| |
| |
| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| |
| <meta name="description" content="Hadoop Ozone Documentation"> |
| |
| <title>Documentation for Apache Hadoop Ozone</title> |
| |
| |
| <link href="../css/bootstrap.min.css" rel="stylesheet"> |
| |
| |
| <link href="../css/ozonedoc.css" rel="stylesheet"> |
| |
| </head> |
| |
| |
| <body> |
| |
| |
| <nav class="navbar navbar-inverse navbar-fixed-top"> |
| <div class="container-fluid"> |
| <div class="navbar-header"> |
| <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#sidebar" aria-expanded="false" aria-controls="navbar"> |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a href="#" class="navbar-left" style="height: 50px; padding: 5px 5px 5px 0;"> |
| <img src="../ozone-logo-small.png" width="40"/> |
| </a> |
| <a class="navbar-brand hidden-xs" href="#"> |
| Apache Hadoop Ozone/HDDS documentation |
| </a> |
| <a class="navbar-brand visible-xs-inline" href="#">Hadoop Ozone</a> |
| </div> |
| <div id="navbar" class="navbar-collapse collapse"> |
| <ul class="nav navbar-nav navbar-right"> |
| <li><a href="https://github.com/apache/hadoop-ozone">Source</a></li> |
| <li><a href="https://hadoop.apache.org">Apache Hadoop</a></li> |
| <li><a href="https://apache.org">ASF</a></li> |
| </ul> |
| </div> |
| </div> |
| </nav> |
| |
| |
| <div class="container-fluid"> |
| <div class="row"> |
| |
| <div class="col-sm-2 col-md-2 sidebar" id="sidebar"> |
| <ul class="nav nav-sidebar"> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../index.html"> |
| |
| |
| |
| <span>Overview</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../start.html"> |
| |
| |
| |
| <span>Getting Started</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../shell.html"> |
| |
| |
| |
| <span>Command Line Interface</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../interface.html"> |
| |
| |
| |
| <span>Programming Interfaces</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../gdpr.html"> |
| |
| |
| |
| <span>GDPR</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../security.html"> |
| |
| |
| |
| <span>Security</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../concept.html"> |
| |
| |
| |
| <span>Concepts</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../beyond.html"> |
| |
| |
| |
| <span>Beyond Basics</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../tools.html"> |
| |
| |
| |
| <span>Tools</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../recipe.html"> |
| |
| |
| |
| <span>Recipes</span> |
| </a> |
| </li> |
| |
| |
| <li class="visible-xs"><a href="#">References</a> |
| <ul class="nav"> |
| <li><a href="https://github.com/apache/hadoop"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Source</a></li> |
| <li><a href="https://hadoop.apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Apache Hadoop</a></li> |
| <li><a href="https://apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> ASF</a></li> |
| </ul></li> |
| </ul> |
| |
| </div> |
| |
| <div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main"> |
| |
| |
| |
| <div class="col-md-9"> |
| <nav aria-label="breadcrumb"> |
| <ol class="breadcrumb"> |
| <li class="breadcrumb-item"><a href="../">Home</a></li> |
| <li class="breadcrumb-item" aria-current="page"><a href="../security.html">Security</a></li> |
| <li class="breadcrumb-item active" aria-current="page">Securing Ozone</li> |
| </ol> |
| </nav> |
| |
| |
| |
| <div class="pull-right"> |
| |
| |
| |
| </div> |
| |
| |
| <div class="col-md-9"> |
| <h1>Securing Ozone</h1> |
| |
| |
| |
| <!--- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <h1 id="kerberos">Kerberos</h1> |
| |
| <p>Ozone depends on <a href="https://web.mit.edu/kerberos/">Kerberos</a> to secure a |
| cluster. Historically, HDFS has supported running in isolated networks that are assumed |
| to be secure, where it is possible to deploy without securing the cluster itself.</p> |
| |
| <p>This release of Ozone follows that model, but will soon move to <em>secure by |
| default</em>. Today, to enable security in an Ozone cluster, set the configuration |
| property <strong>ozone.security.enabled</strong> to <em>true</em> and |
| <strong>hadoop.security.authentication</strong> to <em>kerberos</em>. Both settings |
| are required.</p> |
| |
| <table> |
| <thead> |
| <tr> |
| <th>Property</th> |
| <th>Value</th> |
| </tr> |
| </thead> |
| |
| <tbody> |
| <tr> |
| <td>ozone.security.enabled</td> |
| <td><em>true</em></td> |
| </tr> |
| |
| <tr> |
| <td>hadoop.security.authentication</td> |
| <td><em>kerberos</em></td> |
| </tr> |
| </tbody> |
| </table> |
| |
| <h1 id="tokens">Tokens</h1> |
| |
| <p>Ozone uses tokens to avoid overburdening the Kerberos KDC. When a cluster serves |
| thousands of requests per second, involving Kerberos in every request does not scale. |
| Hence, once a client has authenticated, Ozone issues delegation tokens and block tokens |
| to it. These tokens allow applications to perform specific operations against the |
| cluster as if they held Kerberos tickets. Ozone supports the following kinds of |
| tokens.</p> |
| |
| <h3 id="delegation-token">Delegation Token</h3> |
| |
| <p>A delegation token allows an application to act on behalf of a user with the |
| identity established by that user's Kerberos credentials, without holding the |
| credentials themselves. The Ozone Manager issues it after verifying the user's Kerberos |
| identity. Delegation tokens are enabled by default when security is enabled.</p> |
| |
| <h3 id="block-token">Block Token</h3> |
| |
| <p>A block token authorizes a client to read or write a specific block. Datanodes need |
| it to verify that the user or client has permission to read or modify that block before |
| serving the request.</p> |
| |
| <h3 id="s3authinfo">S3AuthInfo</h3> |
| |
| <p>S3 uses a very different, shared-secret security scheme: requests are signed with a |
| secret access key rather than authenticated with Kerberos. Ozone supports the AWS |
| Signature Version 4 protocol, so from the end user's perspective Ozone's S3 interface |
| behaves like AWS S3.</p> |
| |
| <p>The S3 credential tokens are called S3 auth info in the code. These tokens are |
| also enabled by default when security is enabled.</p> |
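| <p>The following is an added illustration of that shared-secret scheme, not code from Ozone's S3 gateway or its S3AuthInfo handling. A client derives the Signature Version 4 signing key from its secret key and signs a request; the gateway-side check looks the secret up by access key, recomputes the signature over the same canonical request, compares it in constant time, and rejects requests whose x-amz-date lies outside a 15-minute window. The access key, secret key, host name and request are constructed for the example, the credential table stands in for wherever a real gateway keeps its secrets, and header canonicalization is simplified (one value per header, query string assumed already encoded and sorted).</p> |

```python
# Added illustration of the AWS Signature Version 4 shared-secret scheme an S3 gateway
# speaks. Not Ozone's S3 gateway or S3AuthInfo code; the credentials, host name and
# request below are constructed for the example.
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

ALGORITHM = "AWS4-HMAC-SHA256"
AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"
MAX_CLOCK_SKEW_S = 15 * 60  # replay window: SigV4 services reject timestamps further off than this

# Constructed stand-in for the gateway's credential store (access key -> secret key).
CREDENTIAL_STORE: Dict[str, str] = {"AKIAEXAMPLE0001": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

# Constructed request headers; S3 also signs the payload hash as a header.
SAMPLE_HEADERS: Dict[str, str] = {
    "host": "s3g.example.com",
    "x-amz-date": "20240501T120000Z",
    "x-amz-content-sha256": hashlib.sha256(b"").hexdigest(),
}

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    return _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")

def canonical_request(method: str, uri: str, query: str,
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    # Simplified canonicalization: lower-cased, sorted headers with collapsed whitespace;
    # the query string is assumed to be URI-encoded and sorted already.
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(canon)
    header_block = "".join(f"{n}:{canon[n]}\n" for n in names)
    creq = "\n".join([method, uri, query, header_block, ";".join(names), _sha256_hex(payload)])
    return creq, ";".join(names)

def sign_request(access_key: str, secret_key: str, method: str, uri: str, query: str,
                 headers: Dict[str, str], payload: bytes,
                 region: str = "us-east-1", service: str = "s3") -> str:
    """Client side: compute the Authorization header; the secret key never leaves the client."""
    amz_date = headers["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, uri, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    sig = hmac.new(signing_key(secret_key, amz_date[:8], region, service),
                   string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={sig}"

def parse_authorization(value: str) -> Optional[Dict[str, str]]:
    if not value.startswith(ALGORITHM + " "):
        return None
    fields = {}
    for part in value[len(ALGORITHM) + 1:].split(","):
        key, _, val = part.strip().partition("=")
        fields[key] = val
    return fields if {"Credential", "SignedHeaders", "Signature"} <= set(fields) else None

def _fresh(amz_date: str, now: Optional[str]) -> bool:
    try:
        t_req = datetime.strptime(amz_date, AMZ_DATE_FMT)
        t_now = (datetime.strptime(now, AMZ_DATE_FMT) if now
                 else datetime.now(timezone.utc).replace(tzinfo=None))
    except ValueError:
        return False
    return abs((t_now - t_req).total_seconds()) <= MAX_CLOCK_SKEW_S

def verify_request(authorization: str, method: str, uri: str, query: str,
                   headers: Dict[str, str], payload: bytes, now: Optional[str] = None) -> bool:
    """Gateway side: look the secret up by access key, recompute, compare in constant time."""
    fields = parse_authorization(authorization)
    if fields is None:
        return False
    cred = fields["Credential"].split("/")
    if len(cred) != 5 or cred[4] != "aws4_request":
        return False
    access_key, date, region, service, _ = cred
    secret = CREDENTIAL_STORE.get(access_key)
    if secret is None:
        return False  # unknown access key: never fall back to a default secret
    lowered = {k.lower(): v for k, v in headers.items()}
    signed = fields["SignedHeaders"].split(";")
    # host and x-amz-date must be signed and every declared header present; headers the
    # client did not declare are not covered by the signature at all.
    if "host" not in signed or "x-amz-date" not in signed or any(n not in lowered for n in signed):
        return False
    if not lowered["x-amz-date"].startswith(date) or not _fresh(lowered["x-amz-date"], now):
        return False
    subset = {n: lowered[n] for n in signed}
    expected = parse_authorization(sign_request(access_key, secret, method, uri, query,
                                                subset, payload, region, service))
    return hmac.compare_digest(expected["Signature"], fields["Signature"])
```

| <p>Two points for an operator follow from this: the secret key is never sent, so the gateway's store of secrets is what has to be protected, and only headers the client lists in SignedHeaders are covered by the signature, so anything the gateway relies on for authorization must be among them.</p> |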
| |
| <h1 id="service-principals-and-keytabs">Service principals and keytabs</h1> |
| |
| <p>Each of the service daemons that make up Ozone needs a Kerberos service |
| principal name and a corresponding <a href="https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html">Kerberos keytab</a> file. |
| The <em>_HOST</em> placeholder in the principal names below is replaced with the local |
| hostname when the daemon starts, so one configuration file can be shared across hosts. |
| A keytab holds the principal's long-term keys and is equivalent to its password, so each |
| keytab file should be owned by, and readable only by, the account the daemon runs as.</p> |
| |
| <p>All these settings should be made in ozone-site.xml.</p> |
| |
| <div class="card-group"> |
| <div class="card"> |
| <div class="card-body"> |
| <h3 class="card-title">Storage Container Manager</h3> |
| <p class="card-text"> |
| SCM requires two Kerberos principals, and the corresponding keytab files |
| for both of these principals. |
| </p> |
| <table class="table table-dark"> |
| <thead> |
| <tr> |
| <th scope="col">Property</th> |
| <th scope="col">Description</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td>hdds.scm.kerberos.principal</td> |
| <td>The SCM service principal. <br/> e.g. scm/_HOST@REALM.COM</td> |
| </tr> |
| <tr> |
| <td>hdds.scm.kerberos.keytab.file</td> |
| <td>The keytab file used by the SCM daemon to log in as its service principal.</td> |
| </tr> |
| <tr> |
| <td>hdds.scm.http.kerberos.principal</td> |
| <td>The SCM HTTP server service principal. <br/> e.g. HTTP/_HOST@REALM.COM</td> |
| </tr> |
| <tr> |
| <td>hdds.scm.http.kerberos.keytab</td> |
| <td>The keytab file used by the SCM HTTP server to log in as its service principal.</td> |
| </tr> |
| </tbody> |
| </table> |
| </div> |
| </div> |
| <div class="card"> |
| <div class="card-body"> |
| <h3 class="card-title">Ozone Manager</h3> |
| <p class="card-text"> |
| Like SCM, OM also requires two Kerberos principals, and the |
| corresponding keytab files for both of these principals. |
| </p> |
| <table class="table table-dark"> |
| <thead> |
| <tr> |
| <th scope="col">Property</th> |
| <th scope="col">Description</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td>ozone.om.kerberos.principal</td> |
| <td>The Ozone Manager service principal. <br/> e.g. om/_HOST@REALM.COM</td> |
| </tr> |
| <tr> |
| <td>ozone.om.kerberos.keytab.file</td> |
| <td>The keytab file used by the OM daemon to log in as its service principal.</td> |
| </tr> |
| <tr> |
| <td>ozone.om.http.kerberos.principal</td> |
| <td>The Ozone Manager HTTP server service principal. <br/> e.g. HTTP/_HOST@REALM.COM</td> |
| </tr> |
| <tr> |
| <td>ozone.om.http.kerberos.keytab</td> |
| <td>The keytab file used by the OM HTTP server to log in as its service principal.</td> |
| </tr> |
| </tbody> |
| </table> |
| </div> |
| </div> |
| <div class="card"> |
| <div class="card-body"> |
| <h3 class="card-title">S3 Gateway</h3> |
| <p class="card-text"> |
| The S3 gateway requires one service principal; the configuration values |
| needed in ozone-site.xml are listed below. |
| </p> |
| <table class="table table-dark"> |
| <thead> |
| <tr> |
| <th scope="col">Property</th> |
| <th scope="col">Description</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td>ozone.s3g.authentication.kerberos.principal</td> |
| <td>The S3 gateway principal. <br/> e.g. HTTP/_HOST@EXAMPLE.COM</td> |
| </tr> |
| <tr> |
| <td>ozone.s3g.keytab.file</td> |
| <td>The keytab file used by the S3 gateway to log in as its service principal.</td> |
| </tr> |
| </tbody> |
| </table> |
| </div> |
| </div> |
| </div> |
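| <p>An added example that ties the two halves of this page together: the two properties that turn security on (Kerberos section) and the principal and keytab properties for SCM, OM and the S3 gateway (tables above). It is not Ozone's own configuration tooling. It parses a Hadoop-style site file and reports what is missing or malformed, using two constructed ozone-site.xml documents, one that leaves the cluster unsecured and one that matches the tables. The realm EXAMPLE.COM and the keytab paths under /etc/security/keytabs are assumptions for the example, and the checks on principal shape and absolute keytab paths are the sanity checks an operator would add, not rules stated by Ozone.</p> |

```python
# Added example: check an ozone-site.xml for the settings this page lists. This is not
# Ozone's own configuration tooling; the two site files below are constructed, and the
# realm EXAMPLE.COM and the /etc/security/keytabs paths are assumptions.
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# The two properties that turn security on (Kerberos section above).
REQUIRED_FLAGS = {"ozone.security.enabled": "true",
                  "hadoop.security.authentication": "kerberos"}

# Principal/keytab property pairs per daemon, as listed in the tables above.
PRINCIPAL_KEYTAB_PAIRS = {
    "SCM": [("hdds.scm.kerberos.principal", "hdds.scm.kerberos.keytab.file"),
            ("hdds.scm.http.kerberos.principal", "hdds.scm.http.kerberos.keytab")],
    "OM": [("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file"),
           ("ozone.om.http.kerberos.principal", "ozone.om.http.kerberos.keytab")],
    "S3G": [("ozone.s3g.authentication.kerberos.principal", "ozone.s3g.keytab.file")],
}

# service/host@REALM, the shape every example on this page uses (host may be _HOST).
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$")

UNSECURED_SITE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>ozone.security.enabled</name><value>false</value></property>
</configuration>
"""

SECURED_SITE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hdds.scm.kerberos.principal</name><value>scm/_HOST@EXAMPLE.COM</value></property>
  <property><name>hdds.scm.kerberos.keytab.file</name><value>/etc/security/keytabs/scm.keytab</value></property>
  <property><name>hdds.scm.http.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>hdds.scm.http.kerberos.keytab</name><value>/etc/security/keytabs/HTTP.keytab</value></property>
  <property><name>ozone.om.kerberos.principal</name><value>om/_HOST@EXAMPLE.COM</value></property>
  <property><name>ozone.om.kerberos.keytab.file</name><value>/etc/security/keytabs/om.keytab</value></property>
  <property><name>ozone.om.http.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>ozone.om.http.kerberos.keytab</name><value>/etc/security/keytabs/HTTP.keytab</value></property>
  <property><name>ozone.s3g.authentication.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>ozone.s3g.keytab.file</name><value>/etc/security/keytabs/HTTP.keytab</value></property>
</configuration>
"""


def parse_site_xml(text: str) -> Dict[str, str]:
    """Read Hadoop-style <configuration><property><name/><value/></property> into a dict."""
    props: Dict[str, str] = {}
    # A site file is local and admin-written, so the stdlib parser is acceptable here.
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_security(props: Dict[str, str], daemons: Iterable[str] = ("SCM", "OM", "S3G")) -> List[str]:
    """Return findings; an empty list means every property this page lists is set sensibly."""
    findings: List[str] = []
    for name, wanted in REQUIRED_FLAGS.items():
        got = props.get(name)
        if got is None:
            findings.append(f"{name} is not set")
        elif got.lower() != wanted:
            findings.append(f"{name}={got!r}, expected {wanted!r}")
    for daemon in daemons:
        for principal_key, keytab_key in PRINCIPAL_KEYTAB_PAIRS[daemon]:
            principal = props.get(principal_key, "")
            keytab = props.get(keytab_key, "")
            if not principal:
                findings.append(f"{daemon}: {principal_key} is not set")
            elif not PRINCIPAL_RE.match(principal):
                findings.append(f"{daemon}: {principal_key}={principal!r} is not of the form service/host@REALM")
            if not keytab:
                findings.append(f"{daemon}: {keytab_key} is not set")
            elif not keytab.startswith("/"):
                findings.append(f"{daemon}: {keytab_key}={keytab!r} should be an absolute path")
    return findings
```

| <p>Run check_security on the parsed file before starting the daemons; an empty list means every property this page lists is present, principals have the service/host@REALM shape and keytab paths are absolute. It does not verify that the keytab files exist, are readable only by the daemon's account, or actually contain the named principals; klist -kt on each host answers the last of those.</p> |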
| |
| |
| |
| <a class="btn btn-success btn-lg" href="../security/securingdatanodes.html">Next >></a> |
| |
| </div> |
| |
| </div> |
| </div> |
| </div> |
| </div> |
| |
| |
| |
| |
| <script src="../js/jquery-3.4.1.min.js"></script> |
| <script src="../js/ozonedoc.js"></script> |
| <script src="../js/bootstrap.min.js"></script> |
| |
| |
| </body> |
| |
| </html> |