[ https://issues.apache.org/jira/browse/HDDS-15189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18078744#comment-18078744 ]

Wei-Chiu Chuang commented on HDDS-15189:
----------------------------------------

In Apache Ozone, mTLS requirements are split across two distinct communication layers:

┌─────────────────────┬──────────────┬──────────────────────┬────────────────────────────────────────────────┐
│ Communication Layer │ Protocol     │ mTLS Requirement     │ Configuration Key(s)                           │
├─────────────────────┼──────────────┼──────────────────────┼────────────────────────────────────────────────┤
│ Peer-to-Peer (Core) │ gRPC / Ratis │ Required (Hardcoded) │ ozone.security.enabled & hdds.grpc.tls.enabled │
│ Management / Web    │ HTTPS        │ Optional             │ ozone.https.client.need-auth (Default: false)  │
└─────────────────────┴──────────────┴──────────────────────┴────────────────────────────────────────────────┘

For the primary peer-to-peer communication (consensus, replication, heartbeats), Ozone effectively mandates mTLS by default whenever TLS is enabled in a secure cluster, using the SCM's internal Certificate Authority to issue and verify peer identities. For the HTTPS layer, mTLS is an optional extra security measure.

Clients (including the S3 Gateway) are often treated as "external" entities. While the S3 Gateway is part of the Ozone distribution, it utilizes the standard client libraries which are designed to work from machines that don't have SCM-issued certificates, relying instead on Kerberos for identity and tokens for data access.

> [Docs] mTLS usage in Ozone
> --------------------------
>
>                 Key: HDDS-15189
>                 URL: https://issues.apache.org/jira/browse/HDDS-15189
>             Project: Apache Ozone
>          Issue Type: Task
>          Components: documentation
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>            Priority: Major
>
> The web UI page mentions mTLS for the web UI for clients: 
> https://ozone.apache.org/docs/next/administrator-guide/configuration/basic/network/default-ports/
>  
> We need to mTLS usage within the cluster in the default ports used by Ozone: 
> https://ozone.apache.org/docs/next/administrator-guide/configuration/basic/network/default-ports/
>  or configuring gRPC with TLS: 
> https://ozone.apache.org/docs/next/administrator-guide/configuration/security/encryption/network-encryption/grpc
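The comment above gives a small decision rule for which Ozone layer actually enforces mTLS: peer-to-peer gRPC/Ratis does whenever the cluster is secure and gRPC TLS is on, while the HTTPS layer does only if `ozone.https.client.need-auth` is set (default false). The following script is an added example, not code from the Ozone project or from the commenter: it parses a Hadoop-style `ozone-site.xml` and reports, per layer, whether mTLS is in effect and what a reviewer would flag. It assumes that `ozone.security.enabled` and `hdds.grpc.tls.enabled` default to false when absent (the thread states a default only for `ozone.https.client.need-auth`); the sample configuration embedded in it is constructed for the demonstration.

```python
"""Audit an Ozone site configuration for effective mTLS enforcement per layer.

Added example; the decision rule follows the Jira comment above, not Ozone's
own source. Defaults for the first two keys are assumptions.
"""
import xml.etree.ElementTree as ET

# Configuration keys named in the comment.
SECURITY_ENABLED = "ozone.security.enabled"
GRPC_TLS_ENABLED = "hdds.grpc.tls.enabled"
HTTPS_NEED_AUTH = "ozone.https.client.need-auth"

# Value used when a key is absent. The comment states the default only for
# ozone.https.client.need-auth (false); the other two are ASSUMED false here.
ASSUMED_DEFAULTS = {
    SECURITY_ENABLED: "false",
    GRPC_TLS_ENABLED: "false",
    HTTPS_NEED_AUTH: "false",
}


def parse_hadoop_xml(text: str) -> dict:
    """Parse a Hadoop-style <configuration> document into a name -> value dict."""
    root = ET.fromstring(text)
    if root.tag != "configuration":
        raise ValueError(f"expected <configuration> root, got <{root.tag}>")
    conf = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if not name or not name.strip():
            raise ValueError("<property> without a <name>")
        conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def is_true(conf: dict, key: str) -> bool:
    """Boolean view of a key, falling back to the assumed default when unset."""
    return conf.get(key, ASSUMED_DEFAULTS[key]).strip().lower() == "true"


def audit_mtls(conf: dict) -> dict:
    """Apply the two-layer rule from the comment and collect review findings."""
    security = is_true(conf, SECURITY_ENABLED)
    grpc_tls = is_true(conf, GRPC_TLS_ENABLED)
    need_auth = is_true(conf, HTTPS_NEED_AUTH)

    # Peer-to-peer gRPC/Ratis: in a secure cluster, TLS on means mTLS on (hardcoded).
    p2p_tls = security and grpc_tls

    findings = []
    if not security:
        findings.append(f"{SECURITY_ENABLED} is false: cluster is not secure, "
                        "no SCM-issued peer identities, no mTLS on either layer")
    elif not grpc_tls:
        findings.append(f"{GRPC_TLS_ENABLED} is false: peer-to-peer gRPC/Ratis "
                        "traffic is not TLS-protected")
    if not need_auth:
        findings.append(f"{HTTPS_NEED_AUTH} is false (default): the HTTPS layer "
                        "does not require client certificates")

    return {
        "peer_to_peer": {"tls": p2p_tls, "mtls": p2p_tls},
        # HTTPS client auth is reported straight from the optional key.
        "https": {"mtls": need_auth},
        "findings": findings,
    }


# Constructed sample: a secure cluster with gRPC TLS on and HTTPS client auth left at default.
SAMPLE_OZONE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hdds.grpc.tls.enabled</name><value>true</value></property>
</configuration>
"""


def audit_sample() -> dict:
    """Run the audit over the constructed sample configuration."""
    return audit_mtls(parse_hadoop_xml(SAMPLE_OZONE_SITE))


if __name__ == "__main__":
    report = audit_sample()
    print("peer-to-peer mTLS:", report["peer_to_peer"]["mtls"])
    print("HTTPS mTLS:       ", report["https"]["mtls"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Running it against the sample reports peer-to-peer mTLS as in effect and one finding for the HTTPS layer; an empty configuration reports no mTLS anywhere and two findings. Point it at a real `ozone-site.xml` by reading the file into `parse_hadoop_xml` instead of the embedded sample.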



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
