...
MANAGE- Can performputanddeleteoperationsREAD_ONLY- Can performlistandgetoperationsALL- Can perform all operations
Permission is enforced at per key level. For example, a user can only list or get keys that he has access to.
Implementations
SDK
The SecureStore and SecureStoreManager will be implemented using the standard JKS or JCEKS keystore to store the sensitive data. The keystore can be protected with a key in the CDAP master keystore, which CDAP already requires the user to provide in order to have SSL enabled. Since program will be executed in the same JVM as the SDK process, accessing to the sensitive data directly through the proper Guice binding that binds the SecureStore interface to the actual implementation.
...
On Hadoop cluster with KMS enabled, CDAP can provide an implementation of SecureStore and SecureStoreManager through the Hadoop KeyProvider API, assuming the cluster is configured to use KMS implementation of KeyProvider.
The CDAP master process will host the HTTPS server for providing the REST API support. The master process is also responsible for acquiring and refreshing the KMS delegation token when launch programs to be run on YARN.
Implementation of the SecureStore used by the program at runtime can be implemented by adapting calls to the underlying Hadoop KeyProvider, with an additional per key level permission check.
Hadoop without KMS
When KMS is not available, CDAP can provide an implementation of SecureStore with an architecture similar to KMS.
...