---
title: "Setup secure ozone cluster"
date: "2019-April-03"
menu:
  main:
    parent: Architecture
    weight: 11
---

# Setup secure ozone cluster

To enable security in an Ozone cluster, set ozone.security.enabled to true.

| Property | Value |
|---|---|
| ozone.security.enabled | true |

## Kerberos

Configuration for service daemons:

| Property | Description |
|---|---|
| hdds.scm.kerberos.principal | The SCM service principal. Ex scm/_HOST@REALM.COM |
| hdds.scm.kerberos.keytab.file | The keytab file used by the SCM daemon to login as its service principal. |
| ozone.om.kerberos.principal | The OzoneManager service principal. Ex om/_HOST@REALM.COM |
| ozone.om.kerberos.keytab.file | The keytab file used by the OM daemon to login as its service principal. |
| hdds.scm.http.kerberos.principal | SCM http server service principal. |
| hdds.scm.http.kerberos.keytab.file | The keytab file used by the SCM http server to login as its service principal. |
| ozone.om.http.kerberos.principal | OzoneManager http server principal. |
| ozone.om.http.kerberos.keytab.file | The keytab file used by the OM http server to login as its service principal. |
| ozone.s3g.keytab.file | The keytab file used by the S3 gateway. Ex /etc/security/keytabs/HTTP.keytab |
| ozone.s3g.authentication.kerberos.principal | S3 Gateway principal. Ex HTTP/_HOST@EXAMPLE.COM |

## Tokens

### Delegation token

Delegation tokens are enabled by default when security is enabled.

### Block Tokens

| Property | Value |
|---|---|
| hdds.block.token.enabled | true |

### S3 Token

S3 tokens are enabled by default when security is enabled. To use S3 tokens, users need to perform the following steps:

* S3 clients should get the access id and user secret from OzoneManager:

```bash
ozone s3 getsecret
```

* Set up the secret in the AWS CLI configuration:

```bash
aws configure set default.s3.signature_version s3v4
aws configure set aws_access_key_id ${accessId}
aws configure set aws_secret_access_key ${secret}
aws configure set region us-west-1
```

## Certificates

Certificates are used internally inside Ozone. They are enabled by default when security is enabled.

## Authorization

The default access authorizer for Ozone approves every request, so it is not suitable for production environments. It is recommended that clusters use the Ranger plugin for Ozone to manage authorization.

| Property | Value |
|---|---|
| ozone.acl.enabled | true |
| ozone.acl.authorizer.class | org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer |

## TDE

To use TDE (Transparent Data Encryption), clients must set the KMS URI.

| Property | Value |
|---|---|
| hadoop.security.key.provider.path | KMS URI. Ex kms://http@kms-host:9600/kms |
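Pulling the settings from the sections above together, here is an added example (not code from the Ozone project) that parses an ozone-site.xml and reports properties that are missing or still on their permissive defaults; the sample configuration embedded in it is constructed for illustration.

```python
# Added example (not Ozone project code): audit an ozone-site.xml for the
# security settings this page describes. SAMPLE below is a constructed config.
import xml.etree.ElementTree as ET

# Properties this page says must be true on a secure cluster.
REQUIRED = {"ozone.security.enabled": "true", "hdds.block.token.enabled": "true",
            "ozone.acl.enabled": "true"}
# The Ranger authorizer named on this page; the default approves every request.
RANGER = "org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer"
# Principal/keytab pairs from the Kerberos table; both halves must be set.
KERBEROS_PAIRS = [
    ("hdds.scm.kerberos.principal", "hdds.scm.kerberos.keytab.file"),
    ("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file"),
    ("hdds.scm.http.kerberos.principal", "hdds.scm.http.kerberos.keytab.file"),
    ("ozone.om.http.kerberos.principal", "ozone.om.http.kerberos.keytab.file"),
    ("ozone.s3g.authentication.kerberos.principal", "ozone.s3g.keytab.file"),
]

def parse_hadoop_conf(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in REQUIRED.items():
        if conf.get(key, "").lower() != want:
            findings.append(f"{key} must be {want} (found {conf.get(key, 'unset')})")
    if conf.get("ozone.acl.authorizer.class") != RANGER:
        findings.append("ozone.acl.authorizer.class is not the Ranger authorizer")
    for principal, keytab in KERBEROS_PAIRS:
        if not conf.get(principal) or not conf.get(keytab):
            findings.append(f"{principal} and {keytab} must both be set")
    if not conf.get("hadoop.security.key.provider.path", "").startswith("kms://"):
        findings.append("hadoop.security.key.provider.path is not a kms:// URI")
    return findings

# Constructed sample: security on, but ACLs left on the default and OM keytab missing.
SAMPLE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hdds.block.token.enabled</name><value>true</value></property>
  <property><name>hdds.scm.kerberos.principal</name><value>scm/_HOST@EXAMPLE.COM</value></property>
  <property><name>hdds.scm.kerberos.keytab.file</name><value>/etc/security/keytabs/scm.keytab</value></property>
  <property><name>ozone.om.kerberos.principal</name><value>om/_HOST@EXAMPLE.COM</value></property>
  <property><name>hadoop.security.key.provider.path</name><value>kms://http@kms-host:9600/kms</value></property>
</configuration>"""
```

Running `audit(parse_hadoop_conf(SAMPLE))` on the sample reports the unset ozone.acl.enabled, the missing Ranger authorizer and the four Kerberos pairs that are incomplete; point it at a real ozone-site.xml by reading the file into the same call.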