rich7420 commented on code in PR #303:
URL: https://github.com/apache/ozone-site/pull/303#discussion_r2745124649
##########
docs/07-system-internals/05-security/01-kerberos.md:
##########
@@ -53,6 +80,45 @@ If these are brand new Datanodes and Kerberos key tabs are
not present at the Da
#### Automatic Approval
-If you running under an container orchestrator like Kubernetes, we rely on
Kubernetes to create a one-time token that will be given to Datanode during
boot time to prove the identity of the Datanode container (This is also work in
progress.)
+If you are running under a container orchestrator like Kubernetes, we rely on
Kubernetes to create a one-time token that will be given to Datanode during
boot time to prove the identity of the Datanode container (This is also work in
progress.)
Once a certificate is issued, a Datanode is secure and Ozone Manager can issue
block tokens. If there is no Datanode certificates or the SCM's root
certificate is not present in the Datanode, then Datanode will register itself
and download the SCM's root certificate as well get the certificates for itself.
+
+## 4. Kerberos Configurations for SCM, OM, and S3G
+
+### Storage Container Manager
+
+SCM requires **two Kerberos principals**, and the corresponding key tab files
for both of these principals.
+
+| Property | Default Value
| Description
|
+| --------------------------------------- |
-------------------------------------- |
-------------------------------------------------------------------------------------------------------------------
|
+| `hdds.scm.kerberos.principal` | `SCM/_HOST@REALM`
| The SCM service principal. e.g. `scm/[email protected]`
|
+| `hdds.scm.kerberos.keytab.file` | `/etc/security/keytabs/SCM.keytab`
| The keytab file used by SCM daemon to login as its service principal.
|
+| `hdds.scm.http.auth.kerberos.principal` | `HTTP/_HOST@REALM`
| SCM HTTP server service principal if SPNEGO is enabled for SCM HTTP
server. |
+| `hdds.scm.http.auth.kerberos.keytab` |
`/etc/security/keytabs/HTTP.keytab` | The keytab file used by SCM HTTP
server to login as its service principal if SPNEGO is enabled for SCM HTTP
server. |
+
+### Ozone Manager
+
+Like SCM, OM also requires **two Kerberos principals**, and the corresponding
key tab files for both of these principals.
+
+| Property | Default Value
| Description
|
+| --------------------------------------- | ----------------------------------
|
-----------------------------------------------------------------------------------------------------------------
|
+| `ozone.om.kerberos.principal` | `OM/_HOST@REALM`
| The OzoneManager service principal. e.g. `om/[email protected]`
|
+| `ozone.om.kerberos.keytab.file` | `/etc/security/keytabs/OM.keytab`
| The keytab file used by OM daemon to login as its service principal.
|
+| `ozone.om.http.auth.kerberos.principal` | `HTTP/_HOST@REALM`
| Ozone Manager HTTP server service principal if SPNEGO is enabled for OM HTTP
server. |
+| `ozone.om.http.auth.kerberos.keytab` |
`/etc/security/keytabs/HTTP.keytab`| The keytab file used by OM HTTP server to
login as its service principal if SPNEGO is enabled for OM HTTP server. |
+
+### S3 Gateway
+
+S3 Gateway requires **one service principal** and here the configuration
values needed in the `ozone-site.xml`.
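Review bot: The principal defaults and the examples in both tables disagree on case (`SCM/_HOST@REALM` beside `scm/[email protected]`, `OM/_HOST@REALM` beside `om/[email protected]`); Kerberos principal names are case-sensitive, so pick one spelling for the default and the example and use it in the keytab file names too. The `_HOST` placeholder appears in every principal default but is never explained; a sentence saying it is substituted with the daemon's fully qualified hostname at startup would save readers a guess. The S3 Gateway paragraph says "one service principal" while SCM and OM each document a service principal plus an `http.auth.kerberos` pair for SPNEGO; either document the S3G HTTP pair the same way or state that S3G has no SPNEGO principal. Finally, since these tables introduce keytab paths under `/etc/security/keytabs/`, one line noting that each keytab must be owned by and readable only by the corresponding service account would make the section complete from a hardening standpoint.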
Review Comment:
```suggestion
S3 Gateway requires at least one Kerberos principal for the gateway service
(`ozone.s3g.kerberos.principal` and `ozone.s3g.kerberos.keytab.file`). If
SPNEGO is enabled for the S3 Gateway HTTP server, configure a second principal
and keytab via `ozone.s3g.http.auth.kerberos.principal` and
`ozone.s3g.http.auth.kerberos.keytab`. All of these are set in `ozone-site.xml`.
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]