chungen0126 commented on code in PR #303:
URL: https://github.com/apache/ozone-site/pull/303#discussion_r2745286020
##########
docs/07-system-internals/05-security/01-kerberos.md:
##########
@@ -53,6 +80,45 @@ If these are brand new Datanodes and Kerberos key tabs are
not present at the Da
#### Automatic Approval
-If you running under an container orchestrator like Kubernetes, we rely on
Kubernetes to create a one-time token that will be given to Datanode during
boot time to prove the identity of the Datanode container (This is also work in
progress.)
+If you are running under a container orchestrator like Kubernetes, we rely on
Kubernetes to create a one-time token that will be given to Datanode during
boot time to prove the identity of the Datanode container (This is also work in
progress.)
Once a certificate is issued, a Datanode is secure and Ozone Manager can issue
block tokens. If there is no Datanode certificates or the SCM's root
certificate is not present in the Datanode, then Datanode will register itself
and download the SCM's root certificate as well get the certificates for itself.
+
+## 4. Kerberos Configurations for SCM, OM, and S3G
+
+### Storage Container Manager
+
+SCM requires **two Kerberos principals**, and the corresponding key tab files
for both of these principals.
+
+| Property | Default Value
| Description
|
+| --------------------------------------- |
-------------------------------------- |
-------------------------------------------------------------------------------------------------------------------
|
+| `hdds.scm.kerberos.principal` | `SCM/_HOST@REALM`
| The SCM service principal. e.g. `scm/[email protected]`
|
+| `hdds.scm.kerberos.keytab.file` | `/etc/security/keytabs/SCM.keytab`
| The keytab file used by SCM daemon to login as its service principal.
|
+| `hdds.scm.http.auth.kerberos.principal` | `HTTP/_HOST@REALM`
| SCM HTTP server service principal if SPNEGO is enabled for SCM HTTP
server. |
+| `hdds.scm.http.auth.kerberos.keytab` |
`/etc/security/keytabs/HTTP.keytab` | The keytab file used by SCM HTTP
server to login as its service principal if SPNEGO is enabled for SCM HTTP
server. |
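Review bot: the principal case is inconsistent in the new SCM table: the default for `hdds.scm.kerberos.principal` is given as `SCM/_HOST@REALM` (and the keytab default as `SCM.keytab`), but the example in the same row uses lowercase `scm/...`. Kerberos principal names are case-sensitive, so an operator copying the example will end up with a principal that does not match a keytab or ACL created from the default. Pick one spelling and use it in both the default column and the example, and state which one Ozone actually expects. Separately, the unchanged context line "If there is no Datanode certificates or the SCM's root certificate is not present" should read "If there are no Datanode certificates ..."; it is worth fixing while this paragraph is being touched.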
Review Comment:
My bad, I see them now in `ozone-default.xml`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]