<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Hadoop Ozone Documentation">
<title>Documentation for Apache Hadoop Ozone</title>
<link href="../css/bootstrap.min.css" rel="stylesheet">
<link href="../css/ozonedoc.css" rel="stylesheet">
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#sidebar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="#" class="navbar-left" style="height: 50px; padding: 5px 5px 5px 0;">
<img src="../ozone-logo-small.png" width="40"/>
</a>
<a class="navbar-brand hidden-xs" href="#">
Apache Hadoop Ozone/HDDS documentation
</a>
<a class="navbar-brand visible-xs-inline" href="#">Hadoop Ozone</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="https://github.com/apache/hadoop-ozone">Source</a></li>
<li><a href="https://hadoop.apache.org">Apache Hadoop</a></li>
<li><a href="https://apache.org">ASF</a></li>
</ul>
</div>
</div>
</nav>
<div class="container-fluid">
<div class="row">
<div class="col-sm-2 col-md-2 sidebar" id="sidebar">
<ul class="nav nav-sidebar">
<li class="">
<a href="../index.html">
<span>Overview</span>
</a>
</li>
<li class="">
<a href="../start.html">
<span>Getting Started</span>
</a>
</li>
<li class="">
<a href="../concept.html">
<span>Architecture</span>
</a>
<ul class="nav">
<li class="">
<a href="../concept/overview.html">Overview</a>
</li>
<li class="">
<a href="../concept/ozonemanager.html">Ozone Manager</a>
</li>
<li class="">
<a href="../concept/storagecontainermanager.html">Storage Container Manager</a>
</li>
<li class="">
<a href="../concept/containers.html">Containers</a>
</li>
<li class="">
<a href="../concept/datanodes.html">Datanodes</a>
</li>
</ul>
</li>
<li class="">
<a href="../feature.html">
<span>Features</span>
</a>
<ul class="nav">
<li class="">
<a href="../feature/ha.html">High Availability</a>
</li>
<li class="">
<a href="../feature/topology.html">Topology awareness</a>
</li>
<li class="">
<a href="../feature/gdpr.html">GDPR in Ozone</a>
</li>
<li class="">
<a href="../feature/recon.html">Recon</a>
</li>
<li class="">
<a href="../feature/observability.html">Observability</a>
</li>
</ul>
</li>
<li class="">
<a href="../interface.html">
<span>Client Interfaces</span>
</a>
<ul class="nav">
<li class="">
<a href="../interface/ofs.html">Ofs (Hadoop compatible)</a>
</li>
<li class="">
<a href="../interface/o3fs.html">O3fs (Hadoop compatible)</a>
</li>
<li class="">
<a href="../interface/s3.html">S3 Protocol</a>
</li>
<li class="">
<a href="../interface/cli.html">Command Line Interface</a>
</li>
<li class="">
<a href="../interface/javaapi.html">Java API</a>
</li>
<li class="">
<a href="../interface/csi.html">CSI Protocol</a>
</li>
</ul>
</li>
<li class="">
<a href="../security.html">
<span>Security</span>
</a>
<ul class="nav">
<li class="active">
<a href="../security/secureozone.html">Securing Ozone</a>
</li>
<li class="">
<a href="../security/securingtde.html">Transparent Data Encryption</a>
</li>
<li class="">
<a href="../security/securingdatanodes.html">Securing Datanodes</a>
</li>
<li class="">
<a href="../security/securingozonehttp.html">Securing HTTP</a>
</li>
<li class="">
<a href="../security/securings3.html">Securing S3</a>
</li>
<li class="">
<a href="../security/securityacls.html">Ozone ACLs</a>
</li>
<li class="">
<a href="../security/securitywithranger.html">Apache Ranger</a>
</li>
</ul>
</li>
<li class="">
<a href="../tools.html">
<span>Tools</span>
</a>
</li>
<li class="">
<a href="../recipe.html">
<span>Recipes</span>
</a>
</li>
<li><a href="../design.html"><span><b>Design docs</b></span></a></li>
<li class="visible-xs"><a href="#">References</a>
<ul class="nav">
<li><a href="https://github.com/apache/hadoop"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Source</a></li>
<li><a href="https://hadoop.apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Apache Hadoop</a></li>
<li><a href="https://apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> ASF</a></li>
</ul></li>
</ul>
</div>
<div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main">
<div class="col-md-9">
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item"><a href="../">Home</a></li>
<li class="breadcrumb-item" aria-current="page"><a href="../security.html">Security</a></li>
<li class="breadcrumb-item active" aria-current="page">Securing Ozone</li>
</ol>
</nav>
<div class="pull-right">
<a href="../zh/security/secureozone.html"><span class="label label-success">中文</span></a>
</div>
<div class="col-md-9">
<h1>Securing Ozone</h1>
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<h1 id="kerberos">Kerberos</h1>
<p>Ozone depends on <a href="https://web.mit.edu/kerberos/">Kerberos</a> to make
clusters secure. Historically, HDFS has supported running in isolated, secure
networks, where it is possible to deploy without securing the cluster itself.</p>
<p>This release of Ozone follows that model, but will soon move to <em>secure by
default</em>. Today, to enable security in an Ozone cluster, set the
configuration property <strong>ozone.security.enabled</strong> to <em>true</em> and <strong>hadoop.security.authentication</strong>
to <em>kerberos</em>.</p>
<table>
<thead>
<tr>
<th>Property</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>ozone.security.enabled</td>
<td><em>true</em></td>
</tr>
<tr>
<td>hadoop.security.authentication</td>
<td><em>kerberos</em></td>
</tr>
</tbody>
</table>
<h1 id="tokens-">Tokens</h1>
<p>Ozone uses tokens to avoid overburdening the Kerberos server. When a cluster
serves thousands of requests per second, involving Kerberos in every request does
not scale well. Hence, once authentication has been done, Ozone issues delegation
tokens and block tokens to clients. These tokens allow applications to perform
specific operations against the cluster as if they held Kerberos tickets.
Ozone supports the following kinds of tokens.</p>
<h3 id="delegation-token-">Delegation Token</h3>
<p>Delegation tokens allow an application to act with a user's Kerberos
credentials. This token is issued by the Ozone Manager after verifying the
user's Kerberos identity. Delegation tokens are enabled by default when
security is enabled.</p>
<h3 id="block-token-">Block Token</h3>
<p>Block tokens allow a client to read or write a block. They are needed so that
datanodes can verify that the user/client has permission to read or modify
the block.</p>
<h3 id="s3authinfo-">S3AuthInfo</h3>
<p>S3 uses a very different, shared-secret security scheme. Ozone supports the AWS Signature Version 4 protocol,
and from the end user&rsquo;s perspective Ozone&rsquo;s S3 feels exactly like AWS S3.</p>
<p>The S3 credential tokens are called S3 auth info in the code. These tokens are
also enabled by default when security is enabled.</p>
<p>Each of the service daemons that make up Ozone needs a Kerberos service
principal name and a corresponding <a href="https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html">kerberos key tab</a> file.</p>
<p>All these settings should be made in ozone-site.xml.</p>
<div class="card-group">
<div class="card">
<div class="card-body">
<h3 class="card-title">Storage Container Manager</h3>
<p class="card-text">
<br>
SCM requires two Kerberos principals, and the corresponding key tab files
for both of these principals.
<br>
<table class="table table-dark">
<thead>
<tr>
<th scope="col">Property</th>
<th scope="col">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>hdds.scm.kerberos.principal</td>
<td>The SCM service principal. <br/> e.g. scm/_HOST@REALM.COM</td>
</tr>
<tr>
<td>hdds.scm.kerberos.keytab.file</td>
<td>The keytab file used by the SCM daemon to log in as its service principal.</td>
</tr>
<tr>
<td>hdds.scm.http.auth.kerberos.principal</td>
<td>SCM HTTP server service principal if SPNEGO is enabled for the SCM HTTP server.</td>
</tr>
<tr>
<td>hdds.scm.http.auth.kerberos.keytab</td>
<td>The keytab file used by the SCM HTTP server to log in as its service principal if SPNEGO is enabled for the SCM HTTP server.</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="card">
<div class="card-body">
<h3 class="card-title">Ozone Manager</h3>
<p class="card-text">
<br>
Like SCM, OM also requires two Kerberos principals, and the
corresponding key tab files for both of these principals.
<br>
<table class="table table-dark">
<thead>
<tr>
<th scope="col">Property</th>
<th scope="col">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ozone.om.kerberos.principal</td>
<td>The OzoneManager service principal. <br/> e.g. om/_HOST@REALM.COM</td>
</tr>
<tr>
<td>ozone.om.kerberos.keytab.file</td>
<td>The keytab file used by the OM daemon to log in as its service principal.</td>
</tr>
<tr>
<td>ozone.om.http.auth.kerberos.principal</td>
<td>Ozone Manager HTTP server service principal if SPNEGO is enabled for the OM HTTP server.</td>
</tr>
<tr>
<td>ozone.om.http.auth.kerberos.keytab</td>
<td>The keytab file used by the OM HTTP server to log in as its service principal if SPNEGO is enabled for the OM HTTP server.</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="card">
<div class="card-body">
<h3 class="card-title">S3 Gateway</h3>
<p class="card-text">
<br>
The S3 Gateway requires one service principal; the configuration values
needed in ozone-site.xml are listed below.
<br>
<table class="table table-dark">
<thead>
<tr>
<th scope="col">Property</th>
<th scope="col">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ozone.s3g.http.auth.kerberos.principal</td>
<td>S3 Gateway principal if SPNEGO is enabled for the S3 Gateway HTTP server. <br/> e.g. HTTP/_HOST@EXAMPLE.COM</td>
</tr>
<tr>
<td>ozone.s3g.http.auth.kerberos.keytab</td>
<td>The keytab file used by the S3 Gateway if SPNEGO is enabled for the S3 Gateway HTTP server.</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
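<p>As an added example (not part of the Ozone project or its documentation), the script below checks an <code>ozone-site.xml</code> against the settings described on this page: the two properties from the Kerberos section and the principal/keytab pairs from the SCM, OM and S3 Gateway tables above. The sample configuration embedded in it is constructed for illustration and deliberately contains one problem of each kind the check reports; the principal format it enforces (<code>service/_HOST@REALM</code>, matching the page's examples) and the treatment of a missing HTTP principal as "SPNEGO not enabled" are assumptions of this example, not rules from the page.</p>

```python
"""Audit an ozone-site.xml for the security settings described on this page.

Added example, not part of the Ozone project. Property names come from the
page; the sample configuration below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample ozone-site.xml. It contains three deliberate problems:
# authentication left at 'simple', an OM principal without a service/instance
# part, and an S3G SPNEGO principal configured without its keytab.
SAMPLE_OZONE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hdds.scm.kerberos.principal</name><value>scm/_HOST@EXAMPLE.COM</value></property>
  <property><name>hdds.scm.kerberos.keytab.file</name><value>/etc/security/keytabs/scm.keytab</value></property>
  <property><name>ozone.om.kerberos.principal</name><value>om@EXAMPLE.COM</value></property>
  <property><name>ozone.om.kerberos.keytab.file</name><value>/etc/security/keytabs/om.keytab</value></property>
  <property><name>ozone.s3g.http.auth.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
</configuration>
"""

# Service principal / keytab pairs that the page lists for SCM and OM.
REQUIRED_PAIRS = {
    "SCM": ("hdds.scm.kerberos.principal", "hdds.scm.kerberos.keytab.file"),
    "OM": ("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file"),
}
# HTTP (SPNEGO) pairs from the page; only checked when the principal is set,
# because the page says they apply "if SPNEGO is enabled" (assumption).
SPNEGO_PAIRS = {
    "SCM HTTP": ("hdds.scm.http.auth.kerberos.principal", "hdds.scm.http.auth.kerberos.keytab"),
    "OM HTTP": ("ozone.om.http.auth.kerberos.principal", "ozone.om.http.auth.kerberos.keytab"),
    "S3G HTTP": ("ozone.s3g.http.auth.kerberos.principal", "ozone.s3g.http.auth.kerberos.keytab"),
}
# service/instance@REALM, where instance may be the literal _HOST placeholder
# that Hadoop substitutes at login time. Assumed format, based on the page's examples.
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$")


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(text)
    conf = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value", default="")
        if name:
            conf[name.strip()] = value.strip()
    return conf


def _check_pair(conf, svc, principal_key, keytab_key, required):
    """Findings for one principal/keytab pair; empty list if it is consistent."""
    out = []
    principal = conf.get(principal_key)
    if principal is None:
        if required:
            out.append(f"{svc}: {principal_key} is missing")
        return out  # no HTTP principal: SPNEGO not enabled, nothing more to check
    if not PRINCIPAL_RE.match(principal):
        out.append(f"{svc}: {principal_key}='{principal}' is not of the form service/_HOST@REALM")
    if not conf.get(keytab_key):
        out.append(f"{svc}: {keytab_key} is missing although {principal_key} is set")
    return out


def check_security_config(conf):
    """Return a list of findings; an empty list means the page's settings are in place."""
    findings = []
    if conf.get("ozone.security.enabled", "false").lower() != "true":
        findings.append("ozone.security.enabled must be true")
    auth = conf.get("hadoop.security.authentication", "simple")
    if auth.lower() != "kerberos":
        findings.append(f"hadoop.security.authentication is '{auth}', expected kerberos")
    for svc, (p_key, k_key) in REQUIRED_PAIRS.items():
        findings.extend(_check_pair(conf, svc, p_key, k_key, required=True))
    for svc, (p_key, k_key) in SPNEGO_PAIRS.items():
        findings.extend(_check_pair(conf, svc, p_key, k_key, required=False))
    return findings


def audit(xml_text):
    """Parse an ozone-site.xml document and return its security findings."""
    return check_security_config(parse_hadoop_xml(xml_text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_OZONE_SITE):
        print("FINDING:", finding)
```

<p>Run against the embedded sample, the audit reports three findings (the <code>simple</code> authentication mode, the malformed OM principal and the missing S3 Gateway keytab); against a real deployment, pass the contents of the cluster's <code>ozone-site.xml</code> to <code>audit()</code> instead.</p>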
<a class="btn btn-success btn-lg" href="../security/securingtde.html">Next >></a>
</div>
</div>
</div>
</div>
</div>
<script src="../js/jquery-3.5.1.min.js"></script>
<script src="../js/ozonedoc.js"></script>
<script src="../js/bootstrap.min.js"></script>
</body>
</html>