistributedKeyManager leveraging ZooKeeper) can be used. However, the same key must be available to all system services or internal token verification will fail.
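The failure mode described above, shown as an added example that is not CDAP code: a simplified Python model of shared-key token verification between two services. The HMAC-SHA256 token layout, the function names and the principal name are assumptions for illustration and do not reflect CDAP's actual token format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def issue_token(key: bytes, principal: str, ttl_s: int = 300,
                now: Optional[float] = None) -> str:
    """Issuing service: sign the principal and an expiry with the shared key."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": principal, "exp": int(now) + ttl_s},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(key: bytes, token: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Verifying service: return the principal, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a service holding a different key fails here.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:  # expired tokens are rejected even with the right key
        return None
    return claims["sub"]


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)    # key distributed to every service
    stray_key = secrets.token_bytes(32)     # a service started with a different key
    token = issue_token(shared_key, "system-service")  # constructed principal name
    print("same key:     ", verify_token(shared_key, token))
    print("different key:", verify_token(stray_key, token))
```

A service that loads a different key rejects every internal token, which is indistinguishable at this layer from a forged token, so key distribution problems show up as authentication failures between system services.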
The following table describes the required configurations for cdap-site.xml.
Flag for enabling the internal identity feature.
The path to the key generated in the Setup step for FileBasedKeyManager.