Pravega Security Configurations
This document describes the security configuration parameters of Pravega, in both distributed and standalone modes.
Table of Contents:
Security Configuration Parameters in Distributed Mode
In the distributed mode, Controllers and Segment Stores are configured via separate sets of parameters.
These parameters may be specified via configuration files or Java system properties. Alternatively, you may use environment variables to configure them.
The following sub-sections describe
their Transport Layer Security (TLS) and auth (short for authentication and authorization) parameters.
Controller TLS Configuration Parameters
- controller.security.tls.enable
| Property |
Value |
| Description: |
Whether to enable TLS for client-server communication. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
controller.auth.tlsEnabled (deprecated) |
- controller.security.tls.server.certificate.location
| Property |
Value |
| Description: |
Path of the PEM-encoded file that contains a TLS certificate to use for securing the server's gRPC interface. The TLS certificate contains the public key of the server. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/server/server1-cert.crt |
| Old name: |
controller.auth.tlsCertFile (deprecated) |
- controller.security.tls.server.privateKey.location
| Property |
Value |
| Description: |
Path of the PEM-encoded file that contains the private key associated with the server's public key bound in its TLS certificate. This file must be kept private and secured to avoid compromise of TLS security. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/server/server1-privateKey.key |
| Old name: |
controller.auth.tlsKeyFile (deprecated) |
- controller.security.tls.server.keyStore.location
| Property |
Value |
| Description: |
Path of the .jks file that contains the TLS material used for securing the Controller's REST interface. It contains the server's public key certificate and the associated pivate key, as well as the CA's certificate. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/server/server1-keystore.jks |
| Old name: |
controller.rest.tlsKeyStoreFile (deprecated) |
- controller.security.tls.server.keyStore.pwd.location
| Property |
Value |
| Description: |
Path of the file containing the password for the keystore specified via controller.security.tls.server.keyStore.location. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/server/server1-keystore.pwd |
| Old name: |
controller.rest.tlsKeyStorePasswordFile (deprecated) |
- controller.security.tls.trustStore.location
| Property |
Value |
| Description: |
Path of the PEM-encoded file that contains the certificates that the server should trust, when connecting to other services like Segment Store and instances. Typically, it contains the public key certificate of the CA that has signed the services' certificates. It may alternatively contain the service's certificates directly. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/client/truststore.crt |
| Old name: |
controller.auth.tlsTrustStore (deprecated) |
- controller.segmentstore.connect.channel.tls
| Property |
Value |
| Description: |
Whether to enable TLS for communications with Segment Store, even if TLS is disabled for the Controller. This is useful in cases where the Controller has TLS disabled, but the Segment Store has it enabled. |
| Type: |
string |
| Default: |
Same as that of controller.security.tls.enable |
| Valid values: |
{true, false, ``} |
| Old name: |
controller.auth.segmentStoreTlsEnabled (deprecated) |
- controller.zk.connect.security.enable
| Property |
Value |
| Description: |
Whether to enable security for communications with Apache Zookeeper. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
controller.zk.secureConnection (deprecated) |
- controller.zk.connect.security.tls.trustStore.location
| Property |
Value |
| Description: |
Path of the truststore file in .jks format for TLS connections with Apache Zookeeer. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/client/zookeeper.truststore.crt |
| Old name: |
controller.zk.tlsTrustStoreFile (deprecated) |
- controller.zk.connect.security.tls.trustStore.pwd.location
| Property |
Value |
| Description: |
Path of the file containing the password of the truststore specified via controller.zk.connect.security.tls.trustStore.location. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/client/zookeeper.truststore.pwd |
| Old name: |
controller.zk.tlsTrustStoreFile (deprecated) |
Controller Authentication and Authorization Configuration Parameters
- controller.security.auth.enable
| Property |
Value |
| Description: |
Whether to enable authentication and authorization (Auth) for clients. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
controller.auth.enabled (deprecated) |
- controller.security.auth.delegationToken.signingKey.basis
| Property |
Value |
| Description: |
String used to generate the key used for signing delegation tokens. |
| Type: |
string |
| Default: |
None |
| Sample value: |
super-secret-key |
| Old name: |
controller.auth.tokenSigningKey (deprecated) |
- controller.security.pwdAuthHandler.accountsDb.location
| Property |
Value |
| Description: |
Path of the file containing a listing of user accounts and their permissions. This file is used by the Password Auth Handler (the built-in Auth Handler implementation). |
| Type: |
string |
| Default: |
None |
| Sample value: |
`/path/to/accountsDB |
| Old name: |
`controller.auth.userPasswordFile (deprecated) |
Segment Store TLS Configuration Parameters
- pravegaservice.security.tls.enable
| Property |
Value |
| Description: |
Whether to enable TLS for client-server communication. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
pravegaservice.enableTls (deprecated) |
- pravegaservice.security.tls.certificate.autoReload.enable
| Property |
Value |
| Description: |
Whether to automatically reload SSL/TLS context if the server certificate file is updated. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
pravegaservice.enableTlsReload (deprecated) |
- pravegaservice.security.tls.server.certificate.location
| Property |
Value |
| Description: |
Path of the PEM-encoded file that contains a TLS certificate to use for securing the server's interface. The TLS certificate contains the public key of the server. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/server/server-cert.crt |
| Old name: |
pravegaservice.certFile (deprecated) |
- pravegaservice.security.tls.server.privateKey.location
| Property |
Value |
| Description: |
Path of the PEM-encoded file that contains the private key associated with the server's public key bound in its TLS certificate. This file must be kept private and secured to avoid compromise of TLS security. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/server/server-privateKey.key |
| Old name: |
pravegaservice.keyFile (deprecated) |
- autoScale.controller.connect.security.tls.enable
| Property |
Value |
| Description: |
Whether to enable TLS for internal communication with the Controllers. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
autoScale.tlsEnabled (deprecated) |
- autoScale.controller.connect.security.tls.truststore.location
| Property |
Value |
| Description: |
Path of the PEM-encoded file that contains the certificates that the server should trust, when connecting to other services like Controller and other instances. Typically, it contains the public key certificate of the CA that has signed the services' certificates. It may alternatively contain the service's certificates directly. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/client/truststore.crt |
| Old name: |
autoScale.tlsCertFile (deprecated) |
- autoScale.controller.connect.security.tls.validateHostName.enable
| Property |
Value |
| Description: |
Whether to enable hostname verification for TLS connections with the Controllers. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
autoScale.validateHostName (deprecated) |
- pravegaservice.zk.connect.security.enable
| Property |
Value |
| Description: |
Whether to enable security for communications with Apache Zookeeper instances. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
pravegaservice.secureZK (deprecated) |
- pravegaservice.zk.connect.security.tls.trustStore.location
| Property |
Value |
| Description: |
Path of the truststore file in .jks format for TLS connections with Apache Zookeeer instances. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/client/zookeeper.truststore.crt |
| Old name: |
pravegaservice.zkTrustStore (deprecated) |
- pravegaservice.zk.connect.security.tls.trustStore.pwd.location
| Property |
Value |
| Description: |
Path of the file containing the password of the truststore specified via pravegaservice.zk.connect.security.tls.trustStore.location. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/client/zookeeper.truststore.pwd |
| Old name: |
pravegaservice.zkTrustStorePasswordPath (deprecated) |
- pravegaservice.bookkeeper.connect.security.enable
| Property |
Value |
| Description: |
Whether to enable security for communications with Apache Bookkeeper instances. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
bookkeeper.tlsEnabled (deprecated) |
- bookkeeper.connect.security.tls.trustStore.location
| Property |
Value |
| Description: |
Path of the truststore file in .jks format for TLS connections with Apache Bookkeeper instances. |
| Type: |
string |
| Default: |
None |
| Sample value: |
/path/to/client/zookeeper.truststore.crt |
| Old name: |
bookkeeper.tlsTrustStorePath (deprecated) |
Segment Store Authentication and Authorization Configuration Parameters
- autoScale.controller.connect.security.auth.enable
| Property |
Value |
| Description: |
Whether to enable authentication and authorization (Auth) for internal communications with the Controllers. |
| Type: |
boolean |
| Default: |
false |
| Valid values: |
{true, false} |
| Old name: |
autoScale.authEnabled (deprecated) |
- autoScale.security.auth.token.signingKey.basis
| Property |
Value |
| Description: |
A string used to generate the key used for signing delegation tokens. This value must be the same that set in controller.security.auth.token.signingKey.basis for Controllers. |
| Type: |
string |
| Default: |
secret |
| Sample value: |
super-secret-key |
| Old name: |
autoScale.tokenSigningKey (deprecated) |
- pravega.client.auth.loadDynamic
| Property |
Value |
| Description: |
Whether to load a credentials object dynamically from a class available in Classpath, for the Auto Scale Processor's authentication to the Controller. |
| Type: |
boolean |
| Default: |
{true, false} |
| Sample value: |
super-secret-key |
| Alternative method: |
pravega_client_auth_loadDynamic (environment variable) |
- pravega.client.auth.method
| Property |
Value |
| Description: |
The auth method to use by the Auto Scale Processor when communicating with Controller. |
| Type: |
string |
| Default: |
None |
| Sample value: |
Basic |
| Alternative method: |
pravega_client_auth_token (environment variable) |
- pravega.client.auth.token
| Property |
Value |
| Description: |
The token to used by the Auto Scale Processor for its authentication to the Controller. The format of the token depends on the pravega.client.auth.method. For Basic authentication method, the value is a Base 64 encoded string of the input string <username>:<password>. |
| Type: |
string |
| Default: |
None |
| Sample value: |
YXV0b1NjYWxlclVzZXIxOnN1cGVyLXNlY3JldC1wYXNzd29yZA== (Base 64 encoded value of credentials in Basic format 'autoScalerUser1:super-secret-password') |
| Alternative method: |
pravega_client_auth_token (environment variable) |
Security Configurations in Standalone Mode
For ease of use, Pravega standalone mode abstracts away some of the configuration parameters of distributed mode. As a result, it has
fewer security configuration parameters to configure.
| Parameter |
Details |
Default |
Feature |
singlenode.security.tls.enable |
Whether to enable TLS for client-server communications. |
false |
TLS |
singlenode.security.tls.certificate.location |
Path of the X.509 PEM-encoded server certificate file for the server. |
None |
TLS |
singlenode.security.tls.privateKey.location |
Path of the PEM-encoded private key file for the service. |
None |
TLS |
singlenode.security.tls.keyStore.location |
Path of the keystore file in .jks for the REST interface. |
None |
TLS |
singlenode.security.tls.keyStore.pwd.location |
Path of the file containing the keystore password for the REST interface. |
None |
TLS |
singlenode.security.tls.trustStore.location |
Path of the truststore file for internal TLS connections. |
None |
TLS |
singlenode.security.auth.enable |
Whether to enable authentication and authorization for clients. |
false |
Auth |
singlenode.security.auth.credentials.username |
The default username used for internal communication between Segment Store and Controller. |
None |
Auth |
singlenode.security.auth.credentials.pwd |
The default password used for internal communication between Segment Store and Controller. |
None |
Auth |
singlenode.security.auth.pwdAuthHandler.accountsDb.location |
Path of the file containing user credentials and ACLs, for the PasswordAuthHandler. |
None |
Auth |
singlenode.segmentStore.tls.certificate.autoReload.enable |
Whether to automatically reload SSL/TLS context if the server certificate is updated. |
false |
TLS |