diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
index cfecd0f66e..212966e0ff 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
@@ -365,7 +365,7 @@ public final class ScmConfigKeys {
 "hdds.scm.http.kerberos.principal";
 public static final String HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
- "hdds.scm.http.kerberos.keytab.file";
+ "hdds.scm.http.kerberos.keytab";
 // Network topology
 public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE =
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index f4e4ce5e1e..abd36041aa 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1819,7 +1819,7 @@ HTTP/_HOST@EXAMPLE.COM
- hdds.scm.http.kerberos.keytab.file
+ hdds.scm.http.kerberos.keytab
 /etc/security/keytabs/HTTP.keytab
@@ -1831,7 +1831,7 @@
- ozone.om.http.kerberos.keytab.file
+ ozone.om.http.kerberos.keytab
 /etc/security/keytabs/HTTP.keytab OzoneManager http server kerberos keytab.
diff --git a/hadoop-hdds/docs/content/security/SecureOzone.md b/hadoop-hdds/docs/content/security/SecureOzone.md
index 73da57c625..cf6668b44d 100644
--- a/hadoop-hdds/docs/content/security/SecureOzone.md
+++ b/hadoop-hdds/docs/content/security/SecureOzone.md
@@ -102,7 +102,7 @@ All these settings should be made in ozone-site.xml. SCM http server service principal.
- hdds.scm.http.kerberos.keytab.file
+ hdds.scm.http.kerberos.keytab
 The keytab file used by SCM http server to login as its service principal. 
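Review bot: Changing the property string to `hdds.scm.http.kerberos.keytab` while the constant keeps its old name `HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY` means an existing ozone-site.xml that still sets `hdds.scm.http.kerberos.keytab.file` is silently ignored, and the SCM HTTP server would then presumably start without the keytab it needs to log in as its service principal rather than failing loudly. Unless dropping the old key is intended, register a deprecation wherever the project already maps renamed keys, e.g. `Configuration.addDeprecation("hdds.scm.http.kerberos.keytab.file", HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY);`, and give the constant a Javadoc line such as `/** Keytab for the SCM HTTP server principal; formerly hdds.scm.http.kerberos.keytab.file. */`. The same point applies to `OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE` in the OMConfigKeys hunk, and the ozone-default.xml, SecureOzone.md and docker-config hunks only follow the rename. The enclosing class continues outside the hunk.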
@@ -126,7 +126,7 @@ All these settings should be made in ozone-site.xml.
- ozone.om.kerberos.principal
+ ozone.om.kerberos.principal
 The OzoneManager service principal. e.g. om/_HOST@REALM .COM
@@ -139,7 +139,7 @@ All these settings should be made in ozone-site.xml. Ozone Manager http server service principal.
- ozone.om.http.kerberos.keytab.file
+ ozone.om.http.kerberos.keytab
 The keytab file used by OM http server to login as its service principal.
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
index 35431faa02..dcb9b5cdea 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
@@ -213,7 +213,7 @@ private OMConfigKeys() {
 public static final String OZONE_OM_KERBEROS_PRINCIPAL_KEY = "ozone.om" + ".kerberos.principal";
 public static final String OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE =
- "ozone.om.http.kerberos.keytab.file";
+ "ozone.om.http.kerberos.keytab";
 public static final String OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY =
 "ozone.om.http.kerberos.principal";
 // Delegation token related keys
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
index e427185f36..6565eefeac 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config 
@@ -35,9 +35,9 @@ OZONE_SITE.XML_ozone.administrators=*
 OZONE-SITE.XML_ozone.security.enabled=true
 OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
 HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
 HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
index ebe1f772c6..60d1fcf6eb 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
@@ -43,9 +43,9 @@ OZONE-SITE.XML_ozone.acl.enabled=true
 OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
 OZONE-SITE.XML_ozone.administrators=*
 OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
 HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
 HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM 
@@ -58,6 +58,21 @@ CORE-SITE.XML_hadoop.security.authentication=kerberos
 CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1@$0](.*)s/.*/root/
 CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms
+CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
+CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
+CORE-SITE.XML_hadoop.http.authentication.type=kerberos
+CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
+ LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server .AuthenticationFilter=DEBUG
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server .KerberosAuthenticationHandler=TRACE
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.http.HttpServer2=TRACE
+
+
+
 CORE-SITE.XML_hadoop.security.authorization=true
 HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=*
 HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=*
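Review bot: The `LOG4J.PROPERTIES_` keys for `AuthenticationFilter` and `KerberosAuthenticationHandler` appear to be wrapped onto two physical lines in this hunk, so as committed the logger name would end at `...authentication.server` and the `.AuthenticationFilter=DEBUG` fragment would become a separate, malformed entry; if the wrap is real and not an artifact of how this diff was rendered, each key belongs on one line, e.g. `LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server.AuthenticationFilter=DEBUG`. The new `hadoop.http.authentication.signature.secret.file=/etc/security/http_secret` points at a file that nothing in this hunk creates; whatever provisions the keytabs for this compose presumably has to create it as well, readable only by the service user, and a comment next to the line naming where it comes from would save the next reader a search. TRACE on `KerberosAuthenticationHandler` and `HttpServer2` is reasonable for a debugging compose but makes the container logs very chatty, presumably down to per-request detail, so a comment such as `# debug-only logging for HTTP SPNEGO troubleshooting; not for production use` would make the intent explicit for anyone copying this file.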