| |
| |
| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| |
| <meta name="description" content="Hadoop Ozone Documentation"> |
| |
| <title>Documentation for Apache Hadoop Ozone</title> |
| |
| |
| <link href="../css/bootstrap.min.css" rel="stylesheet"> |
| |
| |
| <link href="../css/ozonedoc.css" rel="stylesheet"> |
| |
| </head> |
| |
| |
| <body> |
| |
| |
| <nav class="navbar navbar-inverse navbar-fixed-top"> |
| <div class="container-fluid"> |
| <div class="navbar-header"> |
| <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#sidebar" aria-expanded="false" aria-controls="navbar"> |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a href="#" class="navbar-left" style="height: 50px; padding: 5px 5px 5px 0;"> |
| <img src="../ozone-logo-small.png" width="40"/> |
| </a> |
| <a class="navbar-brand hidden-xs" href="#"> |
| Apache Hadoop Ozone/HDDS documentation |
| </a> |
| <a class="navbar-brand visible-xs-inline" href="#">Hadoop Ozone</a> |
| </div> |
| <div id="navbar" class="navbar-collapse collapse"> |
| <ul class="nav navbar-nav navbar-right"> |
| <li><a href="https://github.com/apache/hadoop-ozone">Source</a></li> |
| <li><a href="https://hadoop.apache.org">Apache Hadoop</a></li> |
| <li><a href="https://apache.org">ASF</a></li> |
| </ul> |
| </div> |
| </div> |
| </nav> |
| |
| |
| <div class="container-fluid"> |
| <div class="row"> |
| |
| <div class="col-sm-2 col-md-2 sidebar" id="sidebar"> |
| <ul class="nav nav-sidebar"> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../index.html"> |
| |
| |
| |
| <span>Overview</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../start.html"> |
| |
| |
| |
| <span>Getting Started</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../shell.html"> |
| |
| |
| |
| <span>Command Line Interface</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../interface.html"> |
| |
| |
| |
| <span>Programming Interfaces</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../gdpr.html"> |
| |
| |
| |
| <span>GDPR</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../security.html"> |
| |
| |
| |
| <span>Security</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../concept.html"> |
| |
| |
| |
| <span>Concepts</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../beyond.html"> |
| |
| |
| |
| <span>Beyond Basics</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../tools.html"> |
| |
| |
| |
| <span>Tools</span> |
| </a> |
| </li> |
| |
| |
| |
| <li class=""> |
| |
| <a href="../recipe.html"> |
| |
| |
| |
| <span>Recipes</span> |
| </a> |
| </li> |
| |
| |
| <li class="visible-xs"><a href="#">References</a> |
| <ul class="nav"> |
| <li><a href="https://github.com/apache/hadoop"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Source</a></li> |
| <li><a href="https://hadoop.apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Apache Hadoop</a></li> |
| <li><a href="https://apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> ASF</a></li> |
| </ul></li> |
| </ul> |
| |
| </div> |
| |
| <div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main"> |
| |
| |
| |
| <div class="col-md-9"> |
| <nav aria-label="breadcrumb"> |
| <ol class="breadcrumb"> |
| <li class="breadcrumb-item"><a href="../">Home</a></li> |
| <li class="breadcrumb-item" aria-current="page"><a href="../security.html">Security</a></li> |
| <li class="breadcrumb-item active" aria-current="page">Securing Datanodes</li> |
| </ol> |
| </nav> |
| |
| |
| |
| <div class="pull-right"> |
| |
| |
| |
| </div> |
| |
| |
| <div class="col-md-9"> |
| <h1>Securing Datanodes</h1> |
| |
| |
| |
| <!--- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <p>Datanodes under Hadoop is traditionally secured by creating a Keytab file on |
| the data nodes. With Ozone, we have moved away to using data node |
| certificates. That is, Kerberos on data nodes is not needed in case of a |
| secure Ozone cluster.</p> |
| |
| <p>However, we support the legacy Kerberos based Authentication to make it easy |
| for the current set of users.The HDFS configuration keys are the following |
| that is setup in hdfs-site.xml.</p> |
| |
| <table> |
| <thead> |
| <tr> |
| <th>Property</th> |
| <th>Description</th> |
| </tr> |
| </thead> |
| |
| <tbody> |
| <tr> |
| <td>dfs.datanode.kerberos.principal</td> |
| <td>The datanode service principal. <br/> e.g. dn/_HOST@REALM.COM</td> |
| </tr> |
| |
| <tr> |
| <td>dfs.datanode.keytab.file</td> |
| <td>The keytab file used by datanode daemon to login as its service principal.</td> |
| </tr> |
| |
| <tr> |
| <td>hdds.datanode.http.kerberos.principal</td> |
| <td>Datanode http server service principal.</td> |
| </tr> |
| |
| <tr> |
| <td>hdds.datanode.http.kerberos.keytab</td> |
| <td>The keytab file used by datanode http server to login as its service principal.</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| <h2 id="how-a-data-node-becomes-secure">How a data node becomes secure.</h2> |
| |
| <p>Under Ozone, when a data node boots up and discovers SCM’s address, the first |
| thing that data node does is to create a private key and send a certificate |
| request to the SCM.</p> |
| |
| <p><h3>Certificate Approval via Kerberos <span class="badge badge-secondary">Current Model</span></h3> |
| SCM has a built-in CA, and SCM has to approve this request. If the data node |
| already has a Kerberos key tab, then SCM will trust Kerberos credentials and |
| issue a certificate automatically.</p> |
| |
| <p><h3>Manual Approval <span class="badge badge-primary">In Progress</span></h3> |
| If these are band new data nodes and Kerberos key tabs are not present at the |
| data nodes, then this request for the data nodes identity certificate is |
| queued up for approval from the administrator(This is work in progress, |
| not committed in Ozone yet). In other words, the web of trust is established |
| by the administrator of the cluster.</p> |
| |
| <p><h3>Automatic Approval <span class="badge badge-secondary">In Progress</span></h3> |
| If you running under an container orchestrator like Kubernetes, we rely on |
| Kubernetes to create a one-time token that will be given to data node during |
| boot time to prove the identity of the data node container (This is also work |
| in progress.)</p> |
| |
| <p>Once a certificate is issued, a data node is secure and Ozone manager can |
| issue block tokens. If there is no data node certificates or the SCM’s root |
| certificate is not present in the data node, then data node will register |
| itself and down load the SCM’s root certificate as well get the certificates |
| for itself.</p> |
| |
| |
| |
| <a class="btn btn-success btn-lg" href="../security/securingtde.html">Next >></a> |
| |
| </div> |
| |
| </div> |
| </div> |
| </div> |
| </div> |
| |
| |
| |
| |
| <script src="../js/jquery-3.4.1.min.js"></script> |
| <script src="../js/ozonedoc.js"></script> |
| <script src="../js/bootstrap.min.js"></script> |
| |
| |
| </body> |
| |
| </html> |