CDAP internal identity is a new feature released as part of CDAP 6.6 which adds authn/z requirements to internal system services. When internal identity is enabled, administrators can expect to no longer receive authorization requests to their access enforcer extensions from internal principals.

Setup

CDAP must be configured with a shared secret file that all system services must have access to. To generate the shared secret file, use the AuthenticationTool:

docker run -it --rm \
--mount type=bind,source=$(pwd),target=/auth
gcr.io/cdapio/cdap:latest \
io.cdap.cdap.security.tools.AuthenticationTool -g /auth/auth.key

Next, ensure the key file (/auth/auth.key) is available to every system service. In Kubernetes, this can be done by creating a new secret and mounting it as a file in the pod:

kubectl create secret generic cdap-auth \
--from-file=auth.key

Alternatively, in distributed mode, other key managers (for example, the DistributedKeyManager leveraging ZooKeeper) can be used. However, the same key must be available to all system services or internal token verification will fail.

Required Configurations

The following table describes the required configurations for cdap-site.xml.