TLS, Authorization, Authentication - Enabling encryption, authorization and authentication features¶
Pravega ingests application data, which is often sensitive and requires security mechanisms to avoid unauthorized access. To prevent such unauthorized accesses in shared environments, we have enabled mechanisms in Pravega that secure stream data stored in a Pravega cluster. The security documentation covers aspects of our mechanisms and explains how to configure Pravega to enable security.
Following key features are added as part of security implementation:
- Pravega allows administrators to enable encryption for different communication channels using TLS.
- Pravega provides role Based access control which can be availed by a variety of enterprises.
- Pravega performs dynamic implementations of the Authorization/Authentication APIs. See here for more details. Multiple implementations can co-exist and different plugins can be used by different users.
- Multiple mechanisms are enabled by Pravega to the users for specifying auth parameters to the client. See here for more details.
- Components like Bookkeeper, Zookeeper etc., which are deployed with Pravega can be deployed securely with TLS.
PDP-23 discusses various options for this design and anlayzes the pros and cons in detail.