Platform Security
CDAP supports securing clusters using perimeter security. With perimeter security, cluster nodes can communicate with each other, but outside clients can only communicate with the cluster through a secured host.
With CDAP security enabled, the CDAP authentication server issues credentials (access tokens) to authenticated clients. Clients then send these credentials with their requests to CDAP. Only calls with valid access tokens are accepted; requests from unauthenticated clients are rejected. In addition, access logging can be enabled in CDAP to provide an audit log of all operations.
Configuring Security
Security configuration is covered in the Security section.
Client Authentication
Client Authentication covers:
Authentication Process
Supported Authentication Mechanisms
Obtaining an Access Token
Authentication with RESTful Endpoints
Authentication Client Libraries
Two authentication client libraries are included with CDAP:
CDAP Authentication Client for Java
CDAP Authentication Client for Python
Custom Authentication
If the standard authentication mechanisms are not sufficient, you can provide a custom authentication mechanism.
Authorization Extensions
Authorization Extensions: Authorization backends for CDAP are implemented as extensions. Extensions run in their own, isolated classloader so that there are no conflicts with the system classloader of CDAP Master.
Impersonation
Impersonation allows users to run programs and access datasets and other resources as a pre-configured user (a principal). Currently, CDAP supports configuring impersonation at the namespace level and at the application level, with application-level configuration taking precedence over namespace-level configuration.
If impersonation is enabled and you don't specify a principal for an application or dataset, then the namespace owner's principal is used. If there is no namespace owner or you are using the default namespace, then the default principal is used (as set by the properties cdap.master.kerberos.keytab and cdap.master.kerberos.principal in the cdap-site.xml).
Created in 2020 by Google Inc.