Enabling Perimeter Security
Follow the instructions below to enable perimeter security, either for CDAP Sandbox or Distributed CDAP. Client authentication, once security has been enabled, is described in Client Authentication.
Enabling Perimeter Security (CDAP Sandbox)
To enable security in CDAP Sandbox, add these properties to cdap-site.xml:
Property | Value | Description |
---|---|---|
 | | Enables authentication for CDAP. When set to |
 | | Determines the mode of authentication to use if security is enabled. Supported modes include MANAGED and PROXY. MANAGED mode supports a CDAP-managed authentication server and uses CDAP's access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers. |
 | | CDAP Authentication service announce URLs, separated by commas. Each URL is in the format of These are the URLs that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server. |
 | | IP address that the CDAP Authentication Server should bind to (default value shown). |
 | | CDAP Authentication service bind port (default value shown). |
Next, Client Authentication needs to be configured, as described in Configuring Authentication Mechanisms. With CDAP Sandbox, the simplest is basic authentication.
Enabling Perimeter Security (Distributed CDAP)
To enable security in Distributed CDAP, add these properties to cdap-site.xml:
Property | Value | Description |
---|---|---|
 | | Enables authentication for CDAP. When set to |
 | | Determines the mode of authentication to use if security is enabled. Supported modes include MANAGED and PROXY. MANAGED mode supports a CDAP-managed authentication server and uses CDAP's access tokens to authenticate the user. PROXY mode assumes that authentication has already been performed upstream and instead extracts the user's identity and credentials from the configured headers. In PROXY mode the proxy must therefore be the only path by which requests can reach CDAP; if the Router is reachable directly, the identity headers can be forged by any client. |
 | | CDAP Authentication service announce URLs, separated by commas. Each URL is in the format of These are the URLs that clients should use to communicate with the Authentication Server. Leave empty to use the default value generated by the Authentication Server. |
 | | IP address that the CDAP Authentication Server should bind to (default value shown). |
 | | CDAP Authentication service bind port (default value shown). |
Configuring Kerberos (Optional)
To configure Kerberos authentication for various CDAP services, add these properties to cdap-site.xml:
Property | Value | Description |
---|---|---|
 | | Kerberos keytab file path, either absolute or relative. |
 | | Kerberos principal associated with the keytab. |
Configuring ZooKeeper (Optional)
To configure ZooKeeper to enable SASL authentication, add the following to your zoo.cfg:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
This will let ZooKeeper use the SASLAuthenticationProvider as an auth provider, and the jaasLoginRenew line (a value in milliseconds) will cause the ZooKeeper server to renew its Kerberos ticket once an hour. The two kerberos.remove* settings strip the host and realm parts from authenticated principals, so that ZooKeeper ACLs can refer to the short service name rather than the full service/host@REALM form.
Then, create a jaas.conf file for your ZooKeeper server:
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/to/zookeeper.keytab"
storeKey=true
useTicketCache=false
principal="<your-zookeeper-principal>";
};
The keytab file must be readable by the ZooKeeper server, and <your-zookeeper-principal> must correspond to the keytab file, that is, the keytab must contain a key for exactly that principal. Because the keytab is a long-lived credential, it should be readable only by the account that runs ZooKeeper.
Finally, start the ZooKeeper server with the following JVM option:
-Djava.security.auth.login.config=/path/to/jaas.conf
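A mistake in jaas.conf (a ticket-cache login instead of a keytab login, a missing storeKey, a principal that does not match the keytab) only shows up as a SASL failure at ZooKeeper start. The following is an added example, not part of the CDAP or ZooKeeper projects, that parses a jaas.conf into its login-module entries and checks the Krb5LoginModule options a keytab-based Server entry needs. The sample jaas.conf is constructed inline; the keytab path and the principal zookeeper/zk1.example.com@EXAMPLE.COM are placeholders, and the requirement that the principal have the service/host@REALM shape is an assumption that follows from the removeHostFromPrincipal and removeRealmFromPrincipal settings above.

```python
"""Parse a ZooKeeper jaas.conf and sanity-check its Server entry.

Added example, not part of the CDAP documentation or the CDAP/ZooKeeper
code bases. The sample below is constructed; path and principal are
placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, mirroring the shape shown in the documentation.
SAMPLE_JAAS = '''
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/zk1.example.com@EXAMPLE.COM";
};
'''


@dataclass
class LoginModule:
    class_name: str
    flag: str                                   # required | requisite | sufficient | optional
    options: Dict[str, str] = field(default_factory=dict)


# JAAS grammar, simplified:  Name { Class Flag key=value ... ; [more modules] };
_ENTRY = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)
_MODULE = re.compile(r'([\w.$]+)\s+(required|requisite|sufficient|optional)\s*(.*?);', re.S | re.I)
_OPTION = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_jaas(text: str) -> Dict[str, List[LoginModule]]:
    """Return {entry_name: [LoginModule, ...]} after stripping // and /* */ comments."""
    text = re.sub(r'//[^\n]*', '', text)
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    entries: Dict[str, List[LoginModule]] = {}
    for name, body in _ENTRY.findall(text):
        modules = []
        for cls, flag, opts in _MODULE.findall(body):
            options = {}
            for m in _OPTION.finditer(opts):
                quoted, bare = m.group(2), m.group(3)
                options[m.group(1)] = quoted if quoted is not None else bare
            modules.append(LoginModule(cls, flag.lower(), options))
        entries[name] = modules
    return entries


# Options a keytab-based, non-interactive server login must carry.
REQUIRED_FOR_KEYTAB = {'useKeyTab': 'true', 'storeKey': 'true', 'useTicketCache': 'false'}
# Assumed shape: service/host@REALM, which the removeHost/removeRealm settings expect.
_SERVICE_PRINCIPAL = re.compile(r'[^/@\s]+/[^/@\s]+@[A-Z0-9.\-]+')


def check_server_entry(config: Dict[str, List[LoginModule]]) -> List[str]:
    """Return a list of problems with the Server entry; an empty list means it looks right."""
    modules = config.get('Server')
    if not modules:
        return ['no Server entry']
    krb = [m for m in modules if m.class_name.endswith('Krb5LoginModule')]
    if not krb:
        return ['Server entry has no Krb5LoginModule']
    opts = krb[0].options
    problems = []
    for key, want in REQUIRED_FOR_KEYTAB.items():
        if opts.get(key, '').lower() != want:
            problems.append(f'{key} should be {want}, got {opts.get(key)!r}')
    if not opts.get('keyTab'):
        problems.append('keyTab not set')
    principal = opts.get('principal', '')
    if not _SERVICE_PRINCIPAL.fullmatch(principal):
        problems.append(f'principal {principal!r} is not of the form service/host@REALM')
    return problems


if __name__ == '__main__':
    for problem in check_server_entry(parse_jaas(SAMPLE_JAAS)) or ['jaas.conf looks good']:
        print(problem)
```

Run it against the real file by replacing SAMPLE_JAAS with `open('/path/to/jaas.conf').read()`; whether the keytab actually holds a key for that principal is still something only klist -kt can confirm.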
Accessing CDAP Services with SSL
To enable running the CDAP Router with SSL, add this property to cdap-site.xml:
Property | Value | Description |
---|---|---|
 | | |
Default Ports
Without SSL, unless set specifically, these properties have the following default values:
Property | Default Value | Description |
---|---|---|
 | | Port number that the CDAP Router should bind to for HTTP connections. |
 | | Port number that the CDAP Authentication Server should bind to for HTTP connections. |
 | | Port number that the CDAP UI should bind to for HTTP connections. |
With SSL, unless set specifically, these properties have the following default values:
Property | Default Value | Description |
---|---|---|
 | | Port number that the CDAP Router should bind to for HTTPS connections. |
 | | Port number that the CDAP Authentication Server should bind to for HTTPS connections. |
 | | Port number that the CDAP UI should bind to for HTTPS connections. |
Configuring SSL for the Authentication Server
To configure the granting of AccessTokens via SSL, add these properties to cdap-security.xml:
Property | Value | Description |
---|---|---|
 | | Keystore file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
 | | Keystore password |
 | | Keystore key password |
 | | Keystore file type (default |
To configure client certificate based authentication via 2-way SSL, add these properties to cdap-site.xml. The truststore holds the CA certificates that a client's certificate must chain to; a client presenting a certificate from any other issuer is rejected during the TLS handshake:
Property | Value | Description |
---|---|---|
 | | Truststore file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
 | | Truststore password |
 | | Truststore file type (default |
Configuring SSL for the Router
To configure SSL for the Router, add these properties to cdap-security.xml:
Property | Value | Description |
---|---|---|
 | | Keystore file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
 | | Keystore password |
 | | Keystore key password |
 | | Keystore file type (default |
Configuring SSL for the CDAP UI
To enable SSL for the CDAP UI, add these properties to cdap-security.xml:
Property | Value | Description |
---|---|---|
 | | SSL cert file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
 | | SSL key file location, either absolute or relative. The file should be owned and readable only by the CDAP user. |
Note: To enable SSL for the CDAP UI and allow self-signed certificates, add this property to cdap-site.xml. Allowing self-signed certificates means the UI no longer verifies the certificate chain of the Router and Authentication Server it connects to, so a host on the path could impersonate them; use it for development and test setups only, and issue certificates from a CA the UI trusts in production:
Property | Value | Description |
---|---|---|
 | | |
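Every keystore, truststore, certificate and key file referenced by the Authentication Server, Router and UI properties above is supposed to be owned and readable only by the CDAP user, and nothing in CDAP itself enforces that. The following added example, not part of the CDAP documentation or code base, checks a file's ownership and mode the way a pre-start script or a configuration audit would. The account name cdap and the file names are assumptions; the demo creates a correctly protected and a world-readable placeholder file in a temporary directory, so it runs offline.

```python
"""Check that SSL key material is owned by the service account and readable
only by it, as the CDAP keystore/truststore/cert/key properties require.

Added example, not part of the CDAP documentation or code base. The account
name 'cdap' and the file names are assumptions; file contents are placeholders.
"""
import os
import pwd
import stat
import tempfile
from typing import Dict, List, Optional


def secret_file_problems(path: str, expected_owner: Optional[str] = None) -> List[str]:
    """Return a list of problems with the file; an empty list means it passes."""
    problems: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f'{path}: does not exist']
    if stat.S_ISLNK(st.st_mode):
        # A symlink's own mode is meaningless; the target must be checked instead,
        # and the property should point at the real file so nobody can retarget it.
        problems.append(f'{path}: is a symlink; point the property at the real file')
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append(f'{path}: not a regular file')
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f'{path}: mode {mode:04o} grants group/other access; expected 0400 or 0600')
    if mode & stat.S_IXUSR:
        problems.append(f'{path}: mode {mode:04o} is executable, which key material never needs')
    if expected_owner is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        if owner != expected_owner:
            problems.append(f'{path}: owned by {owner}, expected {expected_owner}')
    return problems


def demo() -> Dict[str, List[str]]:
    """Create a good and a bad placeholder keystore and check both.

    Returns {case: problems}. 'bad_owner' checks the good file against an
    account it is not owned by (the assumed 'cdap' service account).
    """
    me = pwd.getpwuid(os.getuid()).pw_name
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, 'cdap.jks')
        with open(good, 'wb') as f:
            f.write(b'not a real keystore')          # constructed placeholder content
        os.chmod(good, 0o600)
        bad = os.path.join(d, 'cdap-world-readable.jks')
        with open(bad, 'wb') as f:
            f.write(b'not a real keystore')
        os.chmod(bad, 0o644)                         # the common mistake: world readable
        results['good'] = secret_file_problems(good, me)
        results['bad'] = secret_file_problems(bad, me)
        results['bad_owner'] = secret_file_problems(good, 'cdap' if me != 'cdap' else 'nobody')
    return results


if __name__ == '__main__':
    for case, problems in demo().items():
        print(case, '->', problems or ['ok'])
```

In a deployment, call secret_file_problems on each path named in cdap-security.xml with expected_owner set to the account that runs the CDAP services, and refuse to start if any list is non-empty.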
Enabling Access Logging
To enable access logging, add the following to logback.xml (typically under /etc/cdap/conf/):
You may also configure the file being logged to by changing the path under <file>...</file>.
Created in 2020 by Google Inc.