Issue 3599: Part2 - Update documentation about security config parameters (pravega#3606)

* Updates security configuration parameters documentation
to reflect the latest set of parameters and improves the
description of parameters.

Signed-off-by: Ravi Sharda <[email protected]>
Ravi Sharda authored and fpj committed Apr 12, 2019
1 parent 918b188 commit 63f63aa
Showing 1 changed file with 63 additions and 43 deletions.
106 changes: 63 additions & 43 deletions documentation/src/docs/security/pravega-security-configurations.md
@@ -9,46 +9,66 @@ You may obtain a copy of the License at
-->
# Pravega Security Configurations

The following is the list of configuration parameters for different Pravega components.

## Pravega Segment store <a name = "pravega-segment-store"></a>

|Parameter|Details|Default Value|
|---------|-------|-------------|
|pravegaservice.enableTls| Enable TLS on client to segment store connection.|False|
|pravegaservice.certFile|Certificate file used for TLS (public key)| Empty|
|pravegaservice.keyFile|Key file (Private key) used for TLS|Empty|
|autoScale.tlsEnabled| Enable TLS for internal communication between segment store and controller|False|
|autoScale.authEnabled|Enable authorization/authentication for internal communication between segment store and controller|False|
|autoScale.tlsCertFile|Certificate file used for encrypted internal communication between segment store and controller| Empty|
|autoScale.tokenSigningKey|Signing key used to sign the delegation token sent from controller to segment store| Empty|
|bookkeeper.tlsEnabled|Enable TLS for communication between segment store and Apache Bookkeeper| False|
|bookkeeper.tlsTrustStorePath| Truststore for TLS communication between segment store and Apache Bookkeeper| Empty |
|pravegaservice.secureZK|Enable TLS for communication between segment store and Apache Zookeeper| False|
|bookkeeper.zkTrustStore| Truststore for TLS communication between segment store and Apache Zookeeper| Empty |

## Pravega Controller <a name ="pravega-controller"></a>

|Parameter|Details|Default Value|
|---------|-------|-------------|
|config.controller.server.authorizationEnabled|Enable authorization/authentication| False|
|config.controller.server.tlsEnabled|Enable encrypted channel between Pravega client and controller|False|
|config.controller.server.tlsKeyFile|The key file (Private key) for communication between Pravega client and controller|Empty|
|config.controller.server.tlsCertFile|Public key certificate for communication between Pravega client and controller|Empty|
|config.controller.server.tokenSigningKey|Signing key used to sign the delegation token passed on to the segment store|Empty|
|config.controller.server.userPasswordFile|File containing user details for default _auth_ implementation for Pravega (similar to `/etc/passwd`)|Empty|
|config.controller.server.zk.secureConnectionToZooKeeper|Enable TLS for connection to Apache ZooKeeper| False|
|config.controller.server.zk.trustStorePath|Truststore for TLS communications with Apache ZooKeeper| False|

## Pravega Standalone
For ease of use Pravega standalone hides some of the configurations that are mentioned above. Below is the table containing relevant configurations for Pravega Standalone:

|Parameter|Details|Default Value|
|---------|-------|-------------|
|singlenode.enableTls|Enable TLS between all the components deployed within the singlenode| False|
|singlenode.enableAuth|Enable authentication/authorization between all the components within the singlenode |False|
|singlenode.certFile|If TLS is enabled, the public key certificate is used for internal communication between segment store and controller|Empty|
|singlenode.keyFile|If TLS is enabled, this represents the private key by all the server sockets| Empty|
|singlenode.passwdFile|If _auth_ is enabled, this represents the password file for the default _auth_ plugin implementation|Empty|
|singlenode.userName|If _auth_ is enabled, this represents the username used for internal communication between segment store and controller|Empty|
|singlenode.passwd|If _auth_ is enabled, this represents the password used for internal communication between segment store and controller|Empty|
This document describes the security configuration parameters of Pravega, in both **distributed** and **standalone** modes.

## Security Configuration Parameters in Distributed Mode

In the distributed mode, Controllers and Segment Stores are configured individually. The following sub-sections describe
their Transport Layer Security (TLS) and auth (short for authentication and authorization) parameters.


### Segment Store

|Parameter|Description|Default Value|Feature|
|---------|-------|-------------|------------|
| `pravegaservice.enableTls` | Whether to enable TLS for client-server communications. | False | TLS |
| `pravegaservice.certFile` | Path of the X.509 PEM-encoded server certificate file for the service. | Empty | TLS |
| `pravegaservice.keyFile` | Path of the PEM-encoded private key file for the service. | Empty | TLS |
| `pravegaservice.secureZK` | Whether to enable TLS for communication with Apache Zookeeper. | False | TLS |
| `pravegaservice.zkTrustStore` | Path of the truststore file in `.jks` format for TLS connections with Apache Zookeeer. | Empty | TLS |
| `pravegaservice.zkTrustStorePasswordPath` | Path of the file containing the password of the truststore used for TLS connections with Apache Zookeeper. | Empty | TLS |
| `autoScale.tlsEnabled` | Whether to enable TLS for internal communication with the Controllers. | False | TLS |
| `autoScale.tlsCertFile` | Path of the PEM-encoded X.509 certificate file used for TLS connections with the Controllers. | Empty | TLS |
| `autoScale.validateHostName` | Whether to enable hostname verification for TLS connections with the Controllers. | True | TLS |
| `autoScale.authEnabled` | Whether to enable authentication and authorization for internal communications with the Controllers. | False | Auth |
| `autoScale.tokenSigningKey` | The key used for signing the delegation tokens. | Empty | Auth |
| `bookkeeper.tlsEnabled` | Whether to enable TLS for communication with Apache Bookkeeper. | False | TLS |
| `bookkeeper.tlsTrustStorePath` | Path of the truststore file in `.jks` format for TLS connections with Apache Bookkeeper. | Empty | TLS |


### Controller

|Parameter|Details|Default Value|Feature|
|---------|-------|-------------|-------|
| `controller.auth.tlsEnabled` | Whether to enable TLS for client-server communication. | False | TLS |
| `controller.auth.tlsCertFile` | Path of the X.509 PEM-encoded server certificate file for the service. | Empty | TLS |
| `controller.auth.tlsKeyFile` | Path of the PEM-encoded private key file for the service. | Empty | TLS |
| `controller.auth.tlsTrustStore` | Path of the PEM-encoded truststore file for TLS connections with Segment Stores. | Empty | TLS |
| `controller.rest.tlsKeyStoreFile` | Path of the keystore file in `.jks` for the REST interface. | Empty | TLS |
| `controller.rest.tlsKeyStorePasswordFile` | Path of the file containing the keystore password for the REST interface. | Empty | TLS |
| `controller.zk.secureConnection` | Whether to enable TLS for communication with Apache Zookeeper| False | TLS |
| `controller.zk.tlsTrustStoreFile` | Path of the truststore file in `.jks` format for TLS connections with Apache Zookeeer. | Empty | TLS |
| `controller.zk.tlsTrustStorePasswordFile` | Path of the file containing the password of the truststore used for TLS connections with Apache Zookeeper. | Empty | TLS |
| `controller.auth.enabled` | Whether to enable authentication and authorization for clients. | False | Auth |
| `controller.auth.userPasswordFile` | Path of the file containing user credentials and ACLs, for the PasswordAuthHandler.| Empty | Auth |
| `controller.auth.tokenSigningKey` | Key used to sign the delegation tokens for Segment Stores. | Empty | Auth |


## Security Configurations in Standalone Mode

For ease of use, Pravega standalone mode abstracts away some of the configuration parameters of distributed mode. As a result, it has
fewer security configuration parameters to configure.


|Parameter|Details|Default Value|Feature|
|---------|-------|-------------|-------|
| `singlenode.enableTls` | Whether to enable TLS for client-server communications. | False | TLS |
| `singlenode.certFile` | Path of the X.509 PEM-encoded server certificate file for the server. |Empty| TLS |
| `singlenode.keyFile` | Path of the PEM-encoded private key file for the service. | Empty | TLS |
| `singlenode.keyStoreJKS` | Path of the keystore file in `.jks` for the REST interface. | Empty | TLS |
| `singlenode.keyStoreJKSPasswordFile` |Path of the file containing the keystore password for the REST interface. | Empty | TLS |
| `singlenode.trustStoreJKS` | Path of the truststore file for internal TLS connections. | Empty | TLS |
| `singlenode.enableAuth` | Whether to enable authentication and authorization for clients. |False| Auth |
| `singlenode.passwdFile` | Path of the file containing user credentials and ACLs, for the PasswordAuthHandler. |Empty| Auth |
| `singlenode.userName` | The default username used for internal communication between Segment Store and Controller. | Empty| Auth |
| `singlenode.passwd` | The default password used for internal communication between Segment Store and Controller. | Empty| Auth |
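Review bot: the two `tokenSigningKey` rows in the new tables (`autoScale.tokenSigningKey` in the Segment Store table and `controller.auth.tokenSigningKey` in the Controller table) are documented as independent settings, but the old text being removed says the delegation token is signed by the Controller and sent to the Segment Store, so the Segment Store needs the same key to validate it; the Segment Store row should say so, for example: `| \`autoScale.tokenSigningKey\` | Key used to validate the delegation tokens issued by the Controllers; must be the same value as \`controller.auth.tokenSigningKey\`. | Empty | Auth |`. Smaller points in the same hunk: "Zookeeer" is misspelled in the `pravegaservice.zkTrustStore` and `controller.zk.tlsTrustStoreFile` rows; the Segment Store table header says `Description` while the Controller and Standalone tables say `Details`; the `controller.rest.tlsKeyStoreFile` and `singlenode.keyStoreJKS` rows say "keystore file in `.jks`" where the other rows say "in `.jks` format"; the `controller.zk.secureConnection` row is missing the space before its closing `|`. Since every Controller parameter is renamed from `config.controller.server.*` to `controller.*` and the old names disappear entirely, a short note mapping old names to new ones would help operators updating existing configurations.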
