This topic describes the authentication methods that are supported by Alluxio. This topic also describes how to enable the authorization and log audit features of Alluxio in E-MapReduce (EMR).

Prerequisites

An EMR Hadoop cluster is created, and Alluxio is selected from the optional services when you create the cluster. For more information, see Create a cluster.

Authentication

Authentication verifies the identity of a user who accesses resources.

Alluxio supports the following authentication methods: SIMPLE, NOSASL, and CUSTOM. By default, the SIMPLE authentication method is used. This facilitates log audit.

In the SIMPLE authentication method, when a client accesses Alluxio, the client obtains information about the logon user from the operating system on which the client runs, constructs a request that contains the information, and then sends the request to the server. The server identifies the user based on this information. If you specify the alluxio.security.login.username parameter on the client, the parameter value is used as the information about the logon user instead. If the client sends a request to the server to create a directory or a file, the information about the logon user is stored in metadata.

You can change the authentication method based on your business requirements. After you change the authentication method, you must restart the Alluxio service for the configuration to take effect. For more information, see the Alluxio documentation.

Enable authorization

Authorization grants a user the permissions that are required to perform operations on files and directories. Alluxio provides a permission model that is similar to the POSIX permission model. Alluxio allows or denies each access request based on the user identity that was established during authentication.

By default, authorization is disabled for Alluxio. To enable authorization, perform the following steps:

  1. Go to the Alluxio service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane of the Cluster Overview page, choose Cluster Service > Alluxio.
  2. On the Alluxio service page, click the Configure tab.
  3. Enable authorization.
    1. In the Configuration Filter section, enter alluxio.security.authorization.permission.enabled in the search box and click the Search icon to search for this parameter.
    2. Set the alluxio.security.authorization.permission.enabled parameter to TRUE.
    3. Click Save.
    4. In the Confirm Changes dialog box, specify Description and click OK.
  4. Restart the Alluxio service.
    1. In the upper-right corner of the Alluxio service page, choose Actions > Restart All Components.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.

Enable log audit

Alluxio provides the log audit feature, which allows you to view and track user access to file metadata. The audit information is stored in the master_audit.log file in the /mnt/disk1/log/alluxio/ directory.

By default, log audit is disabled for Alluxio. To enable log audit, perform the following steps:

  1. Go to the Alluxio service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane of the Cluster Overview page, choose Cluster Service > Alluxio.
  2. On the Alluxio service page, click the Configure tab.
  3. Enable log audit.
    1. In the Configuration Filter section, enter alluxio.master.audit.logging.enabled in the search box and click the Search icon to search for this parameter.
    2. Set the alluxio.master.audit.logging.enabled parameter to TRUE.
    3. Click Save.
    4. In the Confirm Changes dialog box, specify Description and click OK.
  4. Restart the Alluxio service.
    1. In the upper-right corner of the Alluxio service page, choose Actions > Restart All Components.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.
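
The following Python script is an added example, not part of the original topic or of Alluxio. It shows how entries in master_audit.log can be reviewed for requests that the permission check rejected after authorization and log audit are both enabled. The entry layout (key=value fields named succeeded, allowed, ugi, ip, cmd, src, dst, and perm) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed field names of one audit entry; compare them with your own
# master_audit.log before relying on this parser.
KEYS = "succeeded|allowed|ugi|ip|cmd|src|dst|perm"
# A value runs until the next known key (after tabs or spaces) or end of line.
FIELD = re.compile(rf"\b({KEYS})=(.*?)(?=\s+(?:{KEYS})=|\s*$)")

# Constructed sample lines (not taken from a real cluster).
SAMPLE = [
    "2024-05-01 10:00:01 succeeded=true\tallowed=true\tugi=hadoop,hadoop (AUTH=SIMPLE)\tip=/10.0.0.11:40112\tcmd=createDirectory\tsrc=/warehouse/tmp\tdst=null\tperm=hadoop:hadoop:rwxr-xr-x",
    "2024-05-01 10:00:03 succeeded=false\tallowed=false\tugi=etl_user,etl (AUTH=SIMPLE)\tip=/10.0.0.27:51820\tcmd=delete\tsrc=/warehouse/finance/q1.parquet\tdst=null\tperm=null",
    "2024-05-01 10:00:04 succeeded=false\tallowed=false\tugi=etl_user,etl (AUTH=SIMPLE)\tip=/10.0.0.27:51820\tcmd=setAttribute\tsrc=/warehouse/finance\tdst=null\tperm=null",
    "2024-05-01 10:00:05 some unrelated log message without audit fields",
    "2024-05-01 10:00:06 succeeded=true\tallowed=true\tugi=analyst,bi (AUTH=SIMPLE)\tip=/10.0.0.35:46001\tcmd=getFileInfo\tsrc=/warehouse/sales/part=2024\tdst=null\tperm=hadoop:hadoop:rwxr-xr-x",
]


def parse_entry(line):
    """Return the audit fields of one line as a dict, or None if it is not an audit entry."""
    fields = dict(FIELD.findall(line))
    return fields if {"allowed", "ugi", "cmd"} <= fields.keys() else None


def denied_requests(lines):
    """Return the entries that the permission check rejected (allowed=false)."""
    entries = (parse_entry(line) for line in lines)
    return [e for e in entries if e and e["allowed"] == "false"]


def denied_by_user(lines):
    """Count rejected requests per user name (the part of ugi before the first comma)."""
    return Counter(re.split(r"[,\s]", e["ugi"])[0] for e in denied_requests(lines))


if __name__ == "__main__":
    for e in denied_requests(SAMPLE):
        print(f'DENIED user={e["ugi"]} ip={e["ip"]} cmd={e["cmd"]} src={e["src"]}')
    print(dict(denied_by_user(SAMPLE)))
```

To review a real cluster, pass the lines of /mnt/disk1/log/alluxio/master_audit.log to denied_requests instead of SAMPLE.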