Cask Data Application Platform (CDAP) supports securing clusters using various mechanisms such as Perimeter Security, Authorization, Impersonation, Enabling SSL for System Services, and Secure Storage. This section covers how to set up these security mechanisms on a secure CDAP instance.

Additional security information, including client APIs, the authentication process, developing authorization extensions, and authorization policies, is covered in the Developers' Manual Security section.

We recommend that, in order for CDAP to be secure, CDAP security should always be used in conjunction with secure Hadoop clusters. In cases where secure Hadoop is not or cannot be used, the cluster is inherently insecure and any applications running on it are effectively "trusted". Although there is still value in having perimeter security, authorization enforcement and secure storage in that situation, whenever possible a secure Hadoop cluster should be employed with CDAP security.

CDAP Security is configured in the files cdap-site.xml and cdap-security.xml:

  • cdap-site.xml has non-sensitive information, such as the type of authentication, authorization and secure storage mechanisms, and their configuration.
  • cdap-security.xml is used to store sensitive information such as keystore passwords and SSL certificate keys. It should be owned and readable only by the CDAP user.
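As an added example, not code from the CDAP project, the following Python script audits the split described above: it flags secret-looking properties that have ended up in cdap-site.xml, and checks that cdap-security.xml is owned and readable only by the CDAP user. The property names, values and the `cdap` user name it uses are constructed placeholders, not real CDAP settings.

```python
"""Audit the CDAP security configuration split (added example, not CDAP code).

Assumes both files use the Hadoop-style <configuration><property>
<name/><value/></property></configuration> layout. Property names below
are constructed placeholders, not real CDAP settings.
"""
import os
import pwd
import stat
import xml.etree.ElementTree as ET

# Substrings that mark a property as sensitive (assumption for this example).
SENSITIVE_MARKERS = ("password", "secret", "private.key")


def load_properties(xml_text):
    """Parse Hadoop-style configuration XML into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", default="").strip()
        props[name] = prop.findtext("value", default="").strip()
    return props


def misplaced_secrets(site_xml_text):
    """Return property names in cdap-site.xml that look like secrets."""
    return sorted(n for n in load_properties(site_xml_text)
                  if any(m in n.lower() for m in SENSITIVE_MARKERS))


def permission_problems(mode, owner_uid, cdap_uid):
    """Describe why cdap-security.xml with this mode/owner is too permissive."""
    problems = []
    if owner_uid != cdap_uid:
        problems.append("not owned by the CDAP user")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set (expected 0600 or 0400)")
    return problems


def audit_security_file(path, cdap_user="cdap"):
    """Stat a real cdap-security.xml; an empty list means it passes."""
    st = os.stat(path)
    cdap_uid = pwd.getpwnam(cdap_user).pw_uid
    return permission_problems(stat.S_IMODE(st.st_mode), st.st_uid, cdap_uid)


# Constructed sample of a cdap-site.xml that wrongly carries a keystore password.
SAMPLE_SITE_XML = """<configuration>
  <property><name>example.auth.type</name><value>basic</value></property>
  <property><name>example.keystore.password</name><value>hunter2</value></property>
</configuration>"""

if __name__ == "__main__":
    print("misplaced in cdap-site.xml:", misplaced_secrets(SAMPLE_SITE_XML))
```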

These files are shown in Appendix: cdap-site.xml, cdap-default.xml and Appendix: cdap-security.xml.

File paths shown in this section are either absolute paths or, in the case of standalone CDAP, can be relative to the CDAP SDK installation directory.