Pravega Security Configurations¶
This document describes the security configuration parameters of Pravega, in both distributed and standalone modes.
Security Configuration Parameters in Distributed Mode¶
In the distributed mode, Controllers and Segment Stores are configured via separate sets of parameters.
These parameters may be specified via configuration files or Java system properties. Alternatively, you may use environment variables to configure them.
The following sub-sections describe their Transport Layer Security (TLS) and auth (short for authentication and authorization) parameters.
Controller¶
| Parameter (Corresponding Environment Variable) | Details | Default Value | Feature |
|---|---|---|---|
controller.auth.tlsEnabled (TLS_ENABLED) |
Whether to enable TLS for client-server communication. | False | TLS |
controller.auth.segmentStoreTlsEnabled (TLS_ENABLED_FOR_SEGMENT_STORE) |
Whether to enable TLS for communications with Segment Store, even if TLS is disabled for the Controller. This is only useful in cases where the Controller has TLS disabled, but the Segment Store has it enabled. | False | TLS |
controller.auth.tlsCertFile (TLS_CERT_FILE) |
Path of the X.509 PEM-encoded server certificate file for the service. | Empty | TLS |
controller.auth.tlsKeyFile (TLS_KEY_FILE) |
Path of the PEM-encoded private key file for the service. | Empty | TLS |
controller.auth.tlsTrustStore (TLS_TRUST_STORE) |
Path of the PEM-encoded truststore file for TLS connections with Segment Stores. | Empty | TLS |
controller.rest.tlsKeyStoreFile (REST_KEYSTORE_FILE_PATH) |
Path of the keystore file in .jks for the REST interface. |
Empty | TLS |
controller.rest.tlsKeyStorePasswordFile (REST_KEYSTORE_PASSWORD_FILE_PATH) |
Path of the file containing the keystore password for the REST interface. | Empty | TLS |
controller.zk.secureConnection (SECURE_ZK) |
Whether to enable TLS for communication with Apache Zookeeper | False | TLS |
controller.zk.tlsTrustStoreFile (ZK_TRUSTSTORE_FILE_PATH) |
Path of the truststore file in .jks format for TLS connections with Apache Zookeeer. |
Empty | TLS |
controller.zk.tlsTrustStorePasswordFile (ZK_TRUSTSTORE_PASSWORD_FILE_PATH) |
Path of the file containing the password of the truststore used for TLS connections with Apache Zookeeper. | Empty | TLS |
controller.auth.enabled (AUTHORIZATION_ENABLED) |
Whether to enable authentication and authorization for clients. | False | Auth |
controller.auth.userPasswordFile (USER_PASSWORD_FILE) |
Path of the file containing user credentials and ACLs, for the PasswordAuthHandler. | Empty | Auth |
controller.auth.tokenSigningKey (TOKEN_SIGNING_KEY) |
Key used to sign the delegation tokens for Segment Stores. | Empty | Auth |
Segment Store¶
| Parameter (Corresponding Environment Variable | Description | Default Value | Feature |
|---|---|---|---|
pravegaservice.enableTls (ENABLE_TLS) |
Whether to enable TLS for client-server communications. | False | TLS |
pravegaservice.enableTlsReload (ENABLE_TLS_RELOAD) |
Whether to automatically reload SSL/TLS context if the server certificate is updated. | False | TLS |
pravegaservice.certFile (CERT_FILE) |
Path of the X.509 PEM-encoded server certificate file for the service. | Empty | TLS |
pravegaservice.keyFile (KEY_FILE) |
Path of the PEM-encoded private key file for the service. | Empty | TLS |
pravegaservice.secureZK (SECURE_ZK) |
Whether to enable TLS for communication with Apache Zookeeper. | False | TLS |
pravegaservice.zkTrustStore (ZK_TRUSTSTORE_LOCATION) |
Path of the truststore file in .jks format for TLS connections with Apache Zookeeer. |
Empty | TLS |
pravegaservice.zkTrustStorePasswordPath (ZK_TRUST_STORE_PASSWORD_PATH) |
Path of the file containing the password of the truststore used for TLS connections with Apache Zookeeper. | Empty | TLS |
autoScale.tlsEnabled (TLS_ENABLED) |
Whether to enable TLS for internal communication with the Controllers. | False | TLS |
autoScale.tlsCertFile (TLS_CERT_FILE) |
Path of the PEM-encoded X.509 certificate file used for TLS connections with the Controllers. | Empty | TLS |
autoScale.validateHostName (VALIDATE_HOSTNAME) |
Whether to enable hostname verification for TLS connections with the Controllers. | True | TLS |
autoScale.authEnabled (AUTH_ENABLED) |
Whether to enable authentication and authorization for internal communications with the Controllers. | False | Auth |
autoScale.tokenSigningKey (TOKEN_SIGNING_KEY) |
The key used for signing the delegation tokens. | Empty | Auth |
bookkeeper.tlsEnabled (BK_TLS_ENABLED) |
Whether to enable TLS for communication with Apache Bookkeeper. | False | TLS |
bookkeeper.tlsTrustStorePath (TLS_TRUST_STORE_PATH) |
Path of the truststore file in .jks format for TLS connections with Apache Bookkeeper. |
Empty | TLS |
pravega.client.auth.loadDynamic (pravega_client_auth_loadDynamic) |
Whether to load a credentials object dynamically from a class available in Classpath. | false | Auth |
pravega.client.auth.token (pravega_client_auth_method) |
The token to use by the Auto Scale Processor when communicating with Controller. | Empty | Auth |
pravega.client.auth.method (pravega_client_auth_token) |
The auth method to use by the Auto Scale Processor when communicating with Controller. |
Empty | Auth |
Security Configurations in Standalone Mode¶
For ease of use, Pravega standalone mode abstracts away some of the configuration parameters of distributed mode. As a result, it has fewer security configuration parameters to configure.
| Parameter | Details | Default Value | Feature |
|---|---|---|---|
singlenode.enableTls |
Whether to enable TLS for client-server communications. | False | TLS |
singlenode.certFile |
Path of the X.509 PEM-encoded server certificate file for the server. | Empty | TLS |
singlenode.keyFile |
Path of the PEM-encoded private key file for the service. | Empty | TLS |
singlenode.keyStoreJKS |
Path of the keystore file in .jks for the REST interface. |
Empty | TLS |
singlenode.keyStoreJKSPasswordFile |
Path of the file containing the keystore password for the REST interface. | Empty | TLS |
singlenode.trustStoreJKS |
Path of the truststore file for internal TLS connections. | Empty | TLS |
singlenode.enableAuth |
Whether to enable authentication and authorization for clients. | False | Auth |
singlenode.passwdFile |
Path of the file containing user credentials and ACLs, for the PasswordAuthHandler. | Empty | Auth |
singlenode.userName |
The default username used for internal communication between Segment Store and Controller. | Empty | Auth |
singlenode.passwd |
The default password used for internal communication between Segment Store and Controller. | Empty | Auth |
singlenode.segmentstoreEnableTlsReload |
Whether to automatically reload SSL/TLS context if the server certificate is updated. | False | TLS |