sarvekshayr commented on code in PR #220: URL: https://github.com/apache/ozone-site/pull/220#discussion_r2664421089
########## docs/05-administrator-guide/02-configuration/03-security/05-encryption/01-network-encryption/03-https.md: ########## 
@@ -2,6 +2,118 @@ sidebar_label: HTTPS --- -# Configuring HTTPS +# HTTPS -**TODO:** File a subtask under [HDDS-9859](https://issues.apache.org/jira/browse/HDDS-9859) and complete this page or section. +This document describes how to configure Ozone HTTP web-consoles to require user authentication. + +## Default authentication + +By default Ozone HTTP web-consoles (OM, SCM, S3G, Recon, Datanode) allow access without authentication based on the following default configurations. + +| Property | Value | +|----------|-------| +| `ozone.security.http.kerberos.enabled` | `false` | +| `ozone.http.filter.initializers` | | + +If you have an SPNEGO enabled Ozone cluster and want to disable it for all Ozone services, just make sure the two key mentioned are configured as above. + +## Kerberos based SPNEGO authentication + +However, they can be configured to require Kerberos authentication using HTTP SPNEGO protocol (supported by browsers like Firefox and Chrome). To achieve that, the following keys must be configured first. + +| Property | Value | +|----------|-------| +| `hadoop.security.authentication` | `kerberos` | +| `ozone.security.http.kerberos.enabled` | `true` | +| `ozone.http.filter.initializers` | `org.apache.hadoop.security.AuthenticationFilterInitializer` | + +After that, individual component needs to configure properly to completely enable SPNEGO or SIMPLE authentication. 
+ +## Enable SPNEGO authentication for OM HTTP + +| Property | Value | +|----------|-------| +| `ozone.om.http.auth.type` | `kerberos` | +| `ozone.om.http.auth.kerberos.principal` | `HTTP/_HOST@REALM` | +| `ozone.om.http.auth.kerberos.keytab` | `/path/to/HTTP.keytab` | + +## Enable SPNEGO authentication for S3G HTTP + +| Property | Value | +|----------|-------| +| `ozone.s3g.http.auth.type` | `kerberos` | +| `ozone.s3g.http.auth.kerberos.principal` | `HTTP/_HOST@REALM` | +| `ozone.s3g.http.auth.kerberos.keytab` | `/path/to/HTTP.keytab` | + +## Enable SPNEGO authentication for Recon HTTP + +| Property | Value | +|----------|-------| +| `ozone.recon.http.auth.type` | `kerberos` | +| `ozone.recon.http.auth.kerberos.principal` | `HTTP/_HOST@REALM` | +| `ozone.recon.http.auth.kerberos.keytab` | `/path/to/HTTP.keytab` | + +## Enable SPNEGO authentication for SCM HTTP + +| Property | Value | +|----------|-------| +| `ozone.scm.http.auth.type` | `kerberos` | +| `ozone.scm.http.auth.kerberos.principal` | `HTTP/_HOST@REALM` | +| `ozone.scm.http.auth.kerberos.keytab` | `/path/to/HTTP.keytab` | + +## Enable SPNEGO authentication for Datanode HTTP + +| Property | Value | +|----------|-------| +| `ozone.datanode.http.auth.type` | `kerberos` | +| `ozone.datanode.http.auth.kerberos.principal` | `HTTP/_HOST@REALM` | +| `ozone.datanode.http.auth.kerberos.keytab` | `/path/to/HTTP.keytab` | + +Note: Ozone Datanode does not have a default webpage, which prevents you from accessing “/” or “/index.html”. But it does provide standard servlet like `jmx/conf/jstack` via HTTP. Review Comment: Now that `jstack` is quoted, it no longer throws spelling CI error. You can exclude it from `cspell.yaml` ########## docs/05-administrator-guide/02-configuration/03-security/05-encryption/01-network-encryption/03-https.md: ########## 
@@ -2,6 +2,118 @@ sidebar_label: HTTPS --- -# Configuring HTTPS +# HTTPS Review Comment: Let's retain this title - ```suggestion # Configuring HTTPS ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
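Review bot: The added intro line "This document describes how to configure Ozone HTTP web-consoles to require user authentication" and every section below it cover SPNEGO authentication, but the file is `05-encryption/01-network-encryption/03-https.md` with the sidebar label HTTPS, and nothing in the hunk configures TLS for the web consoles. Either add the transport-encryption settings the page is named for, or move the SPNEGO tables to an authentication page and link to them from here, so that a reader who applies these tables does not assume the consoles are encrypted. In "Default authentication", it would help to say outright that with `ozone.security.http.kerberos.enabled` set to `false` the Datanode servlets named in the closing note (`jmx/conf/jstack`) are served without authentication as well. The sentence "individual component needs to configure properly to completely enable SPNEGO or SIMPLE authentication" mentions SIMPLE, yet every per-component table only shows `kerberos` for the `*.http.auth.type` key; either document the simple value or drop the mention. Wording in the same region: "the two key mentioned" should read "the two keys mentioned", and "individual component needs to configure properly" should read "each component must be configured".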
