jojochuang commented on PR #266: URL: https://github.com/apache/ozone-site/pull/266#issuecomment-3782084062
TODO: System Internals -> Security -> Kerberos to add: Ozone leverages Java SASL mechanism (GSS-API). When a service role start, it uses the service principal and keytab to authenticate with the KDC server. The kerberos client is configured by the local /etc/krb5.conf. Hosts of the same cluster usually belong to the same Kerberos realm. Applications of different cluster/Kerberos realms may be able to communicate if cross realm trust is set up. Troubleshooting (this one should probably go into Troubleshooting -> Security check out Hadoop's Secure Mode page section Troubleshooting, and section Troubleshooting with KDiag https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SecureMode.html. And https://risdenk.github.io/2018/03/14/kerberos-debugging.html https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/secrets.html JVM Kerberos Library logging, JVM SPNEGO Logging, Hadoop-side JAAS debugging, OS-level Kerberos Debugging ----- System Internals -> Security -> Tokens to add block token and container token description and comparision. Block Token * Granularity: Block-level. A Block Token grants access to a single, specific block within a container. * Issuer: Ozone Manager (OM). The OM generates Block Tokens when a client requests to write or read a block. This is because the OM is responsible for managing the block namespace within the object store. * Usage Context: A Block Token is used when a client needs to perform a data-plane operation (read/write) on a specific block. For example: 1. A client wants to write data for key1. 2. It contacts the OM, which allocates a new block (e.g., block123) for key1. 3. The OM returns the location of block123 (which includes the DataNodes) and a unique Block Token for `block123`. 4. The client then uses this specific Block Token to write data for block123 to the DataNodes. * Information Carried (`BlockTokenIdentifier`): The token identifier contains: * The user/owner ID. * The BlockID it authorizes. * The access modes it permits (e.g., READ, WRITE, DELETE). Container Token * Granularity: Container-level. A Container Token grants access to an entire container, which can contain many blocks. * Issuer: Storage Container Manager (SCM). The SCM generates Container Tokens. This is logical because the SCM is responsible for managing containers and their placement across DataNodes, but it is unaware of the individual blocks inside them. * Usage Context: A Container Token is used for operations that concern the container as a whole, often for administrative or maintenance tasks that bypass the Ozone Manager. For example: 1. An administrator uses the ozone debug replicas verify command to check the integrity of replicas for a container. 2. The admin tool contacts the SCM to get a Container Token for the specified ContainerID. 3. The tool then uses this token to communicate directly with DataNodes to perform the verification. 4. Another example is when the SCM itself issues commands to DataNodes (e.g., to close a container). It generates a Container Token to authorize its own command. * Information Carried (`ContainerTokenIdentifier`): The token identifier contains: * The user/owner ID. * The ContainerID it authorizes. * It does not specify individual blocks or fine-grained access modes like a Block Token does. Summary of Key Differences ┌──────────────────┬─────────────────────────────────────────────────┬───────────────────────────────────────────────────────────────────┐ │ Feature │ Block Token │ Container Token │ ├──────────────────┼─────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────┤ │ Scope of Access │ A single Block │ An entire Container │ │ Generated By │ Ozone Manager (OM) │ Storage Container Manager (SCM) │ │ Primary Use Case │ Authorizing client data operations (read/write) │ Authorizing administrative or management operations on containers │ │ Typical User │ End-client applications writing/reading keys │ Ozone-internal processes (like SCM) or admin tools (ozone debug) │ └──────────────────┴─────────────────────────────────────────────────┴───────────────────────────────────────────────────────────────────┘ In short, think of it like this: * A Block Token is your ticket to a specific seat in a movie theater, given to you by the box office (Ozone Manager). * A Container Token is a master key for the entire theater room, given to you by the building manager (SCM) for maintenance or inspection purposes. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
