CDAP Authentication Client for Java

The Authentication Client API can be used for fetching the access token from the CDAP authentication server to interact with a secure CDAP cluster.

Supported Actions

  • Check that authentication is enabled in the CDAP cluster.

  • Fetch an access token from the authentication server with credentials supported by the active authentication mechanism.

The default implementation of the authentication client—BasicAuthenticationClient—supports the default authentication mechanisms supported by CDAP:

  • Basic Authentication

  • LDAP

  • JASPI

Custom Authentication Mechanism

If CDAP is configured to use a custom authentication mechanism, a custom authentication client will have to be written to fetch the access token. The custom authentication clients needs to implement the AuthenticationClient interface. The AbstractAuthenticationClient class contains common functionality required by authentication clients, and can be extended by the custom authentication client. The custom authentication client has to be placed into the classpath of the application that needs to use it.

Build

To build the Authentication Client API jar, use:

mvn clean package

Usage

To use the Authentication Client API, include this Maven dependency in your project's pom.xml file:

<dependency> <groupId>io.cdap.cdap</groupId> <artifactId>cdap-authentication-client</artifactId> <version>{version}</version> </dependency>

Examples

Create an Authentication Client instance

String defaultAuthClientClass = "io.cdap.cdap.security.authentication.client.basic.BasicAuthenticationClient"; String authClientClassName = properties.getProperty("security.auth.client.class.name", defaultAuthClientClass); AuthenticationClient authenticationClient = (AuthenticationClient) Class.forName(authClientClassName).newInstance();

Creating an Authentication Client using a configuration parameter as shown above allows plugging in custom implementations of Authentication Client.

Set the CDAP connection information

  • hostname

  • port

  • boolean flag, true if SSL is enabled

Example:

This method should be called only once for every AuthenticationClient object.

Check if authentication is enabled in the CDAP cluster

Configure Authentication Client

If authentication is enabled, configure the Authentication Client with user credentials and other properties (this method should be called only once for every AuthenticationClient object):

Note:

  • The BasicAuthenticationClient requires these user credentials:

    • security.auth.client.username=username

    • security.auth.client.password=password

  • When SSL is enabled, to suspend certificate checks and allow self-signed certificates, set security.auth.client.verify.ssl.cert=false.

  • For non-interactive applications, user credentials will come from a configuration file.

  • For interactive applications, see the section “Interactive Applications” below on retrieving and using user credentials.

Retrieve the access token

Retrieve the access token for the user from the authentication server, and use it:

If there is an error while fetching the access token, an IOException will be thrown. The Authentication Client caches the access token until the token expires. It automatically re-fetches a new token upon expiry.

Interactive Applications

This example illustrates obtaining user credentials in an interactive application, and then configuring the Authentication Client with the retrieved credentials:

 

Created in 2020 by Google Inc.