Wei-Chiu Chuang created HDDS-14480:
--------------------------------------

             Summary: [Docs] System Internals -> Security -> Kerberos
                 Key: HDDS-14480
                 URL: https://issues.apache.org/jira/browse/HDDS-14480
             Project: Apache Ozone
          Issue Type: Task
          Components: documentation
            Reporter: Wei-Chiu Chuang


System Internals -> Security -> Kerberos

 
h2. Kerberos and SPNEGO in Apache Ozone

Apache Ozone uses *Kerberos* for strong authentication across its services and 
clients. This ensures that only authenticated users and services can access 
Ozone resources.
h3. Kerberos Authentication

Ozone relies on the *Java SASL (Simple Authentication and Security Layer)* 
framework using the *GSS-API* mechanism for Kerberos authentication.

At startup, each Ozone service role (such as OM, SCM, or DataNode):
# Uses its *service principal* and *keytab* to authenticate with the Kerberos *Key Distribution Center (KDC)*.
# Uses the local Kerberos client configuration in {{/etc/krb5.conf}}.
# Assumes, as is typical, that all hosts in the same Ozone cluster belong to the same *Kerberos realm*.

Ozone also supports *cross-realm authentication*. Applications and services 
in different Kerberos realms can communicate securely if cross-realm trust is 
properly configured between the realms.
h3. SPNEGO for HTTP Access

*SPNEGO (Simple and Protected GSS-API Negotiation Mechanism)* is the 
Kerberos-based authentication mechanism used for HTTP access to Ozone services, 
such as the Ozone Manager (OM) web endpoints.

SPNEGO is widely supported by modern tools and clients, including:
* Web browsers (Chrome, Firefox, Safari)
* Command-line tools such as {{curl}}

Example using {{curl}} with SPNEGO:

{{curl --negotiate -u : http://om-host.example.com:9874/}}

In this mode, the client automatically uses the user's Kerberos credentials to 
authenticate to the Ozone HTTP service without requiring usernames or passwords.
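A small preflight check that goes with the SPNEGO section above: it sends one unauthenticated request to an Ozone HTTP endpoint and reports whether the service actually demands a Negotiate (SPNEGO) handshake or answers without any challenge. This is an added example, not Ozone project code; it assumes the standard SPNEGO behaviour (HTTP 401 with {{WWW-Authenticate: Negotiate}} for unauthenticated clients), and the host name and port 9874 are taken from the curl example above.

```python
"""Check that an Ozone HTTP endpoint (e.g. OM on port 9874) enforces SPNEGO.

Added example, not part of Apache Ozone. Assumes the endpoint follows the
standard SPNEGO handshake: an unauthenticated GET is answered with HTTP 401
carrying 'WWW-Authenticate: Negotiate'. Host name is a placeholder.
"""
import http.client
from typing import Iterable, Tuple


def classify_spnego(status: int, headers: Iterable[Tuple[str, str]]) -> str:
    """Classify the response to an unauthenticated probe.

    'enforced'   - 401 plus a Negotiate challenge: SPNEGO is required.
    'open'       - 2xx/3xx with no challenge: the endpoint is unauthenticated.
    'other-auth' - 401 without a Negotiate challenge (e.g. Basic only).
    'unexpected' - anything else (403, 5xx, error pages, ...).
    """
    challenges = [v.strip() for k, v in headers if k.lower() == "www-authenticate"]
    # A challenge may carry a token ("Negotiate oYG..."); only the scheme matters.
    negotiate = any(c.split()[0].lower() == "negotiate" for c in challenges if c)
    if status == 401 and negotiate:
        return "enforced"
    if status == 401:
        return "other-auth"
    if 200 <= status < 400:
        return "open"
    return "unexpected"


def probe(host: str, port: int = 9874, path: str = "/", timeout: float = 5.0) -> str:
    """Send one GET with no Kerberos credentials and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_spnego(resp.status, resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses so the classification can be exercised offline.
SAMPLES = {
    "spnego-om": (401, [("WWW-Authenticate", "Negotiate"), ("Content-Length", "0")]),
    "basic-only": (401, [("WWW-Authenticate", 'Basic realm="ozone"')]),
    "unprotected": (200, [("Content-Type", "text/html")]),
}

if __name__ == "__main__":
    for name, (status, hdrs) in SAMPLES.items():
        print(f"{name}: {classify_spnego(status, hdrs)}")
    # Live check against a real OM host: print(probe("om-host.example.com"))
```

Any result other than {{enforced}} for an OM or SCM web endpoint on a secured cluster means the HTTP authentication filter is not doing what the configuration intends and should be investigated before the endpoint is exposed.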


