<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<meta name="description" content="Hadoop Ozone Documentation">

<title>Documentation for Apache Hadoop Ozone</title>

<link href="../../css/bootstrap.min.css" rel="stylesheet">

<link href="../../css/ozonedoc.css" rel="stylesheet">

</head>

<body>

<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#sidebar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="#" class="navbar-left" style="height: 50px; padding: 5px 5px 5px 0;">
<img src="../../ozone-logo-small.png" width="40"/>
</a>
<a class="navbar-brand hidden-xs" href="#">
Apache Hadoop Ozone/HDDS documentation
</a>
<a class="navbar-brand visible-xs-inline" href="#">Hadoop Ozone</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="https://github.com/apache/hadoop-ozone">Source</a></li>
<li><a href="https://hadoop.apache.org">Apache Hadoop</a></li>
<li><a href="https://apache.org">ASF</a></li>
</ul>
</div>
</div>
</nav>

<div class="container-fluid">
<div class="row">

<div class="col-sm-2 col-md-2 sidebar" id="sidebar">
<ul class="nav nav-sidebar">

<li class="">
<a href="../../zh/">
<span>Overview</span>
</a>
</li>

<li class="">
<a href="../../zh/start.html">
<span>Getting Started</span>
</a>
</li>

<li class="">
<a href="../../zh/interface.html">
<span>Programming Interfaces</span>
</a>
</li>

<li class="">
<a href="../../zh/feature.html">
<span>GDPR</span>
</a>
</li>

<li class="">
<a href="../../zh/security.html">
<span>Security</span>
</a>
</li>

<li class="">
<a href="../../zh/concept.html">
<span>Concepts</span>
</a>
</li>

<li class="">
<a href="../../zh/tools.html">
<span>Tools</span>
</a>
</li>

<li class="">
<a href="../../zh/recipe.html">
<span>Recipes</span>
</a>
</li>

<li><a href="../../design.html"><span><b>Design docs</b></span></a></li>
<li class="visible-xs"><a href="#">References</a>
<ul class="nav">
<li><a href="https://github.com/apache/hadoop"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Source</a></li>
<li><a href="https://hadoop.apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> Apache Hadoop</a></li>
<li><a href="https://apache.org"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> ASF</a></li>
</ul></li>
</ul>

</div>
| |
<div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main">

<div class="col-md-9">
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item"><a href="../../">Home</a></li>
<li class="breadcrumb-item"><a href="../../zh/security.html">Security</a></li>
<li class="breadcrumb-item active" aria-current="page">Securing Ozone</li>
</ol>
</nav>

<div class="pull-right">
<a href="../../security/secureozone.html"><span class="label label-success">English</span></a>
</div>

<div class="col-md-9">
<h1>Securing Ozone</h1>

<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<h1 id="kerberos">Kerberos</h1>
<p>Security in an Ozone cluster is built on <a href="https://web.mit.edu/kerberos/">Kerberos</a>. Historically, HDFS supported running inside an isolated, trusted network, so a cluster could be deployed without being secured at all.</p>
<p>Ozone follows the same model for now, but will soon become <em>secure by default</em>. Today, enabling security in an Ozone cluster requires setting <strong>ozone.security.enabled</strong> to <em>true</em> and <strong>hadoop.security.authentication</strong> to <em>kerberos</em>. Both settings are needed: the first enables Ozone's own security features (including the tokens described below), the second switches Hadoop RPC authentication from <em>simple</em>, where a client is trusted to assert its own user name, to Kerberos.</p>
<table>
<thead>
<tr>
<th>Parameter</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>ozone.security.enabled</td>
<td><em>true</em></td>
</tr>
<tr>
<td>hadoop.security.authentication</td>
<td><em>kerberos</em></td>
</tr>
</tbody>
</table>
<h1 id="tokens-">Tokens</h1>
<p>Ozone uses tokens to avoid overloading the Kerberos server: a KDC may not keep up when a cluster serves thousands of requests per second. So once a user has authenticated, Ozone issues a delegation token and block tokens, which applications present to perform specific operations against the cluster as if they held Kerberos credentials. Ozone supports the following kinds of token.</p>
<h3 id="代理-token-">Delegation Token</h3>
<p>A delegation token lets an application act with a user's Kerberos identity. It is issued by the OM after the user's Kerberos identity has been verified, and it is enabled by default when security is enabled.</p>
<h3 id="块-token-">Block Token</h3>
<p>A client reads or writes a block by presenting a block token; it tells the datanode that the client has permission to read or modify that particular block.</p>
<h3 id="s3authinfo-">S3AuthInfo</h3>
<p>S3 uses a quite different, shared-secret security scheme. Ozone supports the AWS Signature Version 4 protocol, so from the user's perspective Ozone's S3 interface behaves just like AWS S3.</p>
<p>S3 credentials are likewise enabled by default when security is enabled.</p>
<p>Each Ozone service daemon needs a Kerberos service principal name and a corresponding <a href="https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html">Kerberos keytab</a> file. In a principal name the literal <em>_HOST</em> is replaced at startup with the fully qualified host name of the machine the daemon runs on, so one ozone-site.xml can be shared across hosts. A keytab holds the principal's long-term key, so it must be readable only by the account the daemon runs as.</p>
<p>The following should be configured in ozone-site.xml:</p>
<div class="card-group">
<div class="card">
<div class="card-body">
<h3 class="card-title">Storage Container Manager</h3>
<p class="card-text">
SCM needs two Kerberos principals and two corresponding keytab files.
</p>
<table class="table table-dark">
<thead>
<tr>
<th scope="col">Configuration</th>
<th scope="col">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>hdds.scm.kerberos.principal</td>
<td>SCM service principal, for example scm/_HOST@REALM.COM</td>
</tr>
<tr>
<td>hdds.scm.kerberos.keytab.file</td>
<td>Keytab file used by the SCM process</td>
</tr>
<tr>
<td>hdds.scm.http.kerberos.principal</td>
<td>SCM HTTP service principal</td>
</tr>
<tr>
<td>hdds.scm.http.kerberos.keytab</td>
<td>Keytab file used by the SCM HTTP service</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="card">
<div class="card-body">
<h3 class="card-title">Ozone Manager</h3>
<p class="card-text">
Like SCM, OM needs two Kerberos principals and their corresponding keytab files.
</p>
<table class="table table-dark">
<thead>
<tr>
<th scope="col">Configuration</th>
<th scope="col">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ozone.om.kerberos.principal</td>
<td>OzoneManager service principal, for example om/_HOST@REALM.COM</td>
</tr>
<tr>
<td>ozone.om.kerberos.keytab.file</td>
<td>Keytab file used by the OM process</td>
</tr>
<tr>
<td>ozone.om.http.kerberos.principal</td>
<td>OM HTTP service principal</td>
</tr>
<tr>
<td>ozone.om.http.kerberos.keytab</td>
<td>Keytab file used by the OM HTTP service</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="card">
<div class="card-body">
<h3 class="card-title">S3 Gateway</h3>
<p class="card-text">
The S3 gateway needs only one service principal, configured as follows:
</p>
<table class="table table-dark">
<thead>
<tr>
<th scope="col">Configuration</th>
<th scope="col">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ozone.s3g.authentication.kerberos.principal</td>
<td>S3 gateway service principal, for example HTTP/_HOST@EXAMPLE.COM</td>
</tr>
<tr>
<td>ozone.s3g.keytab.file</td>
<td>Keytab file used by the S3 gateway</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
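<p>The following is an added example, not code from the Ozone project: a Python pre-flight check that reads a Hadoop-style ozone-site.xml and verifies the two security flags from the Kerberos section together with the principal and keytab settings from the three tables above. The sample configuration and the keytab files it points at are constructed inside the script so it runs offline. Its rules beyond what the page states are assumptions of this checker: principals are expected to look like <em>service/host@REALM</em> with an upper-case realm, the HTTP principals are expected to start with <em>HTTP/</em> because SPNEGO requires that service name, and a keytab is rejected if it is readable by group or others.</p>

```python
"""Pre-flight check for a secure Ozone configuration (added example, not
Ozone project code). Parses ozone-site.xml, verifies the security flags,
and checks each daemon's Kerberos principal and keytab. Sample config and
keytabs are constructed here so the script runs offline."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# The two settings from the Kerberos section of the page.
REQUIRED_FLAGS = {
    "ozone.security.enabled": "true",
    "hadoop.security.authentication": "kerberos",
}

# (principal key, keytab key) pairs from the SCM, OM and S3 gateway tables.
PRINCIPAL_KEYTAB_PAIRS = [
    ("hdds.scm.kerberos.principal", "hdds.scm.kerberos.keytab.file"),
    ("hdds.scm.http.kerberos.principal", "hdds.scm.http.kerberos.keytab"),
    ("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file"),
    ("ozone.om.http.kerberos.principal", "ozone.om.http.kerberos.keytab"),
    ("ozone.s3g.authentication.kerberos.principal", "ozone.s3g.keytab.file"),
]

# service/host@REALM; "_HOST" is an acceptable host. The upper-case realm is
# an assumption of this checker (Kerberos convention, not an Ozone rule).
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9._-]+@[A-Z0-9.-]+$")


def parse_site_xml(text):
    """Return {name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_keytab(path):
    """Return a problem string, or None if the keytab exists and is owner-only."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "is missing"
    if not stat.S_ISREG(st.st_mode):
        return "is not a regular file"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "is readable by group or others (expect mode 0400 or 0600)"
    return None


def find_problems(props):
    """Return findings for a parsed ozone-site.xml; an empty list means it passes."""
    problems = []
    for key, expected in REQUIRED_FLAGS.items():
        if props.get(key, "").lower() != expected:
            problems.append(f"{key} must be {expected!r}, got {props.get(key)!r}")
    for principal_key, keytab_key in PRINCIPAL_KEYTAB_PAIRS:
        principal = props.get(principal_key, "")
        if not PRINCIPAL_RE.match(principal):
            problems.append(f"{principal_key}: {principal!r} is not service/host@REALM")
        elif principal_key.endswith(".http.kerberos.principal") and not principal.startswith("HTTP/"):
            # Web UIs are protected with SPNEGO, which requires an HTTP/ service principal.
            problems.append(f"{principal_key}: SPNEGO needs an HTTP/ principal, got {principal!r}")
        keytab = props.get(keytab_key, "")
        err = check_keytab(keytab) if keytab else "is not set"
        if err:
            problems.append(f"{keytab_key}: {keytab or '(unset)'} {err}")
    return problems


def make_sample(tmpdir, keytab_mode=0o400, security_enabled="true"):
    """Build a constructed ozone-site.xml whose keytabs live under tmpdir."""
    props = dict(REQUIRED_FLAGS)
    props["ozone.security.enabled"] = security_enabled
    props.update({
        "hdds.scm.kerberos.principal": "scm/_HOST@REALM.COM",
        "hdds.scm.http.kerberos.principal": "HTTP/_HOST@REALM.COM",
        "ozone.om.kerberos.principal": "om/_HOST@REALM.COM",
        "ozone.om.http.kerberos.principal": "HTTP/_HOST@REALM.COM",
        "ozone.s3g.authentication.kerberos.principal": "HTTP/_HOST@REALM.COM",
    })
    for _, keytab_key in PRINCIPAL_KEYTAB_PAIRS:
        path = os.path.join(tmpdir, keytab_key + ".keytab")
        with open(path, "wb") as f:
            f.write(b"\x05\x02")  # krb5 keytab version header only; placeholder, no real keys
        os.chmod(path, keytab_mode)
        props[keytab_key] = path
    body = "".join(f"  <property><name>{k}</name><value>{v}</value></property>\n"
                   for k, v in props.items())
    return f"<configuration>\n{body}</configuration>\n"


def demo():
    """Check a correct config and a weak one (security off, world-readable keytabs)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = find_problems(parse_site_xml(make_sample(tmp)))
    with tempfile.TemporaryDirectory() as tmp:
        weak = find_problems(parse_site_xml(
            make_sample(tmp, keytab_mode=0o644, security_enabled="false")))
    return good, weak
```

<p>Running <code>demo()</code> returns no findings for the correct sample and six for the weak one: the disabled <code>ozone.security.enabled</code> flag plus one finding per group- or world-readable keytab. Point <code>parse_site_xml</code> at a real ozone-site.xml on a node to run the same checks there; the keytab permission check must run on the host that owns the files.</p>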

<a class="btn btn-success btn-lg" href="../../zh/security/securingtde.html">Next >></a>

</div>

</div>
</div>
</div>
</div>

<script src="../../js/jquery-3.5.1.min.js"></script>
<script src="../../js/ozonedoc.js"></script>
<script src="../../js/bootstrap.min.js"></script>

</body>

</html>