[ https://issues.apache.org/jira/browse/HDDS-14480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18054564#comment-18054564 ]

Gargi Jaiswal commented on HDDS-14480:
--------------------------------------

[~weichiu]  
[https://ozone-site-v2.staged.apache.org/docs/system-internals/security/kerberos|https://ozone-site-v2.staged.apache.org/docs/system-internals/features/]
This page already contains information about *How Ozone Uses Kerberos* and 
*How to secure Datanodes*. So do you want the above content to be added to 
this page, or should I create a subpage under Kerberos, say *Kerberos and SPNEGO*?

> [Docs] System Internals -> Security -> Kerberos
> -----------------------------------------------
>
>                 Key: HDDS-14480
>                 URL: https://issues.apache.org/jira/browse/HDDS-14480
>             Project: Apache Ozone
>          Issue Type: Sub-task
>          Components: documentation
>            Reporter: Wei-Chiu Chuang
>            Assignee: Gargi Jaiswal
>            Priority: Major
>
> System Internals -> Security -> Kerberos
>  
> h2. Kerberos and SPNEGO in Apache Ozone
> Apache Ozone uses *Kerberos* for strong authentication across its services 
> and clients. This ensures that only authenticated users and services can 
> access Ozone resources.
> h3. Kerberos Authentication
> Ozone relies on the *Java SASL (Simple Authentication and Security Layer)* 
> framework using the *GSS-API* mechanism for Kerberos authentication.
> At startup, each Ozone service role (such as OM, SCM, or DataNode):
>  # Uses its *service principal* and *keytab* to authenticate with the 
> Kerberos {*}Key Distribution Center (KDC){*}.
>  # Uses the local Kerberos client configuration in {{{}/etc/krb5.conf{}}}.
>  # Assumes that all hosts in the same Ozone cluster typically belong to the 
> same {*}Kerberos realm{*}.
> Ozone also supports {*}cross-realm authentication{*}. Applications and 
> services in different Kerberos realms can communicate securely if cross-realm 
> trust is properly configured between the realms.
> h3. SPNEGO for HTTP Access
> *SPNEGO (Simple and Protected GSS-API Negotiation Mechanism)* is the 
> Kerberos-based authentication mechanism used for HTTP access to Ozone 
> services, such as the Ozone Manager (OM) web endpoints.
> SPNEGO is widely supported by modern tools and clients, including:
>  * Web browsers (Chrome, Firefox, Safari)
>  * Command-line tools such as {{curl}}
> Example using {{curl}} with SPNEGO:
> {{curl --negotiate -u : http://om-host.example.com:9874/}}
> In this mode, the client automatically uses the user’s Kerberos credentials 
> to authenticate to the Ozone HTTP service without requiring usernames or 
> passwords.
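
As an added example (not part of the issue text or the Ozone docs), the following script checks whether an Ozone HTTP endpoint such as the OM web UI actually enforces the SPNEGO flow described above: an anonymous request should be refused with HTTP 401 and a `WWW-Authenticate: Negotiate` challenge, which is what makes `curl --negotiate -u :` necessary in the first place. The header blocks it classifies are constructed samples; the host name and port are the ones from the description.

```sh
#!/bin/sh
# Added example: classify the response headers of an *unauthenticated*
# request to an Ozone web endpoint, e.g. the output of
#   curl -sI http://om-host.example.com:9874/
# Result written to stdout:
#   spnego-enforced  401 with a "WWW-Authenticate: Negotiate" challenge
#   other-auth       401 but no Negotiate challenge (e.g. only Basic)
#   anonymous-ok     2xx to an anonymous client, i.e. SPNEGO is not required
#   unknown          anything else (redirects, errors, empty input)
classify_headers() {
    hdrs=$(tr -d '\r')   # curl emits CRLF line endings
    status=$(printf '%s\n' "$hdrs" |
        sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    # Authentication schemes offered; one per line if several headers exist
    schemes=$(printf '%s\n' "$hdrs" | grep -i '^WWW-Authenticate:' |
        sed 's/^[^:]*:[[:space:]]*//' | cut -d' ' -f1)
    case "$status" in
        401)
            if printf '%s\n' "$schemes" | grep -qi '^negotiate$'; then
                echo spnego-enforced
            else
                echo other-auth
            fi ;;
        2[0-9][0-9]) echo anonymous-ok ;;
        *) echo unknown ;;
    esac
}

# Constructed sample responses (not captured from a real cluster).
SECURE_RESPONSE='HTTP/1.1 401 Authentication required
Date: Mon, 01 Jan 2024 00:00:00 GMT
WWW-Authenticate: Negotiate
Content-Length: 0'

OPEN_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8'

# Walk the samples; against a live host replace the printf with
#   curl -sI "http://om-host.example.com:9874/" | classify_headers
printf 'secure sample : %s\n' "$(printf '%s\n' "$SECURE_RESPONSE" | classify_headers)"
printf 'open sample   : %s\n' "$(printf '%s\n' "$OPEN_RESPONSE" | classify_headers)"
```

A result of `anonymous-ok` on a cluster that is supposed to be Kerberized means the web endpoint is reachable without the SPNEGO negotiation the page describes and the HTTP security settings should be reviewed.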



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
