{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Applications can need controlled access to sensitive data such as passphrases, cryptographic keys, access tokens, and passwords. This data is usually small in size, but needs to be stored and managed in a secure manner. ","type":"text"},{"text":"Secure Storage","type":"text","marks":[{"type":"em"}]},{"text":" allows users to store such sensitive information in a secure and encrypted manner. Data is encrypted upon submission to CDAP (via Microservices or programmatic APIs) and is decrypted upon retrieval.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Secure Storage Format","type":"text"}]},{"type":"paragraph","content":[{"text":"An entry in secure storage consists of:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Key","type":"text","marks":[{"type":"strong"}]},{"text":": An alias for the entry, also referred to as a secure key. Data is stored against the provided key and can be retrieved using the same key. Key must be of the ","type":"text"},{"text":"Alphanumeric Character Set","type":"text","marks":[{"type":"link","attrs":{"href":"https://cdap.atlassian.net/wiki/spaces/DOCS/pages/477593783/Supported+Characters"}}]},{"text":", contain ","type":"text"},{"text":"only lowercase","type":"text","marks":[{"type":"em"}]},{"text":" characters, and should start with a letter.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Data","type":"text","marks":[{"type":"strong"}]},{"text":": The data which is to be stored in a secure and encrypted manner. This could be a passphrase, cryptographic key, access token, or any other data that needs to be stored securely.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]},{"text":": A description for the secure store entry.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Properties","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"bb160ebf-0d4b-46c8-ba15-58604d8e595d"}},{"type":"strong"}]},{"text":": A string map of properties for the secure storage entry. A ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"bb160ebf-0d4b-46c8-ba15-58604d8e595d"}}]},{"text":"creationTime","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"bb160ebf-0d4b-46c8-ba15-58604d8e595d"}},{"type":"code"}]},{"text":" property is added for all secure store entries by default. Optionally, you can add additional properties (key-value pairs) to describe the secure storage entries.","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"bb160ebf-0d4b-46c8-ba15-58604d8e595d"}}]}]}]}]},{"type":"paragraph","content":[{"text":"CDAP provides two different implementations of secure storage, depending on the runtime:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"File-back secure storage (CDAP Sandbox and in-memory CDAP)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Hadoop Key Management Server-backed Secure Storage (Distributed CDAP)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"File-","type":"text"},{"text":"backed","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"f324beac-4795-4417-89cf-e0b57ed0033a"}}]},{"text":" Secure Storage","type":"text"}]},{"type":"paragraph","content":[{"text":"File-backed secure storage is available for use with ","type":"text"},{"text":"in-memory CDAP (unit-test)","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"15c6d088-4099-4bb8-994f-f7cdaa5250ab"}}]},{"text":" and CDAP Sandbox modes. It uses the ","type":"text"},{"text":"Sun JCEKS","type":"text","marks":[{"type":"link","attrs":{"href":"http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyManagement"}}]},{"text":" implementation for storing secure keys. This implementation is not available in Distributed CDAP because it stores the secure data in the local file system, and thus is not available on all nodes of a distributed cluster.","type":"text"}]},{"type":"paragraph","content":[{"text":"To use the file-backed secure storage mode, set these properties:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"cdap-site.xml","type":"text","marks":[{"type":"code"}]},{"text":", set ","type":"text"},{"text":"security.store.provider","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"file","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n security.store.provider\n file\n \n Backend provider for the secure store\n \n","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To protect the secure storage file, in ","type":"text"},{"text":"cdap-security.xml","type":"text","marks":[{"type":"code"}]},{"text":", set ","type":"text"},{"text":"security.store.file.password","type":"text","marks":[{"type":"code"}]},{"text":" to a password:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n security.store.file.password\n your password\n \n Password to access the key store\n \n","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You can also configure ","type":"text"},{"text":"the path and filename of the backing file in ","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"f69a2955-d597-4426-a884-a9cc8cfef539"}}]},{"text":"cdap-site.xml","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"f69a2955-d597-4426-a884-a9cc8cfef539"}},{"type":"code"}]},{"text":" by adding these optional settings","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"f69a2955-d597-4426-a884-a9cc8cfef539"}}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n security.store.file.path\n ${local.data.dir}/store\n \n Location of the encrypted file which holds the secure store entries\n \n\n\n\n security.store.file.name\n securestore\n \n Name of the secure store file\n \n","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Hadoop Key Management Server-backed Secure Storage","type":"text"}]},{"type":"paragraph","content":[{"text":"Hadoop KMS (Key Management Server)-backed","type":"text","marks":[{"type":"link","attrs":{"href":"https://hadoop.apache.org/docs/stable/hadoop-kms/index.html"}}]},{"text":" secure storage is available for use with Distributed CDAP.","type":"text"}]},{"type":"paragraph","content":[{"text":"To use this mode, set this property:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"cdap-site.xml","type":"text","marks":[{"type":"code"}]},{"text":", set ","type":"text"},{"text":"security.store.provider","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"kms","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n security.store.provider\n kms\n \n Backend provider for the secure store\n \n","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For additional information on integration with Hadoop KMS, see ","type":"text"},{"text":"Apache Hadoop Key Management Server (KMS)","type":"text","marks":[{"type":"link","attrs":{"href":"https://cdap.atlassian.net/wiki/spaces/DOCS/pages/480478212/Apache+Hadoop+Key+Management+Server+KMS"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Accessing the Secure Storage","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"Secure Storage Microservices","type":"text","marks":[{"type":"link","attrs":{"href":"https://cdap.atlassian.net/wiki/spaces/DOCS/pages/477790661/Security+HTTP+RESTful+API"}}]},{"text":" has endpoints for the management and creation, retrieval, and deletion of secure keys.","type":"text"}]}],"version":1}

Browser not supported