Enabling Perimeter Security

Follow the instructions below to enable perimeter security, either for CDAP Sandbox or Distributed CDAP. Client authentication, once security has been enabled, is described in Client Authentication.

Enabling Perimeter Security (CDAP Sandbox)

To enable security in CDAP Sandbox, add these properties to cdap-site.xml:

| Property | Value | Description |
|---|---|---|
| security.enabled | true | Enables authentication for CDAP. When set to true, all requests to CDAP must provide a valid access token. |
| security.authentication.mode | MANAGED | Determines the mode of authentication to use if security is enabled. Supported modes are MANAGED and PROXY. MANAGED mode uses a CDAP-managed authentication server and CDAP's access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers. |
| security.auth.server.announce.urls | (empty) | Comma-separated list of CDAP Authentication service announce URLs, each in the format protocol://host:port. These are the URLs that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server. |
| security.auth.server.bind.address | 0.0.0.0 | IP address that the CDAP Authentication Server should bind to (default value shown). |
| security.auth.server.bind.port | 10009 | CDAP Authentication service bind port (default value shown). |

Next, client authentication needs to be configured, as described in Configuring Authentication Mechanisms. With CDAP Sandbox, the simplest option is basic authentication.

Enabling Perimeter Security (Distributed CDAP)

To enable security in Distributed CDAP, add these properties to cdap-site.xml:

| Property | Value | Description |
|---|---|---|
| security.enabled | true | Enables authentication for CDAP. When set to true, all requests to CDAP must provide a valid access token. |
| security.authentication.mode | MANAGED | Determines the mode of authentication to use if security is enabled. Supported modes are MANAGED and PROXY. MANAGED mode uses a CDAP-managed authentication server and CDAP's access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers. |
| security.auth.server.announce.urls | (empty) | Comma-separated list of CDAP Authentication service announce URLs, each in the format protocol://host:port. These are the URLs that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server. |
| security.auth.server.bind.address | 0.0.0.0 | IP address that the CDAP Authentication Server should bind to (default value shown). |
| security.auth.server.bind.port | 10009 | CDAP Authentication service bind port (default value shown). |

Configuring Kerberos (Optional)

To configure Kerberos authentication for various CDAP services, add these properties to cdap-site.xml:

| Property | Value | Description |
|---|---|---|
| kerberos.auth.enabled | security.enabled | true to enable Kerberos authentication (by default, follows the value of security.enabled). |
| cdap.master.kerberos.keytab | <filepath> | Kerberos keytab file path, either absolute or relative. |
| cdap.master.kerberos.principal | <principal> | Kerberos principal associated with the keytab. |

Configuring ZooKeeper (Optional)

To configure ZooKeeper to enable SASL authentication, add the following to your zoo.cfg:

    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    jaasLoginRenew=3600000
    kerberos.removeHostFromPrincipal=true
    kerberos.removeRealmFromPrincipal=true

This configures ZooKeeper to use SASLAuthenticationProvider as an authentication provider; the jaasLoginRenew setting (in milliseconds) makes the ZooKeeper server renew its Kerberos ticket once an hour.

Then, create a jaas.conf file for your ZooKeeper server:

    Server {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/path/to/zookeeper.keytab"
        storeKey=true
        useTicketCache=false
        principal="<your-zookeeper-principal>";
    };

The keytab file must be readable by the ZooKeeper server, and <your-zookeeper-principal> must correspond to the keytab file.

Finally, start the ZooKeeper server with the following JVM option so that it loads the JAAS configuration:

    -Djava.security.auth.login.config=/path/to/jaas.conf

Accessing CDAP Services with SSL

To enable running the CDAP Router with SSL, add this property to cdap-site.xml:

| Property | Value | Description |
|---|---|---|
| ssl.external.enabled | true | true to enable SSL for external services. |

Default Ports

Without SSL, unless set specifically, these properties have the following default values:

| Property | Default Value | Description |
|---|---|---|
| router.bind.port | 11015 | Port number that the CDAP Router should bind to for HTTP connections. |
| security.auth.server.bind.port | 10009 | Port number that the CDAP Authentication Server should bind to for HTTP connections. |
| dashboard.bind.port | 11011 | Port number that the CDAP UI should bind to for HTTP connections. |

With SSL, unless set specifically, these properties have the following default values:

| Property | Default Value | Description |
|---|---|---|
| router.ssl.bind.port | 10443 | Port number that the CDAP Router should bind to for HTTPS connections. |
| security.auth.server.ssl.bind.port | 10010 | Port number that the CDAP Authentication Server should bind to for HTTPS connections. |
| dashboard.ssl.bind.port | 9443 | Port number that the CDAP UI should bind to for HTTPS connections. |

Configuring SSL for the Authentication Server

To have the Authentication Server grant access tokens over SSL, add these properties to cdap-security.xml:

| Property | Value | Description |
|---|---|---|
| security.auth.server.ssl.keystore.path | <filepath> | Keystore file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
| security.auth.server.ssl.keystore.password | <password> | Keystore password. |
| security.auth.server.ssl.keystore.keypassword | <password> | Keystore key password. |
| security.auth.server.ssl.keystore.type | JKS | Keystore file type (default JKS). |

To configure client-certificate-based authentication via two-way (mutual) SSL, add these properties to cdap-site.xml:

| Property | Value | Description |
|---|---|---|
| security.auth.server.ssl.truststore.path | <filepath> | Truststore file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
| security.auth.server.ssl.truststore.password | <password> | Truststore password. |
| security.auth.server.ssl.truststore.type | JKS | Truststore file type (default JKS). |

Configuring SSL for the Router

To configure SSL for the Router, add these properties to cdap-security.xml:

| Property | Value | Description |
|---|---|---|
| router.ssl.keystore.path | <filepath> | Keystore file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
| router.ssl.keystore.password | <password> | Keystore password. |
| router.ssl.keystore.keypassword | <password> | Keystore key password. |
| router.ssl.keystore.type | JKS | Keystore file type (default JKS). |

Configuring SSL for the CDAP UI

To enable SSL for the CDAP UI, add these properties to cdap-security.xml:

| Property | Value | Description |
|---|---|---|
| dashboard.ssl.cert | <filepath> | SSL certificate file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
| dashboard.ssl.key | <filepath> | SSL key file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |

Note: To enable SSL for the CDAP UI while allowing self-signed certificates, add this property to cdap-site.xml:

| Property | Value | Description |
|---|---|---|
| dashboard.ssl.disable.cert.check | true | true to disable the SSL certificate check performed by the CDAP UI. |
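As an added example (not part of the CDAP documentation or the CDAP project), a small Python check that parses a cdap-site.xml in its Hadoop-style property format, verifies the perimeter-security and SSL settings from the tables above, flags the self-signed-certificate override just described, and checks that a keystore or truststore file meets the ownership and permission requirement stated for it. The sample document and uid values are constructed; the property names come from this page, the function names are mine.

```python
import stat
import xml.etree.ElementTree as ET

# Constructed sample of a cdap-site.xml: security and SSL enabled, but with
# the self-signed-certificate override from this page left switched on.
SAMPLE_CDAP_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>security.enabled</name><value>true</value></property>
  <property><name>security.authentication.mode</name><value>MANAGED</value></property>
  <property><name>security.auth.server.bind.address</name><value>0.0.0.0</value></property>
  <property><name>security.auth.server.bind.port</name><value>10009</value></property>
  <property><name>ssl.external.enabled</name><value>true</value></property>
  <property><name>dashboard.ssl.disable.cert.check</name><value>true</value></property>
</configuration>
"""


def parse_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_perimeter(props):
    """Return findings for the settings this page describes; [] means all pass."""
    findings = []
    if props.get("security.enabled", "false").lower() != "true":
        findings.append("security.enabled is not true: requests need no access token")
    mode = props.get("security.authentication.mode", "MANAGED")
    if mode not in ("MANAGED", "PROXY"):
        findings.append(f"security.authentication.mode {mode!r} is not MANAGED or PROXY")
    if props.get("ssl.external.enabled", "false").lower() != "true":
        findings.append("ssl.external.enabled is not true: Router serves plain HTTP")
    if props.get("dashboard.ssl.disable.cert.check", "false").lower() == "true":
        findings.append("dashboard.ssl.disable.cert.check=true: UI skips certificate checks")
    return findings


def keystore_permissions_ok(st_mode, st_uid, cdap_uid):
    """True if a keystore/truststore is owned by the CDAP user and not
    readable by group or others, as the tables on this page require.
    Pass os.stat(path).st_mode and .st_uid for a real file."""
    no_group_other = (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
    return st_uid == cdap_uid and no_group_other
```

Run audit_perimeter(parse_props(open("cdap-site.xml").read())) against a real file; an empty list means every setting on this page is in its intended state.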

Enabling Access Logging

To enable access logging, add the following to logback.xml (typically under /etc/cdap/conf/):

You can change the file that is logged to by editing the path in the <file>...</file> element.

Created in 2020 by Google Inc.