Security parameters (cdap-site.xml and cdap-default.xml)

Parameter Name	Default Value	Description

Parameter Name	Default Value	Description
`cdap.master.kerberos.keytab`		The full path to the Kerberos keytab file containing the CDAP Master service's credentials
`security.authentication.mode`	`MANAGED`	Determines the mode of authentication to use if security is enabled. Supported modes include MANAGED and PROXY. MANAGED mode supports a CDAP-managed authentication server and uses CDAP's access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers.
`security.authentication.propagate.user.credentials`	`false`	Determines whether credentials in the Authorization header of requests are propagated from the request router to the rest of the backend handlers. Should be false unless the authorization extension requires the end-user credential to authorize users.
`security.authentication.proxy.user.identity.header`	`CDAP-UserId`	The header to extract the user identity from. The user identity header must be provided for PROXY mode to function, and CDAP requires that the header must be set on all requests to the backend.
`cdap.master.kerberos.principal`		Example: "CDAP_PRINCIPAL/_HOST@EXAMPLE.COM". The Kerberos primary user that should be used to login to the CDAP Master service. Substitute the Kerberos primary (user) for CDAP_PRINCIPAL, and your domain for EXAMPLE.COM. The string "_HOST" will be substituted with the local hostname.
`cdap.ugi.cache.expiration.ms`	`3600000`	UserGroupInformation cache entry expiration time in milliseconds. It is only used when impersonation is enabled.
`kerberos.auth.enabled`	`${security.enabled}`	Determines if Kerberos authentication is enabled.
`kerberos.auth.relogin.interval.seconds`	`300`	Re-login interval in seconds for Kerberos keytab.
`security.auth.server.announce.urls`		CDAP Authentication service announce URL's separated by comma. Each URL is in the format of protocol://host:port. These are the URL's that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server.
`security.auth.server.bind.address`	`0.0.0.0`	CDAP Authentication service bind address.
`security.auth.server.bind.port`	`10009`	CDAP Authentication service bind port.
`security.auth.server.ssl.bind.port`	`10010`	CDAP Authentication service bind port for HTTPS.
`security.authentication.basic.realmfile`		Username and password file to use when basic authentication is configured.
`security.authentication.handlerClassName`		Name of the authentication implementation to use to validate user credentials.
`security.authentication.loginmodule.className`		JAAS LoginModule implementation to use when io.cdap.security.server.JAASAuthenticationHandler is configured for `${security.authentication.handlerClassName}`
`security.authorization.cache.max.entries`	`100000`	Number of entries to hold in the container authorization cache. If set to 0, no caching will be performed.
`security.authorization.extension.config.cache.max.entries`	`${security.authorization.cache.max.entries}`	Number of entries to hold in the container authorization cache. If set to 0, no caching will be performed.
`security.authorization.cache.ttl.secs`	`300`	The time-to-live in seconds for entries in the authorization cache used by programs and system services outside of CDAP Master.
`security.authorization.extension.config.cache.ttl.secs`	`${security.authorization.cache.ttl.secs}`	The time-to-live in seconds for entries in the authorization cache used by programs and system services outside of CDAP Master.
`security.authorization.enabled`	`false`	When set to true, all operations in CDAP are authorized using the authorizer implementation found at the property `${security.authorization.extension.jar.path}`
`security.authorization.extension.jar.path`		If an external authorization system is used for authorizing operations on CDAP entities, this property sets the path to the bundled JAR file containing the extension code. This jar is only used when authorization is enabled by setting `${security.authorization.enabled}` to true.
`security.authorization.extension.operation.time.warn.threshold.ms`	`5000`	Time taken by an authorization extension to perform an enforce operation is recorded and logged at TRACE level. This property sets the upper limit for the time taken by the extension in milliseconds after which it is logged at WARN level rather than TRACE.
`security.data.keyfile.path`	`${local.data.dir}/security/keyfile`	Path to the secret key file (only used in CDAP Local Sandbox).
`security.enabled`	`false`	Determines if authentication is enabled for CDAP; if true, all requests to CDAP must provide a valid access token.
`security.keytab.path`		The location of Kerberos keytabs used for impersonation. The location can contain `${name},` which will be replaced by the short user name of the principal being impersonated.
`security.realm`	`cdap`	Authentication realm used for scoping security; this value should be unique for each installation of CDAP.
`security.server.extended.token.expiration.ms`	`604800000`	Admin tool access token expiration time in milliseconds; defaults to 1 week (internal).
`security.server.maxthreads`	`100`	Maximum number of threads that the CDAP Authentication service should use for handling HTTP requests.
`security.server.token.expiration.ms`	`86400000`	Access token expiration time in milliseconds; defaults to 24 hours.
`security.store.file.name`	`securestore`	Name of the secure store file.
`security.store.extensions.dir`	`/opt/cdap/master/ext/securestores`	Semicolon-separated list of local directories that are scanned for secure store extensions.
`security.store.file.path`	`${local.data.dir}/store`	Location of the encrypted file which holds the secure store entries.
`security.store.provider`	`none`	Backend provider for the secure store. Values can be `none` if no secure store, `kms` for Hadoop KMS based store or name of the secure store extension. If the provider is set to `file`, then the user must provide the password to be used to access the keystore. The password can be set using `security.store.file.password` property in cdap-security.xml. KMS based provider is supported for Apache Hadoop 2.6.0 and above versions.
`security.token.digest.algorithm`	`HmacSHA256`	Algorithm used for generating MAC of access tokens.
`security.token.digest.key.expiration.ms`	`3600000`	Duration in milliseconds after which an active secret key used for signing tokens should be retired.
`security.token.digest.keylength`	`128`	Key length used in generating the secret keys for generating MAC of access tokens.
`security.token.distributed.parent.znode`	`/${root.namespace}/security/auth`	Parent node in ZooKeeper used for secret key distribution in Distributed CDAP.
`ssl.external.enabled`	`false`	Enable SSL for external services.
`ssl.internal.enabled`	`false`	Enable SSL between internal services.
`ssl.internal.cert.path`		File path to certificate and private key file in PEM format to use when ssl.internal.enabled is set to true.