Security parameters (cdap-site.xml and cdap-default.xml)

| Parameter Name | Default Value | Description |
|---|---|---|
| cdap.master.kerberos.keytab | | The full path to the Kerberos keytab file containing the CDAP Master service's credentials. |
| security.authentication.mode | MANAGED | Determines the mode of authentication to use if security is enabled. Supported modes are MANAGED and PROXY. MANAGED mode uses a CDAP-managed authentication server and CDAP's own access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers. |
| security.authentication.propagate.user.credentials | false | Determines whether credentials in the Authorization header of requests are propagated from the request router to the rest of the backend handlers. Should be false unless the authorization extension requires the end-user credential to authorize users. |
| security.authentication.proxy.user.identity.header | CDAP-UserId | The header from which the user identity is extracted. This header must be provided for PROXY mode to function, and CDAP requires that it be set on all requests to the backend. |
| cdap.master.kerberos.principal | | The Kerberos principal used to log in to the CDAP Master service. Example: "CDAP_PRINCIPAL/_HOST@EXAMPLE.COM". Substitute the Kerberos primary (user) for CDAP_PRINCIPAL and your domain (Kerberos realm) for EXAMPLE.COM; the string "_HOST" is replaced with the local hostname. |
| cdap.ugi.cache.expiration.ms | 3600000 | UserGroupInformation cache entry expiration time in milliseconds. Only used when impersonation is enabled. |
| kerberos.auth.enabled | ${security.enabled} | Determines whether Kerberos authentication is enabled. |
| kerberos.auth.relogin.interval.seconds | 300 | Re-login interval in seconds for the Kerberos keytab. |
| security.auth.server.announce.urls | | Comma-separated list of CDAP Authentication service announce URLs, each in the format protocol://host:port. These are the URLs that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server. |
| security.auth.server.bind.address | 0.0.0.0 | CDAP Authentication service bind address. |
| security.auth.server.bind.port | 10009 | CDAP Authentication service bind port. |
| security.auth.server.ssl.bind.port | 10010 | CDAP Authentication service bind port for HTTPS. |
| security.authentication.basic.realmfile | | Username and password file to use when basic authentication is configured. |
| security.authentication.handlerClassName | | Name of the authentication implementation used to validate user credentials. |
| security.authentication.loginmodule.className | | JAAS LoginModule implementation to use when io.cdap.security.server.JAASAuthenticationHandler is configured as ${security.authentication.handlerClassName}. |
| security.authorization.cache.max.entries | 100000 | Number of entries to hold in the container authorization cache. If set to 0, no caching is performed. |
| security.authorization.extension.config.cache.max.entries | ${security.authorization.cache.max.entries} | Number of entries to hold in the container authorization cache. If set to 0, no caching is performed. |
| security.authorization.cache.ttl.secs | 300 | Time-to-live in seconds for entries in the authorization cache used by programs and system services outside of CDAP Master. |
| security.authorization.extension.config.cache.ttl.secs | ${security.authorization.cache.ttl.secs} | Time-to-live in seconds for entries in the authorization cache used by programs and system services outside of CDAP Master. |
| security.authorization.enabled | false | When set to true, all operations in CDAP are authorized using the authorizer implementation found at the path given by ${security.authorization.extension.jar.path}. |
| security.authorization.extension.jar.path | | If an external authorization system is used to authorize operations on CDAP entities, this property sets the path to the bundled JAR file containing the extension code. The JAR is only used when authorization is enabled by setting ${security.authorization.enabled} to true. |
| security.authorization.extension.operation.time.warn.threshold.ms | 5000 | The time taken by an authorization extension to perform an enforce operation is recorded and logged at TRACE level. This property sets the upper limit, in milliseconds, beyond which the time is logged at WARN level rather than TRACE. |
| security.data.keyfile.path | ${local.data.dir}/security/keyfile | Path to the secret key file (only used in CDAP Local Sandbox). |
| security.enabled | false | Determines whether authentication is enabled for CDAP; if true, all requests to CDAP must provide a valid access token. |
| security.keytab.path | | The location of the Kerberos keytabs used for impersonation. The location can contain ${name}, which is replaced by the short user name of the principal being impersonated. |
| security.realm | cdap | Authentication realm used for scoping security; this value should be unique for each installation of CDAP. |
| security.server.extended.token.expiration.ms | 604800000 | Admin tool access token expiration time in milliseconds; defaults to 1 week (internal). |
| security.server.maxthreads | 100 | Maximum number of threads that the CDAP Authentication service should use for handling HTTP requests. |
| security.server.token.expiration.ms | 86400000 | Access token expiration time in milliseconds; defaults to 24 hours. |
| security.store.file.name | securestore | Name of the secure store file. |
| security.store.extensions.dir | /opt/cdap/master/ext/securestores | Semicolon-separated list of local directories that are scanned for secure store extensions. |
| security.store.file.path | ${local.data.dir}/store | Location of the encrypted file that holds the secure store entries. |
| security.store.provider | none | Backend provider for the secure store. Values can be none (no secure store), kms (Hadoop KMS based store), or the name of a secure store extension. If the provider is set to file, the user must provide the password used to access the keystore; the password is set with the security.store.file.password property in cdap-security.xml. The KMS based provider is supported for Apache Hadoop 2.6.0 and above. |
| security.token.digest.algorithm | HmacSHA256 | Algorithm used for generating the MAC of access tokens. |
| security.token.digest.key.expiration.ms | 3600000 | Duration in milliseconds after which an active secret key used for signing tokens is retired. |
| security.token.digest.keylength | 128 | Key length used when generating the secret keys for the MAC of access tokens. |
| security.token.distributed.parent.znode | /${root.namespace}/security/auth | Parent node in ZooKeeper used for secret key distribution in Distributed CDAP. |
| ssl.external.enabled | false | Enable SSL for external services. |
| ssl.internal.enabled | false | Enable SSL between internal services. |
| ssl.internal.cert.path | | File path to the certificate and private key file in PEM format to use when ssl.internal.enabled is set to true. |
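The following cdap-site.xml fragment, added here as an illustration and not taken from the CDAP project, combines the parameters above into a hardened baseline: authentication, Kerberos login, authorization via an extension JAR, SSL on both external and internal paths, and a token lifetime shorter than the 24-hour default. The keytab, certificate and JAR paths are placeholders that must be replaced with the installation's own values.

```xml
<!-- Constructed example cdap-site.xml fragment (Hadoop-style property file); not CDAP project code -->
<configuration>
  <!-- Require a valid access token on every request (default: false) -->
  <property>
    <name>security.enabled</name>
    <value>true</value>
  </property>
  <!-- Kerberos identity of the CDAP Master; _HOST is expanded to the local hostname -->
  <property>
    <name>cdap.master.kerberos.principal</name>
    <value>cdap/_HOST@EXAMPLE.COM</value>
  </property>
  <property>
    <name>cdap.master.kerberos.keytab</name>
    <value>/PLACEHOLDER/path/to/cdap.keytab</value>
  </property>
  <!-- MANAGED: CDAP's own authentication server issues and validates tokens -->
  <property>
    <name>security.authentication.mode</name>
    <value>MANAGED</value>
  </property>
  <!-- Authorize every operation through the external authorizer packaged in this JAR -->
  <property>
    <name>security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>security.authorization.extension.jar.path</name>
    <value>/PLACEHOLDER/path/to/authorization-extension.jar</value>
  </property>
  <!-- Encrypt client-facing traffic and traffic between internal services -->
  <property>
    <name>ssl.external.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>ssl.internal.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>ssl.internal.cert.path</name>
    <value>/PLACEHOLDER/path/to/internal-cert-and-key.pem</value>
  </property>
  <!-- Expire access tokens after 1 hour instead of the 24-hour default (86400000 ms) -->
  <property>
    <name>security.server.token.expiration.ms</name>
    <value>3600000</value>
  </property>
</configuration>
```

Secrets such as security.store.file.password belong in cdap-security.xml rather than in this file, as the security.store.provider entry above notes.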

Created in 2020 by Google Inc.