Security on Alluxio in Kubernetes


This doc demonstrates how to set up Alluxio to integrate with different security components on Kubernetes.

Security Server

To start Alluxio Security Server, add a security section in your config.yaml file:

security:
  enabled: true

The security server always requires TLS, so the next section shows how to configure TLS for Alluxio to secure the communication between its components.

TLS

Alluxio supports encryption of the network communication between services with TLS. Refer here for more information about the general usage of TLS.

Enabling TLS on Alluxio in Kubernetes differs somewhat from enabling it on bare-metal machines because pods, where the services run, are ephemeral. The keystore needs to include the IP address or DNS name of the server, but a restarted pod does not keep its old IP address or DNS name, so we have to rely on Kubernetes Services to ensure that a restarted pod remains reachable and can reach the other components of the system.

To enable TLS encryption on Alluxio network traffic on Kubernetes, follow the steps below:

1. Generate keypair

Use keytool to generate a keystore/truststore pair, as described here and here. Note: the generated keystore needs to contain the IP addresses or hostnames of all Alluxio masters and workers, otherwise certificate verification fails.

The hostnames of Alluxio master pods follow the pattern alluxio-master-x, where x ranges from 0 to the number of master pods minus 1. The hostnames of Alluxio worker pods follow the pattern alluxio-worker-x, where x ranges from 0 to the number of worker pods minus 1.

Therefore, you may need to append the SAN (Subject Alternative Name) extension to the keystore generation command. For example:

$ keytool -genkeypair ... -ext "SAN=DNS:alluxio-master-0,DNS:alluxio-worker-0,DNS:alluxio-worker-1,DNS:alluxio-worker-2"

2. Add keypair to the system

Move the keystore and truststore files into the Helm chart directory that you downloaded, under the directory ./security-conf-files.

3. Configure Alluxio

In your config.yaml configuration file, in the security section, add a few properties. For example:

security:
  enabled: true
  properties:
    alluxio.security_server.jwks.address: http://alluxio-master-0:19994/security/jwks.json
    alluxio.network.tls.enabled: true
    alluxio.network.tls.keystore.path: /opt/alluxio/conf/security/keystore.jks
    alluxio.network.tls.keystore.alias: key
    alluxio.network.tls.keystore.password: changeme123
    alluxio.network.tls.keystore.key.password: changeme123
    alluxio.network.tls.truststore.alias: key
    alluxio.network.tls.truststore.path: /opt/alluxio/conf/security/truststore.jks
    alluxio.network.tls.truststore.password: changeme123
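The three steps above can be scripted end to end. The following helper is an added example, not part of the Alluxio documentation or project: it builds the SAN list from the number of master and worker pods (using the alluxio-master-x / alluxio-worker-x naming described above), generates the keystore/truststore pair with keytool, verifies that every expected pod hostname actually appears as a DNSName entry in the certificate before the files are used, and copies them into ./security-conf-files. The self-signed certificate, the alias `key`, the CN, the 365-day validity and the password argument are assumptions; the alias and password are chosen to match the config.yaml example above.

```shell
#!/bin/sh
# Added example (not from the Alluxio docs). Assumes the JDK keytool is on PATH.

# Print the keytool -ext argument covering masters 0..M-1 and workers 0..W-1.
build_san() {
  masters=$1
  workers=$2
  san=""
  i=0
  while [ "$i" -lt "$masters" ]; do
    san="${san}${san:+,}DNS:alluxio-master-$i"
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt "$workers" ]; do
    san="${san}${san:+,}DNS:alluxio-worker-$i"
    i=$((i + 1))
  done
  printf 'SAN=%s\n' "$san"
}

# Generate keystore.jks (private key + self-signed certificate carrying the
# SAN list) and truststore.jks (the exported certificate) in the current
# directory. Alias "key" and the CN are assumptions matching the config above.
gen_keypair() {
  masters=$1; workers=$2; pass=$3
  keytool -genkeypair -alias key -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=alluxio-master-0" -ext "$(build_san "$masters" "$workers")" \
    -keystore keystore.jks -storepass "$pass" -keypass "$pass"
  keytool -exportcert -alias key -keystore keystore.jks -storepass "$pass" \
    -rfc -file alluxio.cer
  keytool -importcert -noprompt -alias key -file alluxio.cer \
    -keystore truststore.jks -storepass "$pass"
}

# Return 0 only if every expected pod hostname appears as a DNSName SAN in
# the certificate stored under alias "key"; otherwise report the first gap.
check_san() {
  masters=$1; workers=$2; pass=$3
  listing=$(keytool -list -v -keystore keystore.jks -storepass "$pass" -alias key)
  for name in $(build_san "$masters" "$workers" | sed 's/^SAN=//; s/,/ /g; s/DNS://g'); do
    printf '%s\n' "$listing" | grep -q "DNSName: $name" \
      || { echo "missing SAN entry for $name" >&2; return 1; }
  done
}

# Usage: sh gen-alluxio-tls.sh generate <masters> <workers> <password>
if [ "${1:-}" = "generate" ]; then
  gen_keypair "$2" "$3" "$4"
  check_san "$2" "$3" "$4"
  mkdir -p ./security-conf-files
  cp keystore.jks truststore.jks ./security-conf-files/
fi
```

Running `sh gen-alluxio-tls.sh generate 1 3 changeme123` (the script name is an assumption) produces the same SAN list as the keytool command shown in step 1, and the check step fails fast if a pod hostname is missing, which is the condition under which Alluxio's TLS verification would otherwise fail at runtime.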

Authorization

Ranger enables administrators to centralize permission management for various resources. Alluxio supports using Ranger to manage and enforce access to directories and files.

Enable Authorization

To enable user authorization, configure the following properties:

security:
  properties:
    alluxio.security.authorization.plugins.enabled: true
    alluxio.security.authorization.permission.enabled: true

In addition, the Ranger plugin needs to be configured separately. Details can be found in Set up Ranger for Authorization, but the following is a set of example configurations:

security:
  properties:
    alluxio.security.authorization.plugin.name: ranger-hdp-2.5
    alluxio.security.authorization.plugin.paths: /opt/alluxio/conf/security
    alluxio.master.mount.table.root.option.alluxio.underfs.security.authorization.plugin.name: ranger-2.1
    alluxio.master.mount.table.root.option.alluxio.underfs.security.authorization.plugin.path: /opt/alluxio/conf/security