Securing Ozone
Kerberos
Ozone depends on Kerberos to make its clusters secure. Historically, HDFS has supported running in isolated, secured networks where it is possible to deploy without securing the cluster itself.
This release of Ozone follows that model, but will soon move to secure by default. Today, to enable security in an Ozone cluster, set the configuration property ozone.security.enabled to true and hadoop.security.authentication to kerberos.
Property | Value |
---|---|
ozone.security.enabled | true |
hadoop.security.authentication | kerberos |
Tokens
Ozone uses a notion of tokens to avoid overburdening the Kerberos server. When you serve thousands of requests per second, involving Kerberos in every request might not work well. Hence, once authentication is done, Ozone issues delegation tokens and block tokens to the clients. These tokens allow applications to perform specified operations against the cluster as if they held Kerberos tickets. Ozone supports the following kinds of tokens.
Delegation Token
Delegation tokens allow an application to act with a user's Kerberos credentials. This token is based on verification of the Kerberos identity and is issued by the Ozone Manager. Delegation tokens are enabled by default when security is enabled.
Block Token
Block tokens allow a client to read or write a block. This is needed so that data nodes know that the user/client has permission to read or make modifications to the block.
S3AuthInfo
S3 uses a very different, shared-secret security scheme. Ozone supports the AWS Signature Version 4 protocol, and from the end user's perspective Ozone's S3 feels exactly like AWS S3.
The S3 credential tokens are called S3 auth info in the code. These tokens are also enabled by default when security is enabled.
Each of the service daemons that make up Ozone needs a Kerberos service principal name and a corresponding Kerberos keytab file.
All these settings should be made in ozone-site.xml.
Storage Container Manager
SCM requires two Kerberos principals, and the corresponding keytab files for both of these principals.
Property | Description |
---|---|
hdds.scm.kerberos.principal | The SCM service principal. e.g. scm/_HOST@REALM.COM |
hdds.scm.kerberos.keytab.file | The keytab file used by SCM daemon to login as its service principal. |
hdds.scm.http.auth.kerberos.principal | SCM http server service principal if SPNEGO is enabled for SCM http server. |
hdds.scm.http.auth.kerberos.keytab | The keytab file used by the SCM http server to login as its service principal if SPNEGO is enabled for the SCM http server. |
Ozone Manager
Like SCM, OM also requires two Kerberos principals, and the corresponding keytab files for both of these principals.
Property | Description |
---|---|
ozone.om.kerberos.principal | The OzoneManager service principal. e.g. om/_HOST@REALM.COM |
ozone.om.kerberos.keytab.file | The keytab file used by OM daemon to login as its service principal. |
ozone.om.http.auth.kerberos.principal | Ozone Manager http server service principal if SPNEGO is enabled for om http server. |
ozone.om.http.auth.kerberos.keytab | The keytab file used by OM http server to login as its service principal if SPNEGO is enabled for om http server. |
S3 Gateway
The S3 gateway requires one service principal; the configuration values needed in ozone-site.xml are listed here.
Property | Description |
---|---|
ozone.s3g.kerberos.principal | S3 Gateway principal. e.g. s3g/_HOST@REALM |
ozone.s3g.kerberos.keytab.file | The keytab file used by S3 gateway. e.g. /etc/security/keytabs/s3g.keytab |
ozone.s3g.http.auth.kerberos.principal | S3 Gateway principal if SPNEGO is enabled for S3 Gateway http server. e.g. HTTP/_HOST@EXAMPLE.COM |
ozone.s3g.http.auth.kerberos.keytab | The keytab file used by S3 gateway if SPNEGO is enabled for S3 Gateway http server. |
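To show how the settings from the Kerberos section and the three daemon tables fit together, here is an added audit script (not part of the Ozone project) that parses a Hadoop-style ozone-site.xml and reports which of the listed security properties are missing or wrong. The embedded XML and its keytab paths are constructed for the demo; the SPNEGO (http.auth) pairs are not checked because they only apply when SPNEGO is enabled.

```python
import xml.etree.ElementTree as ET

# Settings the page requires once security is on, plus the service principal /
# keytab pairs from the SCM, OM and S3 Gateway tables. The SPNEGO (http.auth)
# pairs are skipped here because they only apply when SPNEGO is enabled.
REQUIRED = {"ozone.security.enabled": "true",
            "hadoop.security.authentication": "kerberos"}
DAEMONS = [("hdds.scm.kerberos.principal", "hdds.scm.kerberos.keytab.file"),
           ("ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file"),
           ("ozone.s3g.kerberos.principal", "ozone.s3g.kerberos.keytab.file")]

def parse_ozone_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_security_config(props):
    """Return a list of findings; an empty list means every setting is present."""
    findings = []
    for name, expected in REQUIRED.items():
        actual = props.get(name)
        if actual is None or actual.lower() != expected:
            findings.append(f"{name}={actual!r}, expected {expected!r}")
    for principal_key, keytab_key in DAEMONS:
        principal = props.get(principal_key, "")
        if "/" not in principal or "@" not in principal:  # want service/_HOST@REALM
            findings.append(f"{principal_key} is missing or malformed: {principal!r}")
        if not props.get(keytab_key):
            findings.append(f"{keytab_key} is not set")
    return findings

# Constructed sample: security on but authentication left at "simple", and an
# incomplete S3 Gateway principal with no keytab (keytab paths are made up).
SAMPLE_OZONE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hdds.scm.kerberos.principal</name><value>scm/_HOST@REALM.COM</value></property>
  <property><name>hdds.scm.kerberos.keytab.file</name><value>/etc/security/keytabs/scm.keytab</value></property>
  <property><name>ozone.om.kerberos.principal</name><value>om/_HOST@REALM.COM</value></property>
  <property><name>ozone.om.kerberos.keytab.file</name><value>/etc/security/keytabs/om.keytab</value></property>
  <property><name>ozone.s3g.kerberos.principal</name><value>s3g</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_security_config(parse_ozone_site(SAMPLE_OZONE_SITE)):
        print("FINDING:", finding)
```

Run it against the real file by replacing SAMPLE_OZONE_SITE with the contents of ozone-site.xml; an empty findings list means the properties this page lists are all set.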