E-MapReduce: Configure permissions

Last Updated: Mar 26, 2026

E-MapReduce (EMR) supports three Alluxio security features: authentication, authorization, and audit logging. Authentication is always active. Authorization and audit logging are disabled by default and must be enabled separately.

| Feature | Default | What it does |
| --- | --- | --- |
| Authentication | Enabled (SIMPLE) | Verifies user identity before granting access |
| Authorization | Disabled | Enforces POSIX-style file and directory permissions |
| Audit logging | Disabled | Records all user access to file metadata |

Prerequisites

Before you begin, ensure that you have:

  • An EMR Hadoop cluster with Alluxio selected as an optional service. See Create a cluster.

Authentication

Alluxio supports three authentication modes:

| Mode | Authentication | Description |
| --- | --- | --- |
| SIMPLE | Enabled | The client reads the OS login username and includes it in each request. The server uses this to identify the user. If alluxio.security.login.username is set on the client, that value overrides the OS username. When a client creates a file or directory, the username is stored in metadata. |
| NOSASL | Disabled | The service ignores the client identity. |
| CUSTOM | Enabled | Uses a custom authenticator class. |

SIMPLE is the default. To switch modes, update the authentication configuration and restart Alluxio. For the full configuration reference, see the Alluxio documentation.

Enable authorization

Alluxio authorization uses a permission model similar to POSIX: each file and directory has an owner, a group, and a permission mask. Alluxio allows or denies access based on the authenticated user identity.

  1. Go to the Alluxio service page.

    1. Log on to the Alibaba Cloud EMR console.

    2. In the top navigation bar, select the region where your cluster resides and select a resource group.

    3. Click the Cluster Management tab.

    4. Find your cluster and click Details in the Actions column.

    5. In the left-side navigation pane, choose Cluster Service > Alluxio.

  2. Click the Configure tab.

  3. In the Configuration Filter search box, enter alluxio.security.authorization.permission.enabled and click the Search icon.

  4. Set the parameter to TRUE.

  5. Click Save.

  6. In the Confirm Changes dialog box, enter a description and click OK.

  7. Restart the Alluxio service.

    1. In the upper-right corner, choose Actions > Restart All Components.

    2. In the Cluster Activities dialog box, enter a description and click OK.

    3. In the confirmation message, click OK.

Enable audit logging

Alluxio writes an audit log entry for every user access to file metadata. Entries are written to master_audit.log in /mnt/disk1/log/alluxio/.

To enable audit logging:

  1. Go to the Alluxio service page.

    1. Log on to the Alibaba Cloud EMR console.

    2. In the top navigation bar, select the region where your cluster resides and select a resource group.

    3. Click the Cluster Management tab.

    4. Find your cluster and click Details in the Actions column.

    5. In the left-side navigation pane, choose Cluster Service > Alluxio.

  2. Click the Configure tab.

  3. In the Configuration Filter search box, enter alluxio.master.audit.logging.enabled and click the Search icon.

  4. Set the parameter to TRUE.

  5. Click Save.

  6. In the Confirm Changes dialog box, enter a description and click OK.

  7. Restart the Alluxio service.

    1. In the upper-right corner, choose Actions > Restart All Components.

    2. In the Cluster Activities dialog box, enter a description and click OK.

    3. In the confirmation message, click OK.
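
To confirm the result of the procedures above, the following added example (not part of the original page or of Alibaba Cloud's tooling) reads the text of an alluxio-site.properties file and reports every setting that is weaker than the state this page configures. It assumes plain key=value lines; the property name alluxio.security.authentication.type comes from Alluxio's configuration reference rather than this page, and the sample input is constructed.

```python
# Added example: audit Alluxio security settings; defaults follow this page's feature table.
AUTH_TYPE = "alluxio.security.authentication.type"  # assumption: from Alluxio's config reference
AUTHZ = "alluxio.security.authorization.permission.enabled"
AUDIT = "alluxio.master.audit.logging.enabled"
LOGIN_USER = "alluxio.security.login.username"
EMR_DEFAULTS = {AUTH_TYPE: "SIMPLE", AUTHZ: "false", AUDIT: "false"}

SAMPLE = """\
# constructed sample, not taken from a real cluster
alluxio.security.authentication.type=NOSASL
alluxio.security.authorization.permission.enabled=TRUE
"""


def parse_properties(text):
    """Parse key=value lines; comments are skipped and a later duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_security(text):
    """Return (property, finding) pairs for each setting that needs attention."""
    effective = {**EMR_DEFAULTS, **parse_properties(text)}
    findings = []
    auth = effective[AUTH_TYPE].upper()
    if auth == "NOSASL":
        findings.append((AUTH_TYPE, "NOSASL: the service ignores the client identity"))
    elif auth not in ("SIMPLE", "CUSTOM"):
        findings.append((AUTH_TYPE, f"{auth!r} is not one of the modes listed on this page"))
    if effective[AUTHZ].lower() != "true":
        findings.append((AUTHZ, "disabled: POSIX-style permissions are not enforced"))
    elif auth == "NOSASL":
        findings.append((AUTHZ, "enabled, but NOSASL leaves no client identity to check"))
    if effective[AUDIT].lower() != "true":
        findings.append((AUDIT, "disabled: metadata access is not recorded"))
    if LOGIN_USER in effective:  # client-side override of the OS login name
        findings.append((LOGIN_USER, f"requests carry {effective[LOGIN_USER]!r}"))
    return findings


if __name__ == "__main__":
    print(*audit_security(SAMPLE), sep="\n")
```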