Authorization Extensions
Authorization backends in CDAP are implemented as extensions, and are loaded and executed in their own Java classloader.
The reason for implementing them as extensions is that a variety of existing authorization systems can then be plugged into CDAP, and can execute using their own classloader without having to worry about conflicts with CDAP's system classloader. Each authorization extension is designed to be a fully self-contained JAR file, packaged with the required versions of all its dependencies.
This is similar to how CDAP applications are packaged. Having the required dependencies loaded from a separate class loader constructed using the provided JAR file ensures that there will be no conflicts, even if CDAP itself uses a different version of the library than the one that the extension requires.
Writing Your Own Authorization Extension
CDAP provides an authorization SPI (Service Provider Interface) for users to implement their own authorization extensions. To implement an authorization extension:
Create a Maven project using the CDAP Application Archetype, as described in Creating an Application.
Implement your authorization extension by extending the AbstractAuthorizer class.
This class must be specified as the Main-Class attribute in the extension JAR's manifest file. This will be done automatically if you specify the app.main.class property to be the fully qualified class name in the pom.xml of the Maven project generated using the archetype.
The class that extends AbstractAuthorizer must have a default constructor, as that default constructor is the one that will be invoked by CDAP.
All dependencies of the class must be packaged within the JAR file containing the authorizer class. This is also done automatically by the CDAP Application Archetype.
The AbstractAuthorizer class provides lifecycle methods for authorization extensions. Any initialization code should be implemented by overriding the initialize method. Cleanup code should be implemented by overriding the destroy method.
The initialize method provides an AuthorizationContext object. This object can be used to obtain access to—and perform admin operations on—CDAP Datasets and Secure Keys.
If the authorization extension requires configuration parameters, they are provided in the AuthorizationContext object as a Java Properties object via the getProperties method. The Properties object is populated with configuration parameters from cdap-site.xml with the prefix security.authorization.extension.config.
Note: In the Properties object, these configuration parameters are available with the security.authorization.extension.config prefix removed. For example: security.authorization.extension.config.example.property in the cdap-site.xml will be available as example.property in the Properties object.
Created in 2020 by Google Inc.