Support for Authentication
Last updated: 2025-01-03 14:56:32
Authentication is not required when Alluxio users access data from COS, HDFS, or CHDFS in the existing unified namespace or access the data cached in Alluxio through Transparent-URI; that is, any user can get the data as long as they get the URI. In view of this, EMR-Alluxio improves authentication based on Ranger and COSRanger.
Note
To configure the authentication feature, make sure that the cluster is integrated with the following components:
If only HDFS is mounted to Alluxio, you need to integrate the Ranger component.
If COS and CHDFS are mounted to Alluxio, you need to integrate the COSRanger component.
Supported Versions
Supported service component version: Alluxio v2.8.0.
Product version: Hadoop 3.x Standard EMR v3.4.0.
Configuring Authentication
Prerequisite configuration
# Add the `ranger-hive-security.xml` configuration item in the Hive componentranger.plugin.hive.urlauth.filesystem.schemes==hdfs:,file:,wasb:,adl:,alluxio:# Add the `hive.properties` configuration item in the Presto componenthive.hdfs.authentication.type=NONEhive.metastore.authentication.type=NONEhive.hdfs.impersonation.enabled=truehive.metastore.thrift.impersonation.enabled=true
Note
The above prerequisite configuration items need to be configured based on the existing components in your cluster.
HDFS authentication
Create a soft link to the Ranger configuration file as follows:
[hadoop@172 conf]$ pwd/usr/local/service/alluxio/conf[hadoop@172 conf]$ ln -s /usr/local/service/hadoop/etc/hadoop/ranger-hdfs-audit.xmlranger-hdfs-audit.xml[hadoop@172 conf]$ ln -s /usr/local/service/hadoop/etc/hadoop/ranger-hdfs-security.xml ranger-hdfs-security.xml
Configure
alluxio-site.properties
We recommend you deliver the cluster configuration in the EMR console.# Authentication switch (`false` by default)alluxio.security.authorization.plugins.enabled=truealluxio.security.authorization.plugin.name=rangeralluxio.security.authorization.plugin.paths=/usr/local/service/alluxio/confalluxio.underfs.security.authorization.plugin.name=rangeralluxio.underfs.security.authorization.plugin.paths=/usr/local/service/alluxio/confalluxio.master.security.impersonation.hadoop.users=*alluxio.security.login.impersonation.username=_HDFS_USER_
Note
You need to restart the Alluxio service after the delivery is completed.
COS and CHDFS authentication
# Add the `core-site.xml` configuration itemfs.ofs.ranger.enable.flag=true
Configure
alluxio-site.properties
We recommend you deliver the cluster configuration in the EMR console.# Authentication switch (`false` by default)# Authentication switch (`false` by default)alluxio.security.authorization.plugins.enabled=truealluxio.security.authorization.plugin.name=rangeralluxio.security.authorization.plugin.paths=/usr/local/service/alluxio/confalluxio.underfs.security.authorization.plugin.name=rangeralluxio.underfs.security.authorization.plugin.paths=/usr/local/service/alluxio/confalluxio.cos.qcloud.object.storage.ranger.service.config.dir=/usr/local/service/cosranger/confalluxio.master.security.impersonation.hadoop.users=*alluxio.security.login.impersonation.username=_HDFS_USER_# The number of retries is 5 by default.alluxio.cos.qcloud.object.storage.permission.check.max.retry=5
Note
You need to restart the Alluxio service after the delivery is completed.
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No