3.5 KiB
3.5 KiB
title | date | menu | weight | ||||
---|---|---|---|---|---|---|---|
Setup secure ozone cluster | 2019-April-03 |
|
11 |
Setup secure ozone cluster
To enable security in ozone cluster ozone.security.enabled should be set to true.
ozone.security.enabled | true |
---|
Kerberos
Configuration for service daemons:
Property | Description |
---|---|
hdds.scm.kerberos.principal | The SCM service principal. Ex scm/HOST@REALM.COM |
hdds.scm.kerberos.keytab.file | The keytab file used by SCM daemon to login as its service principal. |
ozone.om.kerberos.principal | The OzoneManager service principal. Ex om/_HOST@REALM.COM |
ozone.om.kerberos.keytab.file | The keytab file used by SCM daemon to login as its service principal. |
hdds.scm.http.kerberos.principal | SCM http server service principal. |
hdds.scm.http.kerberos.keytab | The keytab file used by SCM http server to login as its service principal. |
ozone.om.http.kerberos.principal | OzoneManager http server principal. |
ozone.om.http.kerberos.keytab | The keytab file used by OM http server to login as its service principal. |
ozone.s3g.keytab.file | The keytab file used by S3 gateway. Ex /etc/security/keytabs/HTTP.keytab |
ozone.s3g.authentication.kerberos.principal | S3 Gateway principal. Ex HTTP/_HOST@EXAMPLE.COM |
Tokens
Delegation token
Delegation tokens are enabled by default when security is enabled.
Block Tokens
hdds.block.token.enabled | true |
---|
S3Token
S3 token are enabled by default when security is enabled. To use S3 tokens users need to perform following steps:
- S3 clients should get the secret access id and user secret from OzoneManager.
ozone s3 getsecret
- Setup secret in aws configs:
aws configure set default.s3.signature_version s3v4
aws configure set aws_access_key_id ${accessId}
aws configure set aws_secret_access_key ${secret}
aws configure set region us-west-1
Certificates
Certificates are used internally inside Ozone. Its enabled be default when security is enabled.
Authorization
Default access authorizer for Ozone approves every request. It is not suitable for production environments. It is recommended that clients use ranger plugin for Ozone to manage authorizations.
Property | Description |
---|---|
ozone.acl.enabled | true |
ozone.acl.authorizer.class | org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer |
TDE
To use TDE clients must set KMS URI.
hadoop.security.key.provider.path | KMS uri. Ex kms://http@kms-host:9600/kms |
---|