Internal Security
CDAP internal identity is a new feature released as part of CDAP 6.6 that adds authn/z requirements to internal system services. When internal identity is enabled, administrators will no longer receive authorization requests from internal principals at their access enforcer extensions.
Setup
CDAP must be configured with a shared secret file that all system services must have access to. To generate the shared secret file, use the AuthenticationTool:
```shell
docker run -it --rm \
  --mount type=bind,source=$(pwd),target=/auth \
  gcr.io/cdapio/cdap:latest \
  io.cdap.cdap.security.tools.AuthenticationTool -g /auth/auth.key
```
Next, ensure the key file (/auth/auth.key) is available to every system service. In Kubernetes, this can be done by creating a new secret and mounting it as a file in the pod:
```shell
kubectl create secret generic cdap-auth \
  --from-file=auth.key
```
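As an added illustration (not from the CDAP documentation or project), the following pod spec fragment mounts the cdap-auth secret created above so that the service sees it as /auth/auth.key, read-only and with a restrictive file mode; the pod, container and fsGroup values are placeholders to adapt to each CDAP system service.

```yaml
# Added example, not part of the CDAP docs: mount the cdap-auth secret as /auth/auth.key.
# Pod name, container name and fsGroup are placeholders; apply the same volume and
# mount to every CDAP system service so that all of them read the identical key.
apiVersion: v1
kind: Pod
metadata:
  name: cdap-system-service-example     # placeholder
spec:
  securityContext:
    runAsNonRoot: true
    fsGroup: 1000                        # placeholder; lets the non-root service read the key
  containers:
    - name: cdap                         # placeholder container name
      image: gcr.io/cdapio/cdap:latest   # image from the Setup step
      volumeMounts:
        - name: cdap-auth
          mountPath: /auth               # the key appears as /auth/auth.key
          readOnly: true                 # services only need to read the key
  volumes:
    - name: cdap-auth
      secret:
        secretName: cdap-auth            # secret created with kubectl above
        defaultMode: 0440                # owner/group read only; not world-readable
        items:
          - key: auth.key                # --from-file=auth.key sets this key name
            path: auth.key
```

After rollout, confirm every service pod reads the same key (for example by comparing the output of `sha256sum /auth/auth.key` across pods), because a mismatched key makes internal token verification fail.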
Alternatively, in distributed mode, other key managers (for example, the DistributedKeyManager leveraging ZooKeeper) can be used. However, the same key must be available to all system services or internal token verification will fail.
Required Configurations
The following table describes the required configurations for cdap-site.xml.
| Property | Value | Description |
|---|---|---|
| | | Flag for enabling the internal identity feature. |
| | | The path to the key generated in the Setup step for FileBasedKeyManager. |
Created in 2020 by Google Inc.