[ 
https://issues.apache.org/jira/browse/HDDS-14469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Wei-Chiu Chuang updated HDDS-14469:
-----------------------------------
    Description: 
Add a doc in v2 site for "Users and groups" under Core Concepts -> Security 
[https://ozone-site-v2.staged.apache.org/docs/core-concepts/security/]

 

There's not a corresponding v1 doc on this topic, so we need to come up with 
something.

Users -- every host in the cluster must have a consistent mechanism to identify a 
user. If it's a Kerberized environment, a user name is mapped from the Kerberos 
principal. If it's a simple (unsecure) environment, a user is whatever a client 
says it is.

Groups -- Groups mapping mechanism. Groups are only used for administrator 
privilege checks.
If Ranger authorization is used, group resolution is performed at Ranger.

  was:
Write for v2 doc 
[https://ozone-site-v2.staged.apache.org/docs/core-concepts/security/kerberos]

 

There's not a corresponding v1 doc on this topic, so we need to come up with 
something.

 

What is Kerberos authentication protocol?

What Kerberos does _not_ do

How Ozone uses Kerberos
 * Client → Ozone authentication
 * Service → Service authentication (internal)

Kerberos over HTTP using SPNEGO


> CLONE - [Docs] Core Concepts -> Security -> Users/groups
> --------------------------------------------------------
>
>                 Key: HDDS-14469
>                 URL: https://issues.apache.org/jira/browse/HDDS-14469
>             Project: Apache Ozone
>          Issue Type: Task
>          Components: documentation
>            Reporter: Wei-Chiu Chuang
>            Priority: Major
>
> Add a doc in v2 site for "Users and groups" under Core Concepts -> Security 
> [https://ozone-site-v2.staged.apache.org/docs/core-concepts/security/]
>  
> There's not a corresponding v1 doc on this topic, so we need to come up with 
> something.
> Users -- every host in the cluster must have a consistent mechanism to identify 
> a user. If it's a Kerberized environment, a user name is mapped from the 
> Kerberos principal. If it's a simple (unsecure) environment, a user is 
> whatever a client says it is.
> Groups -- Groups mapping mechanism. Groups are only used for administrator 
> privilege checks.
> If Ranger authorization is used, group resolution is performed at Ranger.


