Security on Alluxio in Kubernetes
This doc demonstrates how to set up Alluxio to integrate with different security components on Kubernetes.
Security Server
To start the Alluxio Security Server, add a security section to your config.yaml file:

security:
  enabled: true

The security server always requires TLS. The next section shows how to configure TLS for Alluxio so that the communication between its components is encrypted and authenticated.
TLS
Alluxio supports encryption of the network communication between services with TLS. Refer here for more information about the general usage of TLS.
Enabling TLS for Alluxio on Kubernetes differs somewhat from bare-metal machines because the pods that run the services are ephemeral. The certificate in the keystore must name the server by IP address or DNS name, but a restarted pod does not keep its old IP address or DNS entry. We therefore rely on the Kubernetes Service (and the stable pod hostnames it provides) so that a restarted pod remains reachable by, and able to reach, the other components of the system, and so that the names in the certificate stay valid across restarts.
To enable TLS encryption on Alluxio network traffic on Kubernetes, follow the steps below:
1. Generate keypair
Use keytool to generate a keystore/truststore pair, as described here and here.
Note: the certificate in the generated keystore must name every Alluxio master and worker (by IP address or hostname) in its Subject Alternative Name extension; otherwise hostname verification fails when the components connect to each other.
The hostnames of Alluxio master pods follow the pattern alluxio-master-x, where x ranges from 0 to (number of master pods - 1).
The hostnames of Alluxio worker pods follow the pattern alluxio-worker-x, where x ranges from 0 to (number of worker pods - 1).
Therefore, append the SAN (Subject Alternative Name) extension to the keystore generation command, listing all of these names. For example, for one master and three workers:
$ keytool -genkeypair ... -ext "SAN=DNS:alluxio-master-0,DNS:alluxio-worker-0,DNS:alluxio-worker-1,DNS:alluxio-worker-2"
If you later scale the number of master or worker pods, regenerate the keystore so that the new pod names are included.
2. Add keypair to the system
Move the keystore and truststore files into the directory ./security-conf-files inside the Helm chart directory that you downloaded.
3. Configure Alluxio
In your config.yaml configuration file, add the TLS properties to the security section. The passwords must be the ones you chose when generating the keystore and truststore; the values below are placeholders. For example:

security:
  enabled: true
  properties:
    alluxio.security_server.jwks.address: http://alluxio-master-0:19994/security/jwks.json
    alluxio.network.tls.enabled: true
    alluxio.network.tls.keystore.path: /opt/alluxio/conf/security/keystore.jks
    alluxio.network.tls.keystore.alias: key
    alluxio.network.tls.keystore.password: changeme123
    alluxio.network.tls.keystore.key.password: changeme123
    alluxio.network.tls.truststore.alias: key
    alluxio.network.tls.truststore.path: /opt/alluxio/conf/security/truststore.jks
    alluxio.network.tls.truststore.password: changeme123
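The three steps above carried out end to end, as an added example that is not part of the Alluxio documentation or the Alluxio project: a POSIX shell script that builds the SAN list from the master and worker counts (so that no pod name is left out), generates the keystore and truststore with keytool, checks that the certificate really carries every name, and writes both files into ./security-conf-files. The pod hostname patterns are the ones stated above, and the alias key and the password match the configuration example; the RSA key size, validity period, distinguished name and the optional extra Service DNS names are assumptions made for the illustration. With a real CA you would import the CA certificate into the truststore instead of the self-signed certificate used here.

```shell
#!/bin/sh
# Added example, not from the Alluxio docs: build the SAN list for every
# Alluxio master/worker pod, generate keystore + truststore with keytool,
# and place them in the chart's ./security-conf-files directory.
# Assumed: pod hostname patterns alluxio-master-N / alluxio-worker-N (as the
# doc states), alias "key" and password as in the config example, RSA-2048,
# 365-day validity and CN=alluxio (arbitrary choices for this illustration).

# build_san MASTERS WORKERS [EXTRA_DNS...]
# Prints the keytool -ext value naming every master and worker pod, plus any
# extra DNS names (for example a Kubernetes Service name) given after the counts.
build_san() {
    masters=$1
    workers=$2
    shift 2
    san=""
    i=0
    while [ "$i" -lt "$masters" ]; do
        san="${san:+$san,}DNS:alluxio-master-$i"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt "$workers" ]; do
        san="${san:+$san,}DNS:alluxio-worker-$i"
        i=$((i + 1))
    done
    for extra in "$@"; do
        san="${san:+$san,}DNS:$extra"
    done
    printf 'SAN=%s\n' "$san"
}

# count_san_names SAN_EXT
# Prints how many DNS entries a SAN string carries; used to cross-check the
# generated certificate against what was requested.
count_san_names() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c 'DNS:'
}

# generate_stores OUTDIR PASSWORD SAN_EXT
# Creates OUTDIR/keystore.jks (private key + self-signed certificate carrying
# SAN_EXT) and OUTDIR/truststore.jks (that certificate under alias "key"),
# then verifies that the certificate lists as many DNS names as SAN_EXT does.
generate_stores() {
    outdir=$1
    password=$2
    san_ext=$3
    command -v keytool >/dev/null 2>&1 || {
        echo "keytool not found; install a JDK" >&2
        return 1
    }
    mkdir -p "$outdir"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias key -dname "CN=alluxio" -ext "$san_ext" \
        -keystore "$outdir/keystore.jks" -storepass "$password" -keypass "$password"
    keytool -exportcert -alias key -keystore "$outdir/keystore.jks" \
        -storepass "$password" -rfc -file "$outdir/alluxio.crt"
    keytool -importcert -noprompt -alias key -file "$outdir/alluxio.crt" \
        -keystore "$outdir/truststore.jks" -storepass "$password"
    expected=$(count_san_names "$san_ext")
    # keytool -list -v prints one "DNSName: <host>" line per SAN entry.
    actual=$(keytool -list -v -keystore "$outdir/keystore.jks" \
        -storepass "$password" | grep -c 'DNSName:')
    if [ "$actual" -ne "$expected" ]; then
        echo "certificate lists $actual DNS names, expected $expected" >&2
        return 1
    fi
    echo "wrote $outdir/keystore.jks and $outdir/truststore.jks ($actual SAN entries)"
}

# Usage, from the downloaded Helm chart directory, for 1 master and 3 workers
# (add Service DNS names after the counts if clients connect through a Service):
#   generate_stores ./security-conf-files changeme123 "$(build_san 1 3)"
```

The password passed on the command line ends up in the shell history and in config.yaml; treat changeme123 purely as a placeholder and pick a real secret for any cluster that matters.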
Authorization
Ranger enables administrators to centralize permission management for various resources. Alluxio supports using Ranger to manage and enforce access to directories and files.
Enable Authorization
To enable user authorization, configure the following properties:

security:
  properties:
    alluxio.security.authorization.plugins.enabled: true
    alluxio.security.authorization.permission.enabled: true
In addition, the Ranger plugin needs to be configured separately. Details can be found in Set up Ranger for Authorization; the following is an example set of configurations:

security:
  properties:
    alluxio.security.authorization.plugin.name: ranger-hdp-2.5
    alluxio.security.authorization.plugin.paths: /opt/alluxio/conf/security
    alluxio.master.mount.table.root.option.alluxio.underfs.security.authorization.plugin.name: ranger-2.1
    alluxio.master.mount.table.root.option.alluxio.underfs.security.authorization.plugin.path: /opt/alluxio/conf/security