Cask Data Application Platform (CDAP) supports securing clusters using perimeter security. With perimeter security, cluster nodes can communicate with each other, but outside clients can only communicate with the cluster through a secured host.

Using CDAP security, the CDAP authentication server issues credentials (access tokens) to authenticated clients. Clients then send these credentials on requests to CDAP. Only calls with valid access tokens will be accepted, rejecting access to un-authenticated clients. In addition, access logging can be enabled in CDAP to provide an audit log of all operations.

Configuring Security

Security configuration is covered in the Administration Manual's Security.

Client Authentication

Client Authentication covers:

  • Authentication Process
  • Supported Authentication Mechanisms
  • Obtaining an Access Token
  • Authentication with RESTful Endpoints

Authentication Client Libraries

Two authentication client libraries are included with CDAP:

Custom Authentication

If the standard authentication mechanisms are not sufficient, you can provide a custom authentication mechanism.

Authorization Extensions

Authorization Extensions: Authorization backends for CDAP are implemented as extensions. Extensions run in their own, isolated classloader so that there are no conflicts with the system classloader of CDAP Master.


Impersonation allows users to run programs and access datasets, streams, and other resources as pre-configured users (a principal). Currently, CDAP supports configuring impersonation at a namespace and at an application level, with application level configuration having a higher precedence than namespace level.

If impersonation is enabled, and you don't specify a principal for an application, stream, or dataset, then the namespace owner's principal is used. If there is no namespace owner or you are using the default namespace, then the default principal is used (as set by the properties cdap.master.kerberos.keytab and cdap.master.kerberos.principal in the cdap-site.xml).

Details on the system configurations required are in the Administration Manual's section on Impersonation.