This is an automated email from the ASF dual-hosted git repository.
weichiu pushed a commit to branch HDDS-9225-website-v2
in repository https://gitbox.apache.org/repos/asf/ozone-site.git
The following commit(s) were added to refs/heads/HDDS-9225-website-v2 by this push:
new ee997032a HDDS-13153. [Docs] Add Httpfs, Recon kerberos configurations in Administrator Guide/Configuration/Security/Kerberos (#255)
ee997032a is described below
commit ee997032a721f5676d4ec5f3f8c260b7c988fc29
Author: Wei-Chiu Chuang <[email protected]>
AuthorDate: Wed Jan 21 08:18:56 2026 -0800
HDDS-13153. [Docs] Add Httpfs, Recon kerberos configurations in Administrator Guide/Configuration/Security/Kerberos (#255)
---
.../02-configuration/03-security/02-kerberos.md | 29 ++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git
a/docs/05-administrator-guide/02-configuration/03-security/02-kerberos.md
b/docs/05-administrator-guide/02-configuration/03-security/02-kerberos.md
index f0803d2db..196cc48c7 100644
--- a/docs/05-administrator-guide/02-configuration/03-security/02-kerberos.md
+++ b/docs/05-administrator-guide/02-configuration/03-security/02-kerberos.md
@@ -46,6 +46,10 @@ SCM requires two Kerberos principals, and the corresponding
key tab files for bo
| `hdds.scm.http.auth.kerberos.principal` | SCM HTTP server service principal
if SPNEGO is enabled for SCM HTTP server. |
| `hdds.scm.http.auth.kerberos.keytab` | The keytab file used by SCM HTTP
server to login as its service principal if SPNEGO is enabled for SCM HTTP
server. |
+:::note
+For general configuration on enabling Kerberos based SPNEGO authentication for
HTTP web-consoles, refer to [Configuring
HTTPS](/docs/05-administrator-guide/02-configuration/03-security/05-encryption/01-network-encryption/03-https.md).
+:::
+
## Ozone Manager
Like SCM, OM also requires two Kerberos principals, and the corresponding key
tab files for both of these principals.
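Review bot: the `:::note` admonition is appended directly to the `hdds.scm.http.auth.kerberos.keytab` row with no blank line in between; add an empty line before `:::note` so the SCM table is unambiguously closed before the directive, matching the blank line that already follows the closing `:::`. Two smaller points in the same lines: "Kerberos based SPNEGO authentication" should be hyphenated as "Kerberos-based", and the link target is written as a numbered source-file path (`/docs/05-administrator-guide/.../03-https.md`) while the Recon paragraph added later in this patch links by route path (`/docs/administrator-guide/configuration/security/administrators`); pick one convention so both links resolve the same way.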
@@ -68,6 +72,31 @@ S3 Gateway requires one service principal and here the
configuration values need
| `ozone.s3g.http.auth.kerberos.principal` | S3 Gateway principal if SPNEGO is
enabled for S3 Gateway HTTP server. e.g. `HTTP/[email protected]` |
| `ozone.s3g.http.auth.kerberos.keytab` | The keytab file used by S3 Gateway
if SPNEGO is enabled for S3 Gateway HTTP server. |
+## HttpFS Gateway
+
+The HttpFS gateway offers an HDFS-compatible REST API (`webhdfs`). It requires
Kerberos for its client-facing HTTP endpoint and for its internal connection to
the Ozone Manager (which acts as an HDFS NameNode proxy).
+
+| Property | Description |
+|---|---|
+| `hadoop.http.authentication.type` | Defines the authentication mechanism
used by HttpFS for its HTTP clients. Valid values are `simple` or `kerberos`.
Set to `kerberos` for SPNEGO. |
+| `hadoop.http.authentication.kerberos.principal` | The HTTP Kerberos
principal used by HttpFS for its client-facing HTTP endpoint. This MUST start
with `HTTP/` (e.g., `HTTP/${httpfs.hostname}@${kerberos.realm}`). |
+| `hadoop.http.authentication.kerberos.keytab` | The Kerberos keytab file for
the client-facing HTTP principal. e.g., `${user.home}/httpfs.keytab`. |
+| `httpfs.hadoop.authentication.type` | Defines the authentication mechanism
used by HttpFS to connect to the HDFS NameNode (Ozone Manager). Valid values
are `simple` (default) or `kerberos`. |
+| `httpfs.hadoop.authentication.kerberos.principal` | The Kerberos principal
used by HttpFS to connect to the HDFS NameNode (Ozone Manager). e.g.,
`${user.name}/${httpfs.hostname}@${kerberos.realm}`. |
+| `httpfs.hadoop.authentication.kerberos.keytab` | The Kerberos keytab file
for the principal used to connect to the HDFS NameNode (Ozone Manager). e.g.,
`${user.home}/httpfs.keytab`. |
+
+## Recon Server
+
+Recon provides monitoring and management capabilities and can be secured using
Kerberos authentication for its web UI and REST endpoints.
+
+| Property | Description |
+|---|---|
+| `ozone.recon.http.auth.type` | Sets Recon's HTTP authentication type. Set to
`kerberos` for SPNEGO. |
+| `ozone.recon.http.auth.kerberos.principal` | The service principal for the
Recon HTTP endpoint. e.g., `HTTP/_HOST@REALM`. |
+| `ozone.recon.http.auth.kerberos.keytab` | The keytab file for the Recon HTTP
principal. e.g., `/path/to/HTTP.keytab`. |
+
+Access to Recon's admin-only APIs is controlled by `ozone.administrators` or
`ozone.recon.administrators` lists. Refer to [Configuring Ozone
Administrators](/docs/administrator-guide/configuration/security/administrators)
for more details.
+
## Securing Datanodes
Datanodes under Hadoop is traditionally secured by creating a Keytab file on
the Datanodes. With Ozone, we have moved away to using Datanode certificates.
That is, Kerberos on Datanodes is not needed in case of a secure Ozone cluster.
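Review bot: in the HttpFS table, `hadoop.http.authentication.kerberos.keytab` and `httpfs.hadoop.authentication.kerberos.keytab` both give `${user.home}/httpfs.keytab` as the example, yet the two rows describe different principals (`HTTP/...` for the client-facing endpoint and `${user.name}/...` for the Ozone Manager connection); state explicitly that one file is acceptable only if it contains keys for both principals, or show two distinct files, because SPNEGO on the HTTP endpoint cannot work without the `HTTP/` entry even when the OM login succeeds. Related wording points: "HDFS NameNode (Ozone Manager)" is repeated in three rows and "the Ozone Manager (which acts as an HDFS NameNode proxy)" reads oddly; one sentence in the intro saying that HttpFS uses the Hadoop FileSystem client configuration with Ozone Manager in the place of the NameNode would let the rows simply say "to connect to Ozone Manager". In the Recon table, `ozone.recon.http.auth.type` should list its valid values and default the way `hadoop.http.authentication.type` does, and the principal placeholder style differs between sections (`${httpfs.hostname}` in HttpFS, `_HOST` in Recon); either confirm both components accept `_HOST` or say which placeholder applies where, so a reader does not copy the wrong one. Finally, the administrators link in the last paragraph uses a route path without the numeric prefixes or `.md` extension, unlike the HTTPS link earlier in this patch.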
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]