Enabling Authorization

To enable authorization in Distributed CDAP, add these properties to cdap-site.xml:

| Parameter | Value |
| --- | --- |
| security.authorization.enabled | true |
| security.authorization.extension.jar.path | Absolute path of the JAR file to be used as the authorization extension. This file must be present on the local file system of the CDAP Master. In an HA environment, it must be present on the local file system of all CDAP Master hosts. |
| security.authorization.extension.extra.classpath (Optional) | Extra classpath for the security extension. |

Authorization in CDAP only takes effect once perimeter security is also enabled by setting security.enabled to true. Additionally, Kerberos must be enabled on the cluster and for CDAP by setting kerberos.auth.enabled to true since CDAP Authorization depends on Kerberos.

These additional, optional properties can also be modified to configure authorization:

  • security.authorization.cache.max.entries

  • security.authorization.cache.ttl.secs

For more information on these configuration settings, see cdap-defaults.xml.

Authorization in CDAP is implemented as authorization extensions. Apart from the above configuration settings, an extension may require additional properties to be configured. See the documentation on individual extensions for configuring properties specific to that extension.

Security extension properties, which are specified in cdap-site.xml, begin with the prefix security.authorization.extension.config.
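The following script is an added example, not part of the CDAP documentation or of the CDAP code base. It shows the Hadoop-style property syntax that cdap-site.xml uses and applies the rules stated above as a pre-flight check: authorization switched on without perimeter security or Kerberos, a missing or relative extension JAR path, and a JAR that is absent from the local host are all reported, and the extension-specific properties (prefix security.authorization.extension.config.) are collected for inspection. The sample cdap-site.xml, the JAR path and the extension setting name in it are constructed for illustration.

```python
"""Pre-flight check of authorization settings in a cdap-site.xml.

Added example (not CDAP project code). Parses the Hadoop-style
<configuration>/<property> format used by cdap-site.xml and checks the
prerequisites described in the documentation text above.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: authorization is enabled, but neither perimeter
# security (security.enabled) nor Kerberos is, so the check must complain.
SAMPLE_CDAP_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>security.authorization.extension.jar.path</name>
    <value>/opt/cdap/security/authorization-extension.jar</value>
  </property>
  <property>
    <name>security.authorization.extension.config.example.setting</name>
    <value>some-value</value>
  </property>
  <property>
    <name>kerberos.auth.enabled</name>
    <value>false</value>
  </property>
</configuration>
"""

# Prefix under which extension-specific properties are placed (from the text above).
EXTENSION_PREFIX = "security.authorization.extension.config."


def parse_cdap_site(xml_text):
    """Return {name: value} for every <property> element in the document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value", default="")
        if name:
            props[name.strip()] = value.strip()
    return props


def is_true(props, key):
    """Hadoop-style booleans are the strings 'true'/'false'; missing means false."""
    return props.get(key, "false").lower() == "true"


def extension_config(props):
    """Properties handed to the authorization extension, with the prefix stripped."""
    return {k[len(EXTENSION_PREFIX):]: v
            for k, v in props.items() if k.startswith(EXTENSION_PREFIX)}


def check_authorization(props, path_exists=os.path.isfile):
    """Return a list of problems; an empty list means authorization will take effect.

    path_exists is injectable so the check can run on a config copied from
    another CDAP Master host, where the JAR is not available locally.
    """
    problems = []
    if not is_true(props, "security.authorization.enabled"):
        return problems  # authorization is off; the other settings are irrelevant
    if not is_true(props, "security.enabled"):
        problems.append("security.authorization.enabled=true but security.enabled is not true: "
                        "authorization has no effect without perimeter security")
    if not is_true(props, "kerberos.auth.enabled"):
        problems.append("kerberos.auth.enabled must be true: CDAP authorization depends on Kerberos")
    jar = props.get("security.authorization.extension.jar.path", "")
    if not jar:
        problems.append("security.authorization.extension.jar.path is not set")
    elif not os.path.isabs(jar):
        problems.append("security.authorization.extension.jar.path must be absolute: %r" % jar)
    elif not path_exists(jar):
        problems.append("extension JAR not found on this host (needed on every CDAP Master): %r" % jar)
    return problems


if __name__ == "__main__":
    cfg = parse_cdap_site(SAMPLE_CDAP_SITE)
    # path_exists is stubbed here because the sample JAR path is constructed.
    for problem in check_authorization(cfg, path_exists=lambda p: True):
        print("PROBLEM:", problem)
    print("extension config:", extension_config(cfg))
```

Run it against the real file with `parse_cdap_site(open("/etc/cdap/conf/cdap-site.xml").read())` (path assumed; use your installation's conf directory) and the default `path_exists`, so that the JAR presence check runs on each CDAP Master host.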

When CDAP is first started with authorization enabled, no users are granted privileges on any CDAP entities. Without any privileges, CDAP will not be able to create the default namespace. To create the default namespace, grant ADMIN on the default namespace to the CDAP master user. The default namespace will then be created automatically within several minutes.

Created in 2020 by Google Inc.