dineshchitlangia commented on a change in pull request #1788:
URL: https://github.com/apache/ozone/pull/1788#discussion_r575751760



##########
File path: hadoop-hdds/common/src/main/resources/ozone-default.xml
##########
@@ -2143,57 +2187,65 @@
   </property>
   <property>
     <name>ozone.recon.http.auth.kerberos.keytab</name>
-    <value/>
-    <tag>RECON, SECURITY</tag>
+    <value>/path/to/HTTP.keytab</value>
+    <tag>RECON, SECURITY, KERBEROS</tag>
     <description>
       The keytab file for HTTP Kerberos authentication in Recon.
     </description>
   </property>
   <property>
     <name>ozone.recon.http.auth.kerberos.principal</name>
-    <value/>
-    <tag>RECON</tag>
+    <value>HTTP/_HOST@REALM</value>
+    <tag>RECON, KERBEROS</tag>
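
Review bot: the new default `<value>/path/to/HTTP.keytab</value>` on ozone.recon.http.auth.kerberos.keytab replaces an empty value with a placeholder path, and the description ("The keytab file for HTTP Kerberos authentication in Recon.") does not say that it has to be replaced. The same applies to the literal REALM in `<value>HTTP/_HOST@REALM</value>`. Either keep `<value/>` so that an unconfigured deployment is visibly unconfigured, or state in the descriptions that the shipped value is a template that must be overridden before HTTP Kerberos authentication is enabled.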

Review comment:
       Add tag SECURITY in line with other similar configs.

##########
File path: hadoop-hdds/common/src/main/resources/ozone-default.xml
##########
@@ -1699,31 +1740,34 @@
   </property>
   <property>
     <name>ozone.om.kerberos.keytab.file</name>
-    <value></value>
-    <tag> OZONE, SECURITY</tag>
+    <value/>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description> The keytab file used by OzoneManager daemon to login as its
       service principal. The principal name is configured with
       ozone.om.kerberos.principal.
     </description>
   </property>
   <property>
     <name>ozone.om.kerberos.principal</name>
-    <value></value>
-    <tag> OZONE, SECURITY</tag>
+    <value/>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description>The OzoneManager service principal. Ex 
om/[email protected]</description>
   </property>
   <property>
     <name>ozone.om.http.auth.kerberos.principal</name>
-    <value>HTTP/[email protected]</value>
+    <value>HTTP/_HOST@REALM</value>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description>
-      OzoneManager http server kerberos principal.
+      Ozone Manager http server service principal if SPNEGO is enabled for om 
http server.
     </description>
   </property>
   <property>
     <name>ozone.om.http.auth.kerberos.keytab</name>
-    <value>/etc/security/keytabs/HTTP.keytab</value>
+    <value>/path/to/HTTP.keytab</value>
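
Review bot: defaults are handled inconsistently within this hunk: ozone.om.kerberos.keytab.file and ozone.om.kerberos.principal stay empty (`<value/>`), while ozone.om.http.auth.kerberos.principal and ozone.om.http.auth.kerberos.keytab get placeholder values (`HTTP/_HOST@REALM`, `/path/to/HTTP.keytab`). Pick one convention for all four Kerberos properties. The new description for ozone.om.http.auth.kerberos.principal also mixes "Ozone Manager", "om" and lower-case "http"; something like "Ozone Manager HTTP server service principal, used when SPNEGO is enabled for the OM HTTP server." reads more cleanly.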

Review comment:
       I wouldn't recommend changing the default value of the path to keytab on all such occurrences.
   From what I have seen, most admins keep the keytabs at /etc/security/keytabs.
   
   If we avoid changing this, then only a very small subset of users would have to change this in the template before using.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.