hadoop-yetus commented on a change in pull request #687: HDDS-1329. Update documentation for Ozone-0.4.0 release. Contributed By Ajay Kumar. URL: https://github.com/apache/hadoop/pull/687#discussion_r271900729
########## File path: hadoop-hdds/docs/content/SetupSecureOzone.md ########## @@ -0,0 +1,88 @@ +--- +title: "Setup secure ozone cluster" +date: "2019-April-03" +menu: + main: + parent: Architecture +weight: 11 +--- +<!--- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +# Setup secure ozone cluster # + +To enable security in ozone cluster **ozone.security.enabled** should be set to true. + +ozone.security.enabled| true +----------------------|------ + +## Kerberos ## +Configuration for service daemons: + +Property|Description +--------|------------------------------------------------------------ +hdds.scm.kerberos.principal | The SCM service principal. Ex scm/_HOST@REALM.COM_ +hdds.scm.kerberos.keytab.file |The keytab file used by SCM daemon to login as its service principal. +ozone.om.kerberos.principal |The OzoneManager service principal. Ex om/_h...@realm.com +ozone.om.kerberos.keytab.file |The keytab file used by SCM daemon to login as its service principal. +hdds.scm.http.kerberos.principal|SCM http server service principal. +hdds.scm.http.kerberos.keytab |The keytab file used by SCM http server to login as its service principal. +ozone.om.http.kerberos.principal|OzoneManager http server principal. +ozone.om.http.kerberos.keytab |The keytab file used by OM http server to login as its service principal. +ozone.s3g.keytab.file |The keytab file used by S3 gateway. Ex /etc/security/keytabs/HTTP.keytab +ozone.s3g.authentication.kerberos.principal|S3 Gateway principal. Ex HTTP/_h...@example.com + +## Tokens ## + +## Delegation token ## +Delegation tokens are enabled by default when security is enabled. + +## Block Tokens ## +hdds.block.token.enabled | true +-----------------------------|------ + +## S3Token ## +S3 token are enabled by default when security is enabled. +To use S3 tokens users need to perform following steps: +* S3 clients should get the secret access id and user secret from OzoneManager. +``` +ozone s3 getsecret +``` +* Setup secret in aws configs: +``` +aws configure set default.s3.signature_version s3v4 +aws configure set aws_access_key_id ${accessId} +aws configure set aws_secret_access_key ${secret} Review comment: whitespace:end of line ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
