[ https://issues.apache.org/jira/browse/HDDS-14480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gargi Jaiswal reassigned HDDS-14480:
------------------------------------
Assignee: Gargi Jaiswal
> [Docs] System Internals -> Security -> Kerberos
> -----------------------------------------------
>
> Key: HDDS-14480
> URL: https://issues.apache.org/jira/browse/HDDS-14480
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: documentation
> Reporter: Wei-Chiu Chuang
> Assignee: Gargi Jaiswal
> Priority: Major
>
> System Internals -> Security -> Kerberos
>
> h2. Kerberos and SPNEGO in Apache Ozone
> Apache Ozone uses *Kerberos* for strong authentication across its services
> and clients. This ensures that only authenticated users and services can
> access Ozone resources.
> h3. Kerberos Authentication
> Ozone relies on the *Java SASL (Simple Authentication and Security Layer)*
> framework using the *GSS-API* mechanism for Kerberos authentication.
> At startup, each Ozone service role (such as OM, SCM, or DataNode):
> # Uses its *service principal* and *keytab* to authenticate with the
> Kerberos *Key Distribution Center (KDC)*.
> # Uses the local Kerberos client configuration in {{/etc/krb5.conf}}.
> # Assumes that all hosts in the same Ozone cluster typically belong to the
> same *Kerberos realm*.
> Ozone also supports *cross-realm authentication*. Applications and
> services in different Kerberos realms can communicate securely if cross-realm
> trust is properly configured between the realms.
> h3. SPNEGO for HTTP Access
> *SPNEGO (Simple and Protected GSS-API Negotiation Mechanism)* is the
> Kerberos-based authentication mechanism used for HTTP access to Ozone
> services, such as the Ozone Manager (OM) web endpoints.
> SPNEGO is widely supported by modern tools and clients, including:
> * Web browsers (Chrome, Firefox, Safari)
> * Command-line tools such as {{curl}}
> Example using {{curl}} with SPNEGO:
>
> {{curl --negotiate -u : http://om-host.example.com:9874/}}
> In this mode, the client automatically uses the user’s Kerberos credentials
> to authenticate to the Ozone HTTP service without requiring usernames or
> passwords.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
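The issue text above says each Ozone role reads the local client configuration in /etc/krb5.conf, that cluster hosts are expected to share one realm, and that cross-realm access works only when trust is configured between realms. The following is an added example, not code from the Jira issue or from Apache Ozone: a small, self-contained Python audit that parses a constructed krb5.conf, maps hostnames to realms via the domain_realm section, lists the KDCs a realm would contact, and reports whether a capaths entry exists for a client realm reaching a service realm. The sample configuration, hostnames and realm names are constructed; the trust-path logic is a deliberate simplification (an absent capaths entry is reported as "not configured" rather than attempting the hierarchical fallback real Kerberos libraries use).

```python
"""Audit a Kerberos client configuration (krb5.conf) for realm and cross-realm
coverage. Added example; not part of Apache Ozone. All data below is constructed."""
import re

# Constructed sample krb5.conf: an Ozone realm, a separate corporate realm,
# and a one-way capaths entry letting CORP principals reach OZONE services.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = OZONE.EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  OZONE.EXAMPLE.COM = {
    kdc = kdc1.ozone.example.com
    kdc = kdc2.ozone.example.com
    admin_server = kdc1.ozone.example.com
  }
  CORP.EXAMPLE.COM = {
    kdc = kdc.corp.example.com
  }

[domain_realm]
  .ozone.example.com = OZONE.EXAMPLE.COM
  ozone.example.com = OZONE.EXAMPLE.COM
  .corp.example.com = CORP.EXAMPLE.COM

[capaths]
  CORP.EXAMPLE.COM = {
    OZONE.EXAMPLE.COM = .
  }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}. A "NAME = { ... }" block
    (realm entries in [realms] and [capaths]) becomes a nested dict under NAME.
    Repeated keys such as multiple 'kdc' lines are kept in order."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section).setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, host):
    """Resolve a hostname to a realm using [domain_realm]: exact hostname first,
    then each parent domain with a leading dot, most specific first."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate][0]
    return None


def kdcs_for_realm(conf, realm):
    """KDC hosts configured for a realm (empty if the realm has none)."""
    return list(conf.get("realms", {}).get(realm, {}).get("kdc", []))


def trust_path(conf, client_realm, service_realm):
    """Realm hops a client must traverse to reach the service realm.
    [] means same realm; None means no [capaths] entry exists (simplification:
    the hierarchical fallback of real krb5 libraries is not modelled here)."""
    if client_realm == service_realm:
        return []
    hops = conf.get("capaths", {}).get(client_realm, {}).get(service_realm)
    if hops is None:
        return None
    return [h for h in hops if h != "."] + [service_realm]


def audit_access(conf, client_host, service_host):
    """Explain, for a client host and an Ozone service host, which realms are
    involved and what is missing for authentication to succeed."""
    findings = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    client_realm = realm_for_host(conf, client_host) or default_realm
    service_realm = realm_for_host(conf, service_host)
    if service_realm is None:
        findings.append(f"no domain_realm mapping for {service_host}; default realm assumed")
        service_realm = default_realm
    if not kdcs_for_realm(conf, service_realm):
        findings.append(f"no kdc configured for realm {service_realm}")
    path = trust_path(conf, client_realm, service_realm)
    if path is None:
        findings.append(f"no capaths entry from {client_realm} to {service_realm}; "
                        "cross-realm authentication is not configured in this direction")
    return {"client_realm": client_realm, "service_realm": service_realm,
            "path": path, "findings": findings}


CONF = parse_krb5_conf(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    for client, service in [("client.corp.example.com", "om1.ozone.example.com"),
                            ("om1.ozone.example.com", "db.corp.example.com")]:
        print(client, "->", service, audit_access(CONF, client, service))
```

Run against a real /etc/krb5.conf, the same checks surface the two misconfigurations that most often break Ozone SASL/GSS-API logins: a service host whose domain is not mapped to the cluster realm, and a client realm with no capaths route to the Ozone realm. The one-way capaths entry in the sample is intentional: CORP users can reach OZONE services, but the reverse direction is reported as unconfigured.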