This topic describes the authentication methods that Alluxio supports and how to enable the authorization and log audit features of Alluxio in E-MapReduce (EMR).
Prerequisites
An EMR Hadoop cluster is created, and Alluxio is selected from the optional services when you create the cluster. For more information, see Create a cluster.
Authentication
Authentication verifies the identity information that users present when they access resources.
Alluxio supports the following authentication methods: SIMPLE, NOSASL, and CUSTOM. By default, the SIMPLE authentication method is used. This facilitates log audit.
With the SIMPLE authentication method, when a client accesses Alluxio, the client obtains the logon user from the operating system on which it runs, constructs a request that contains this information, and sends the request to the server. The server identifies the user based on this information. If you specify the alluxio.security.login.username parameter on the client, the parameter value is used as the logon user instead. When the client sends a request to create a directory or a file, the logon user is stored in the metadata.
You can change the authentication method based on your business requirements. After you change the authentication method, you must restart the Alluxio service for the configuration to take effect. For more information, see the Alluxio documentation.
Enable authorization
Authorization grants a user the permissions that are required to perform operations on files and directories. Alluxio provides a permission model that is similar to the POSIX permission model. Alluxio allows or denies a user's access requests based on the user identity that is established during authentication.
By default, authorization is disabled for Alluxio. To enable authorization, perform the following steps:
- Go to the Alluxio service page.
  - Log on to the Alibaba Cloud EMR console.
  - In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  - Click the Cluster Management tab.
  - On the Cluster Management page, find your cluster and click Details in the Actions column.
  - In the left-side navigation pane of the Cluster Overview page, choose .
- On the Alluxio service page, click the Configure tab.
- Enable authorization.
- Restart the Alluxio service.
  - In the upper-right corner of the Alluxio service page, choose .
  - In the Cluster Activities dialog box, specify Description and click OK.
  - In the Confirm message, click OK.
Enable log audit
Alluxio provides the log audit feature, which allows you to view and track user access to file metadata. The audit information is stored in the master_audit.log file in the /mnt/disk1/log/alluxio/ directory.
By default, log audit is disabled for Alluxio. To enable log audit, perform the following steps:
- Go to the Alluxio service page.
  - Log on to the Alibaba Cloud EMR console.
  - In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  - Click the Cluster Management tab.
  - On the Cluster Management page, find your cluster and click Details in the Actions column.
  - In the left-side navigation pane of the Cluster Overview page, choose .
- On the Alluxio service page, click the Configure tab.
- Enable log audit.
- Restart the Alluxio service.
  - In the upper-right corner of the Alluxio service page, choose .
  - In the Cluster Activities dialog box, specify Description and click OK.
  - In the Confirm message, click OK.
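Once authorization and log audit are both enabled, master_audit.log can be reviewed for denied requests and for client addresses that present more than one user name, which matters because SIMPLE authentication takes the user name from the client. The following Python script is an added example, not part of the original topic or of Alluxio. It assumes each audit line is a run of whitespace-separated key=value fields (succeeded, allowed, ugi, ip, cmd, src, dst, perm); the sample lines are constructed, and the function names parse and review are hypothetical.

```python
import re
from collections import defaultdict

# Assumed layout: key=value fields separated by whitespace. The ugi value may
# contain a space ("user,group (AUTH=SIMPLE)"), so a value runs until the next
# " key=" or the end of the line. Check this against your own master_audit.log.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# Constructed sample lines, not taken from a real cluster.
SAMPLE = """\
succeeded=true allowed=true ugi=alice,alice (AUTH=SIMPLE) ip=/10.0.0.5:40112 cmd=getFileInfo src=/data/a dst=null perm=alice:alice:rwxr-xr-x
succeeded=false allowed=false ugi=bob,bob (AUTH=SIMPLE) ip=/10.0.0.9:40200 cmd=delete src=/data/a dst=null perm=null
succeeded=true allowed=true ugi=alice,alice (AUTH=SIMPLE) ip=/10.0.0.9:40201 cmd=delete src=/data/a dst=null perm=alice:alice:rwxr-xr-x
this line is not an audit record
"""

def parse(line):
    """Return the key=value fields of one audit line as a dict."""
    return dict(FIELD.findall(line))

def review(lines):
    """Return (denied requests per user, addresses that used several user names)."""
    denied = defaultdict(list)       # user -> [(cmd, src), ...]
    users_by_addr = defaultdict(set)  # client address -> user names seen
    for line in lines:
        rec = parse(line)
        if "ugi" not in rec or "allowed" not in rec:
            continue  # skip anything that is not an audit record
        user = rec["ugi"].split(",")[0]
        # Drop the leading "/" and the source port so one host maps to one key.
        addr = rec.get("ip", "").lstrip("/").rsplit(":", 1)[0]
        users_by_addr[addr].add(user)
        if rec["allowed"] == "false":
            denied[user].append((rec.get("cmd"), rec.get("src")))
    # Several names from one address can be legitimate (a shared gateway host),
    # so treat this as a lead to follow up, not as proof of misuse.
    shared = {a: sorted(u) for a, u in users_by_addr.items() if len(u) > 1}
    return dict(denied), shared

if __name__ == "__main__":
    denied, shared = review(SAMPLE.splitlines())
    for user, ops in denied.items():
        print(f"denied: user={user} requests={ops}")
    for addr, users in shared.items():
        print(f"multiple user names from {addr}: {users}")
```

To run it against a cluster, pass the lines of /mnt/disk1/log/alluxio/master_audit.log to review() in place of the sample.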