--- title: "Setup secure ozone cluster" date: "2019-April-03" menu: main: parent: Architecture weight: 11 --- # Setup secure ozone cluster # To enable security in ozone cluster **ozone.security.enabled** should be set to true. Property|Value ----------------------|------ ozone.security.enabled| true ## Kerberos ## Configuration for service daemons: Property|Description --------|------------------------------------------------------------ hdds.scm.kerberos.principal | The SCM service principal. Ex scm/_HOST@REALM.COM_ hdds.scm.kerberos.keytab.file |The keytab file used by SCM daemon to login as its service principal. ozone.om.kerberos.principal |The OzoneManager service principal. Ex om/_HOST@REALM.COM ozone.om.kerberos.keytab.file |The keytab file used by SCM daemon to login as its service principal. hdds.scm.http.kerberos.principal|SCM http server service principal. hdds.scm.http.kerberos.keytab.file|The keytab file used by SCM http server to login as its service principal. ozone.om.http.kerberos.principal|OzoneManager http server principal. ozone.om.http.kerberos.keytab.file|The keytab file used by OM http server to login as its service principal. ozone.s3g.keytab.file |The keytab file used by S3 gateway. Ex /etc/security/keytabs/HTTP.keytab ozone.s3g.authentication.kerberos.principal|S3 Gateway principal. Ex HTTP/_HOST@EXAMPLE.COM ## Tokens ## ## Delegation token ## Delegation tokens are enabled by default when security is enabled. ## Block Tokens ## Property|Value -----------------------------|------ hdds.block.token.enabled | true ## S3Token ## S3 token are enabled by default when security is enabled. To use S3 tokens users need to perform following steps: * S3 clients should get the secret access id and user secret from OzoneManager. ``` ozone s3 getsecret ``` * Setup secret in aws configs: ``` aws configure set default.s3.signature_version s3v4 aws configure set aws_access_key_id ${accessId} aws configure set aws_secret_access_key ${secret} aws configure set region us-west-1 ``` ## Certificates ## Certificates are used internally inside Ozone. Its enabled be default when security is enabled. ## Authorization ## Default access authorizer for Ozone approves every request. It is not suitable for production environments. It is recommended that clients use ranger plugin for Ozone to manage authorizations. Property|Value --------|------------------------------------------------------------ ozone.acl.enabled | true ozone.acl.authorizer.class| org.apache.ranger.authorization.ozone.authorizer.RangerOzoneAuthorizer ## TDE ## To use TDE clients must set KMS URI. Property|Value -----------------------------------|----------------------------------------- hadoop.security.key.provider.path | KMS uri. Ex kms://http@kms-host:9600/kms