Datanodes under Hadoop is traditionally secured by creating a Keytab file on the data nodes. With Ozone, we have moved away to using data node certificates. That is, Kerberos on data nodes is not needed in case of a secure Ozone cluster.
However, we support the legacy Kerberos based Authentication to make it easy for the current set of users.The HDFS configuration keys are the following that is setup in hdfs-site.xml.
| Property | Description |
|---|---|
| dfs.datanode.kerberos.principal | The datanode service principal. e.g. dn/_HOST@REALM.COM |
| dfs.datanode.keytab.file | The keytab file used by datanode daemon to login as its service principal. |
| hdds.datanode.http.kerberos.principal | Datanode http server service principal. |
| hdds.datanode.http.kerberos.keytab | The keytab file used by datanode http server to login as its service principal. |
Under Ozone, when a data node boots up and discovers SCM's address, the first thing that data node does is to create a private key and send a certificate request to the SCM.
Once a certificate is issued, a data node is secure and Ozone manager can issue block tokens. If there is no data node certificates or the SCM‘s root certificate is not present in the data node, then data node will register itself and down load the SCM’s root certificate as well get the certificates for itself.