Gargi-jais11 commented on code in PR #303:
URL: https://github.com/apache/ozone-site/pull/303#discussion_r2745168322


##########
docs/07-system-internals/05-security/01-kerberos.md:
##########
@@ -53,6 +80,45 @@ If these are brand new Datanodes and Kerberos key tabs are 
not present at the Da
 
 #### Automatic Approval
 
-If you running under an container orchestrator like Kubernetes, we rely on 
Kubernetes to create a one-time token that will be given to Datanode during 
boot time to prove the identity of the Datanode container (This is also work in 
progress.)
+If you are running under a container orchestrator like Kubernetes, we rely on 
Kubernetes to create a one-time token that will be given to Datanode during 
boot time to prove the identity of the Datanode container (This is also work in 
progress.)
 
 Once a certificate is issued, a Datanode is secure and Ozone Manager can issue 
block tokens. If there is no Datanode certificates or the SCM's root 
certificate is not present in the Datanode, then Datanode will register itself 
and download the SCM's root certificate as well get the certificates for itself.
+
+## 4. Kerberos Configurations for SCM, OM, and S3G
+
+### Storage Container Manager
+
+SCM requires **two Kerberos principals**, and the corresponding key tab files 
for both of these principals.
+
+| Property                                | Default Value                      
    | Description                                                               
                                          |
+| --------------------------------------- | 
-------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------
 |
+| `hdds.scm.kerberos.principal`           | `SCM/_HOST@REALM`                  
    | The SCM service principal. e.g. `scm/[email protected]`                     
                                          |
+| `hdds.scm.kerberos.keytab.file`         | `/etc/security/keytabs/SCM.keytab` 
    | The keytab file used by SCM daemon to login as its service principal.     
                                          |
+| `hdds.scm.http.auth.kerberos.principal` | `HTTP/_HOST@REALM`                 
    | SCM HTTP server service principal if SPNEGO is enabled for SCM HTTP 
server.                                         |
+| `hdds.scm.http.auth.kerberos.keytab`    | 
`/etc/security/keytabs/HTTP.keytab`    | The keytab file used by SCM HTTP 
server to login as its service principal if SPNEGO is enabled for SCM HTTP 
server. |
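Review bot: the `Default Value` column presents `SCM/_HOST@REALM` and `HTTP/_HOST@REALM` as if they were usable defaults, but `REALM` is a placeholder that has to be replaced with the site realm and `_HOST` is substituted at runtime, so the section should say that above the table rather than leaving readers to copy the placeholder. The example value in the `hdds.scm.kerberos.principal` row also starts with lowercase `scm/` while the default column reads `SCM/`; Kerberos principal names are case-sensitive and the principal must match the entry in the keytab, so the doc should use one spelling consistently. Nit: the `Automatic Approval` rewrite only fixes grammar, and the unchanged context line `If there is no Datanode certificates` still wants `are no Datanode certificates`.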

Review Comment:
   But I found these values in `ozone-default.xml`, like these, so I think 
these are default values only.
   ```xml
   <property>
     <name>hdds.scm.http.auth.kerberos.principal</name>
     <value>HTTP/_HOST@REALM</value>
     <tag>SCM, SECURITY, KERBEROS</tag>
     <description>
       SCM http server service principal if SPNEGO is enabled for SCM http server.
     </description>
   </property>
   <property>
     <name>hdds.scm.http.auth.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
     <tag>SCM, SECURITY, KERBEROS</tag>
     <description>
       The keytab file used by SCM http server to login as its service
       principal if SPNEGO is enabled for SCM http server.
     </description>
   </property>
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
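To make the defaults-versus-overrides point in the comment above concrete, here is an added example (my code, not code from the PR, the ozone-site docs or the Ozone project): a small Python script that parses Hadoop-style configuration XML like the `ozone-default.xml` fragment quoted in the comment, layers an `ozone-site.xml` over it, expands `_HOST` to the host's FQDN following the Hadoop convention, and lists any SCM Kerberos principal property whose effective value still ends in the placeholder `@REALM`. The two XML fragments, the realm `EXAMPLE.COM` and the hostname used in the check are constructed for the example.

```python
"""Resolve effective Ozone Kerberos settings and flag unreplaced placeholders.

Added example, not code from the ozone-site PR or the Ozone project. It
parses Hadoop-style configuration XML, layers ozone-site.xml over
ozone-default.xml (site values win, everything else keeps the default),
expands the `_HOST` token to the local FQDN, and reports any SCM Kerberos
principal property whose effective value still carries the `@REALM`
placeholder shipped in ozone-default.xml. The XML below is constructed.
"""
import socket
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the entries quoted in the review comment.
OZONE_DEFAULT_XML = """<configuration>
  <property>
    <name>hdds.scm.kerberos.principal</name>
    <value>SCM/_HOST@REALM</value>
  </property>
  <property>
    <name>hdds.scm.kerberos.keytab.file</name>
    <value>/etc/security/keytabs/SCM.keytab</value>
  </property>
  <property>
    <name>hdds.scm.http.auth.kerberos.principal</name>
    <value>HTTP/_HOST@REALM</value>
  </property>
  <property>
    <name>hdds.scm.http.auth.kerberos.keytab</name>
    <value>/etc/security/keytabs/HTTP.keytab</value>
  </property>
</configuration>
"""

# Constructed site file: an operator who set the service principal but forgot
# the SPNEGO one. The realm EXAMPLE.COM is hypothetical.
OZONE_SITE_XML = """<configuration>
  <property>
    <name>hdds.scm.kerberos.principal</name>
    <value>scm/_HOST@EXAMPLE.COM</value>
  </property>
</configuration>
"""

KERBEROS_PRINCIPAL_PROPS = (
    "hdds.scm.kerberos.principal",
    "hdds.scm.http.auth.kerberos.principal",
)


def parse_config(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config XML."""
    root = ET.fromstring(xml_text)
    conf = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None and value is not None:
            conf[name.strip()] = value.strip()
    return conf


def effective_config(default_xml, site_xml):
    """Site values override defaults; unset properties keep the default."""
    conf = parse_config(default_xml)
    conf.update(parse_config(site_xml))
    return conf


def expand_host(principal, fqdn):
    """Replace the _HOST token with the host's FQDN (Hadoop convention)."""
    return principal.replace("_HOST", fqdn)


def unreplaced_placeholders(conf, fqdn):
    """Principal properties whose effective value still ends in the literal
    @REALM placeholder, i.e. the operator never overrode the shipped default."""
    bad = []
    for name in KERBEROS_PRINCIPAL_PROPS:
        value = expand_host(conf.get(name, ""), fqdn)
        if value.endswith("@REALM"):
            bad.append(name)
    return bad


if __name__ == "__main__":
    fqdn = socket.getfqdn()
    conf = effective_config(OZONE_DEFAULT_XML, OZONE_SITE_XML)
    for name in KERBEROS_PRINCIPAL_PROPS:
        print(name, "=", expand_host(conf[name], fqdn))
    for name in unreplaced_placeholders(conf, fqdn):
        print("still at placeholder default:", name)
```

Run against a real deployment by reading the two files instead of the embedded strings; a non-empty result from `unreplaced_placeholders` means the daemon would try to log in as a principal in the literal realm `REALM`, which no KDC will issue tickets for.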

