Cask Data Application Platform (CDAP) supports securing clusters using various mechanisms such as Perimeter Security, Authorization, Impersonation, Enabling SSL for System Services, and Secure Storage. This section covers how to set up these security mechanisms on a secure CDAP instance.

Additional security information, including client APIs, the authentication process, developing authorization extensions, and authorization policies, is covered in Platform Security.

We recommend that CDAP security always be used in conjunction with a secure Hadoop cluster. Where secure Hadoop is not or cannot be used, the cluster is inherently insecure and any applications running on it are effectively "trusted". Perimeter security, authorization enforcement, and secure storage still add value in that situation, but whenever possible a secure Hadoop cluster should be employed together with CDAP security.

CDAP Security is configured in the files cdap-site.xml and cdap-security.xml:

  • cdap-site.xml has non-sensitive information, such as the type of authentication, authorization, and secure storage mechanisms, and their configuration.

  • cdap-security.xml is used to store sensitive information such as keystore passwords and SSL certificate keys. It should be owned and readable only by the CDAP user.

These files are shown in Appendix: cdap-site.xml, cdap-default.xml, and Appendix: cdap-security.xml.
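Because cdap-security.xml holds keystore passwords and certificate keys, the ownership and permission requirement above is worth checking on every node. The following POSIX shell function is an added example, not part of the CDAP documentation or distribution; the path /etc/cdap/conf/cdap-security.xml and the user name cdap are assumptions that depend on your installation.

```shell
#!/bin/sh
# Added example: verify that a secrets file (e.g. cdap-security.xml) is owned by the
# expected user and is not readable or writable by its group or by others.
# Returns 0 when the file passes, 1 otherwise, and prints the reason on failure.
check_secrets_file() {
    file=$1
    expected_owner=$2

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi

    # Owner name and octal mode: GNU stat first, BSD/macOS stat as a fallback.
    owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")

    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file is owned by '$owner', expected '$expected_owner'"
        return 1
    fi

    # The last two octal digits are the group and other permission bits;
    # both must be zero so that only the owner (and root) can read the secrets.
    case "$mode" in
        *00) ;;
        *)
            echo "FAIL: $file has mode $mode; group/other bits must be 0 (e.g. 600 or 400)"
            return 1
            ;;
    esac

    echo "OK: $file is owned by $owner with mode $mode"
    return 0
}

# Stand-alone usage (assumed path and user; adjust to your installation):
#   sh check_secrets_file.sh /etc/cdap/conf/cdap-security.xml cdap
if [ "$#" -eq 2 ]; then
    check_secrets_file "$1" "$2"
fi
```

The same check applies to any file that cdap-security.xml points at, such as the keystore itself, so run it over each of those paths as well.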

File paths shown in this section are either absolute paths or, in the case of CDAP Sandbox, can be relative to the CDAP Sandbox installation directory.

Created in 2020 by Google Inc.