<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Apache Ozone Documentation">
<title>Documentation for Apache Ozone</title>
<link href="../../css/bootstrap.min.css" rel="stylesheet">
<link href="../../css/ozonedoc.css" rel="stylesheet">
<link href="../../swagger-resources/swagger-ui.css" rel="stylesheet">
</head>
<body>
<div class="wrapper">
<div class="container-fluid">
<div class="row">
<div class="col-sm-10 col-sm-offset-2 col-md-10 col-md-offset-2 main-content">
<div class="col-md-9">
<div class="col-md-9">
<h1>Securing Datanodes</h1>
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<p>Datanodes in Hadoop are secured by creating a keytab file for each node. Ozone's datanode security does not depend on Kerberos; it uses datanode certificates instead.</p>
<p>For the convenience of existing users, the traditional Kerberos-based authentication is still supported; users only need to set the following parameters in hdfs-site.xml:</p>
<table>
<thead>
<tr>
<th>Parameter</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>dfs.datanode.kerberos.principal</td>
<td>Service principal name of the datanode <br/> for example: dn/_HOST@REALM.COM</td>
</tr>
<tr>
<td>dfs.datanode.kerberos.keytab.file</td>
<td>Keytab file used by the datanode process</td>
</tr>
<tr>
<td>hdds.datanode.http.auth.kerberos.principal</td>
<td>Service principal name of the datanode HTTP server</td>
</tr>
<tr>
<td>hdds.datanode.http.auth.kerberos.keytab</td>
<td>Keytab file used to log in the service principal of the datanode HTTP server</td>
</tr>
</tbody>
</table>
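<p>The following is an added example, not code from the Ozone project or this page: it reads the four settings above from an hdfs-site.xml document in Hadoop's property/name/value XML layout and reports a missing or empty setting, a principal that does not have the service/_HOST@REALM form, or a keytab given as a relative path. The sample document, the regular expression and the function name are assumptions constructed for the example.</p>

```go
package main

import (
	"encoding/xml"
	"regexp"
	"strings"
)

// The four datanode settings from the table above; keys ending in "principal" hold a principal, the others a keytab path.
var requiredKeys = []string{"dfs.datanode.kerberos.principal", "dfs.datanode.kerberos.keytab.file",
	"hdds.datanode.http.auth.kerberos.principal", "hdds.datanode.http.auth.kerberos.keytab"}

// Hadoop service principals look like service/host@REALM; host is normally _HOST, replaced with the local host name at startup.
var principalRE = regexp.MustCompile(`^[A-Za-z0-9.-]+/(_HOST|[A-Za-z0-9.-]+)@[A-Z0-9.-]+$`)

// checkDatanodeKerberos parses an hdfs-site.xml document and reports each missing or empty setting, malformed principal, or relative keytab path as one finding.
func checkDatanodeKerberos(hdfsSiteXML string) ([]string, error) {
	var conf struct { // mirrors the <configuration><property><name/><value/></property> layout
		Properties []struct {
			Name  string `xml:"name"`
			Value string `xml:"value"`
		} `xml:"property"`
	}
	if err := xml.Unmarshal([]byte(hdfsSiteXML), &conf); err != nil {
		return nil, err
	}
	seen := map[string]string{}
	for _, p := range conf.Properties {
		seen[strings.TrimSpace(p.Name)] = strings.TrimSpace(p.Value) // tolerate whitespace around names and values
	}
	var findings []string
	for _, key := range requiredKeys {
		val := seen[key]
		if val == "" {
			findings = append(findings, key+": missing or empty")
		} else if strings.HasSuffix(key, "principal") && !principalRE.MatchString(val) {
			findings = append(findings, key+": "+val+" is not of the form service/_HOST@REALM")
		} else if !strings.HasSuffix(key, "principal") && !strings.HasPrefix(val, "/") {
			findings = append(findings, key+": keytab path "+val+" should be absolute")
		}
	}
	return findings, nil
}

// sampleHdfsSite is a constructed hdfs-site.xml with one deliberate gap: the HTTP server keytab is not set.
const sampleHdfsSite = `<configuration>
  <property><name>dfs.datanode.kerberos.principal</name><value>dn/_HOST@EXAMPLE.COM</value></property>
  <property><name>dfs.datanode.kerberos.keytab.file</name><value>/etc/security/keytabs/dn.service.keytab</value></property>
  <property><name>hdds.datanode.http.auth.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
</configuration>`
```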
<h2 id="如何安全化-datanode">How datanodes are secured</h2>
<p>In Ozone, once a datanode starts and has discovered the SCM address, it first creates a private key and sends a certificate request to the SCM.</p>
<h3>Certificate issuance through Kerberos<span class="badge badge-secondary">Current model</span></h3>
<p>SCM has a built-in CA that approves certificate requests. If the datanode already has a Kerberos keytab, SCM trusts that identity and issues a certificate automatically.</p>
<h3>Manual issuance<span class="badge badge-primary">In development</span></h3>
<p>If the datanode is newly added and has no keytab, the certificate request has to wait for an administrator's approval (manual approval is not yet fully supported). In other words, the chain of trust is established by the cluster administrator.</p>
<h3>Automatic issuance <span class="badge badge-secondary">In development</span></h3>
<p>If you run Ozone under a container orchestrator such as Kubernetes, Kubernetes needs to create a one-time token for the datanode that proves the identity of the datanode container during startup. (This feature is also under development.)</p>
<p>Once the certificate is issued, the datanode is secured and the OM can issue block tokens. If the datanode has no certificate or no SCM root certificate, it registers automatically, downloads the SCM root certificate, and obtains its own certificate.</p>
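<p>The enrollment exchange described above, as an added example in Go that is not Ozone's own code: the SCM side signs a certificate request only when it is backed by a Kerberos identity, otherwise the request stays pending, and the datanode accepts the result only if it was signed by the SCM root certificate it holds. The self-signed SCM root, the Ed25519 keys, the one-day validity and the function names are assumptions constructed for the example; Ozone's real CA, key types and approval flow are not modelled beyond what this page describes.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// scmIssue is the SCM side: its built-in CA signs a CSR automatically only when the datanode proved
// its identity with a Kerberos keytab; any other request stays pending until an administrator approves it.
func scmIssue(caKey ed25519.PrivateKey, root *x509.Certificate, csrDER []byte, kerberosOK bool) ([]byte, error) {
	if !kerberosOK {
		return nil, errors.New("no keytab identity: request pending manual approval")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the requester must hold the private key behind the CSR
		return nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: []string{csr.Subject.CommonName},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, leaf, root, csr.PublicKey, caKey)
}

// simulateEnrollment runs the exchange end to end: a self-signed SCM root is constructed, the datanode
// creates a private key (it never leaves the node), sends a CSR, and accepts only a certificate signed by that root.
func simulateEnrollment(host string, kerberosOK bool) (*x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "scm-root-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, t, t, caPub, caKey) // cannot fail for a fresh key pair
	root, _ := x509.ParseCertificate(rootDER)
	_, dnKey, _ := ed25519.GenerateKey(rand.Reader) // datanode side from here on
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}}, dnKey)
	certDER, err := scmIssue(caKey, root, csrDER, kerberosOK)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	return cert, cert.CheckSignatureFrom(root) // the downloaded SCM root certificate is the trust anchor
}
```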
</div>
</div>
</div>
</div>
</div>
<div class="push"></div>
</div>
<footer class="footer">
<div class="container">
<span class="small text-muted">
Version: 1.5.0-SNAPSHOT, Last Modified: February 26, 2024 <a class="hide-child link primary-color" href="https://github.com/apache/ozone/commit/1b48186a0107711235abcd2636977ae0242f6be8">1b48186</a>
</span>
</div>
</footer>
</body>
</html>