Setup secure ozone cluster


To enable security in an Ozone cluster, ozone.security.enabled must be set to true.

| Property | Value |
|---|---|
| ozone.security.enabled | true |

Kerberos

Configuration for service daemons:

| Property | Description |
|---|---|
| hdds.scm.kerberos.principal | The SCM service principal, e.g. scm/_HOST@REALM.COM |
| hdds.scm.kerberos.keytab.file | The keytab file used by the SCM daemon to log in as its service principal. |
| ozone.om.kerberos.principal | The OzoneManager service principal, e.g. om/_HOST@REALM.COM |
| ozone.om.kerberos.keytab.file | The keytab file used by the OM daemon to log in as its service principal. |
| hdds.scm.http.kerberos.principal | SCM HTTP server service principal. |
| hdds.scm.http.kerberos.keytab.file | The keytab file used by the SCM HTTP server to log in as its service principal. |
| ozone.om.http.kerberos.principal | OzoneManager HTTP server principal. |
| ozone.om.http.kerberos.keytab.file | The keytab file used by the OM HTTP server to log in as its service principal. |
| ozone.s3g.keytab.file | The keytab file used by the S3 gateway, e.g. /etc/security/keytabs/HTTP.keytab |
| ozone.s3g.authentication.kerberos.principal | S3 gateway principal, e.g. HTTP/_HOST@EXAMPLE.COM |

Tokens

Delegation token

Delegation tokens are enabled by default when security is enabled.

Block Tokens

| Property | Value |
|---|---|
| hdds.block.token.enabled | true |

S3Token

S3 tokens are enabled by default when security is enabled. To use S3 tokens, users need to perform the following steps:

  • S3 clients obtain the access id and user secret from OzoneManager:

        ozone s3 getsecret

  • Set up the access id and secret in the aws configuration:

        aws configure set default.s3.signature_version s3v4
        aws configure set aws_access_key_id ${accessId}
        aws configure set aws_secret_access_key ${secret}
        aws configure set region us-west-1
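What the access id and secret from the steps above are actually used for: the aws client signs every request with SigV4 using the secret, and the server side must recompute the signature from the secret it holds for that access id and reject anything that does not match. The following is an added illustration, not code from the Ozone project; the host, bucket, key, access id and secret values are constructed placeholders, and the server-side check is modelled as a single function rather than Ozone's own S3 token handling.

```python
# Added example (not from the Ozone documentation): how the access id and secret
# that `ozone s3 getsecret` hands out are used. The client signs each request
# with SigV4 using the secret; the server recomputes the signature from the
# secret it holds for that access id and rejects mismatches. Host, bucket, key,
# access id and secret values below are constructed placeholders.
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret, date_stamp, region, service="s3"):
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_authorization(access_id, secret, method, host, path, query, amz_date, region, payload=b""):
    """Client side: build the Authorization header for one request (region as in the aws configure step)."""
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join(
        [method, quote(path, safe="/-_.~"), canonical_query, canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret, date_stamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_id}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"


def server_verify(authorization, method, host, path, query, amz_date, payload, secret_store):
    """Server side: look up the secret for the access id, recompute, compare in constant time."""
    if not authorization.startswith(ALGORITHM + " "):
        return False
    try:
        fields = dict(part.strip().split("=", 1) for part in authorization[len(ALGORITHM) + 1:].split(","))
        access_id, date_stamp, region, service, _ = fields["Credential"].split("/")
    except (ValueError, KeyError):
        return False
    secret = secret_store.get(access_id)
    if secret is None or service != "s3" or date_stamp != amz_date[:8]:
        return False
    expected = sigv4_authorization(access_id, secret, method, host, path, query, amz_date, region, payload)
    return hmac.compare_digest(expected, authorization)


# Constructed secret store standing in for what OzoneManager holds per access id.
SECRET_STORE = {"example-access-id": "example-secret-not-real"}
# Constructed request: a GET against a bucket key on a hypothetical S3 gateway host.
REQUEST = dict(method="GET", host="s3g.example.com:9878", path="/bucket1/key1",
               query={"list-type": "2"}, amz_date="20240101T000000Z")

if __name__ == "__main__":
    auth = sigv4_authorization("example-access-id", SECRET_STORE["example-access-id"],
                               region="us-west-1", **REQUEST)
    print(auth)
    print("accepted:", server_verify(auth, payload=b"", secret_store=SECRET_STORE, **REQUEST))
```

The point of the signature is that the secret never travels with the request: a changed path, payload or secret produces a different signature, so a request that was tampered with in transit, or signed with a secret the server does not hold for that access id, is refused.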

Certificates

Certificates are used internally inside Ozone. They are enabled by default when security is enabled.

Authorization

The default access authorizer for Ozone approves every request, so it is not suitable for production environments. It is recommended that clients use the Ranger plugin for Ozone to manage authorization.

| Property | Value |
|---|---|
| ozone.acl.enabled | true |
| ozone.acl.authorizer.class | org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer |

TDE

To use TDE, clients must set the KMS URI.

| Property | Value |
|---|---|
| hadoop.security.key.provider.path | KMS URI, e.g. kms://http@kms-host:9600/kms |
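A practitioner usually wants one check that the settings from the Kerberos, Tokens, Authorization and TDE sections above are all present in ozone-site.xml before calling a cluster secure. The script below is an added example and not part of Ozone; it reads a Hadoop-style configuration document, reports which of the properties listed on this page are missing or malformed, and shows how the _HOST placeholder in a principal expands (Hadoop substitutes the lowercased fully qualified host name). The host names, keytab paths and the two sample configurations are constructed.

```python
# Added example (not part of the Ozone documentation): audit an ozone-site.xml
# against the settings this page lists (security enabled, Kerberos principals
# and keytabs, block tokens, ACL authorizer, KMS URI). Host names, paths and
# the sample configurations are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Kerberos properties listed for the service daemons on this page.
KERBEROS_PROPERTIES = [
    "hdds.scm.kerberos.principal", "hdds.scm.kerberos.keytab.file",
    "ozone.om.kerberos.principal", "ozone.om.kerberos.keytab.file",
    "hdds.scm.http.kerberos.principal", "hdds.scm.http.kerberos.keytab.file",
    "ozone.om.http.kerberos.principal", "ozone.om.http.kerberos.keytab.file",
    "ozone.s3g.keytab.file", "ozone.s3g.authentication.kerberos.principal",
]
RANGER_AUTHORIZER = "org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer"


def site_xml(pairs):
    """Render {name: value} as a Hadoop-style configuration document (used to build the samples)."""
    body = "".join(f"  <property><name>{k}</name><value>{v}</value></property>\n"
                   for k, v in pairs.items())
    return f'<?xml version="1.0"?>\n<configuration>\n{body}</configuration>\n'


def parse_site_xml(text):
    """Read a configuration document back into {name: value}."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def expand_host(principal, fqdn):
    """Expand the _HOST placeholder the way Hadoop does: lowercased fully qualified host name."""
    return principal.replace("_HOST", fqdn.lower())


def valid_kms_uri(uri):
    """Accept the kms://http@host:port/kms (or https) form shown in the TDE section."""
    p = urlparse(uri)
    return (p.scheme == "kms" and p.username in ("http", "https")
            and p.hostname is not None and p.port is not None and p.path.startswith("/kms"))


def audit(props):
    """Return a list of findings; an empty list means every setting on this page is in place."""
    findings = []

    def enabled(name):
        return props.get(name, "false").strip().lower() == "true"

    if not enabled("ozone.security.enabled"):
        findings.append("ozone.security.enabled is not true: the cluster runs without security")
    for name in KERBEROS_PROPERTIES:
        if not props.get(name):
            findings.append(f"{name} is not set")
    for name, value in props.items():
        if name.endswith("principal") and value and "@" not in value:
            findings.append(f"{name}={value!r} has no realm")
    if not enabled("hdds.block.token.enabled"):
        findings.append("hdds.block.token.enabled is not true")
    if not enabled("ozone.acl.enabled"):
        findings.append("ozone.acl.enabled is not true")
    if not props.get("ozone.acl.authorizer.class"):
        findings.append("ozone.acl.authorizer.class is not set: the default authorizer approves every request")
    kms = props.get("hadoop.security.key.provider.path")
    if kms and not valid_kms_uri(kms):
        findings.append(f"hadoop.security.key.provider.path={kms!r} is not a kms://http@host:port/kms URI")
    return findings


# Constructed samples: one cluster configured as this page describes, one that is not.
SECURE_PROPS = {
    "ozone.security.enabled": "true",
    "hdds.scm.kerberos.principal": "scm/_HOST@EXAMPLE.COM",
    "hdds.scm.kerberos.keytab.file": "/etc/security/keytabs/scm.keytab",
    "ozone.om.kerberos.principal": "om/_HOST@EXAMPLE.COM",
    "ozone.om.kerberos.keytab.file": "/etc/security/keytabs/om.keytab",
    "hdds.scm.http.kerberos.principal": "HTTP/_HOST@EXAMPLE.COM",
    "hdds.scm.http.kerberos.keytab.file": "/etc/security/keytabs/HTTP.keytab",
    "ozone.om.http.kerberos.principal": "HTTP/_HOST@EXAMPLE.COM",
    "ozone.om.http.kerberos.keytab.file": "/etc/security/keytabs/HTTP.keytab",
    "ozone.s3g.keytab.file": "/etc/security/keytabs/HTTP.keytab",
    "ozone.s3g.authentication.kerberos.principal": "HTTP/_HOST@EXAMPLE.COM",
    "hdds.block.token.enabled": "true",
    "ozone.acl.enabled": "true",
    "ozone.acl.authorizer.class": RANGER_AUTHORIZER,
    "hadoop.security.key.provider.path": "kms://http@kms-host:9600/kms",
}
WEAK_PROPS = {
    "ozone.security.enabled": "false",
    "ozone.om.kerberos.principal": "om/_HOST",
    "hadoop.security.key.provider.path": "http://kms-host:9600/kms",
}

if __name__ == "__main__":
    for label, pairs in (("secure", SECURE_PROPS), ("weak", WEAK_PROPS)):
        print(f"[{label}] {audit(parse_site_xml(site_xml(pairs))) or 'no findings'}")
    print(expand_host(SECURE_PROPS["hdds.scm.kerberos.principal"], "SCM1.Example.COM"))
```

Run it against a real ozone-site.xml by replacing the constructed samples with `parse_site_xml(open(path).read())`; the findings list is empty only when every property this page names is present, every principal carries a realm, and the KMS URI has the kms://http@host:port/kms shape.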