From b7d17fd0ae46031c6c6d3add976fa27232735ef7 Mon Sep 17 00:00:00 2001
From: Xiang Zhang <mm1201@mail.ustc.edu.cn>
Date: Wed, 8 Jul 2020 09:37:06 +0800
Subject: [PATCH 1/6] HDDS-2766. security/SecuringDataNodes.md

---
 .../content/security/SecuringDatanodes.zh.md  | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
diff --git a/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md b/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
new file mode 100644
index 000000000000..414adb2400e9
--- /dev/null
+++ b/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
@@ -0,0 +1,53 @@
+---
+title: "安全化 Datanode"
+date: "2019-April-03"
+weight: 2
+summary:  解释安全化 datanode 的不同模式，包括 Kerberos、证书的手动颁发和自动颁发等。
+icon: th
+---
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+
+过去，Hadoop 中 datanode 的安全机制是通过在节点上创建 Keytab 文件实现的，而 Ozone 改用 datanode 证书，在安全的 Ozone 集群中，datanode 不再需要 Kerberos。
+
+但是我们也支持传统的基于 Kerberos 的认证来方便现有用户，用户只需要在 hdfs-site.xml 里配置下面参数即可：
+
+参数名|描述
+--------|--------------
+dfs.datanode.kerberos.principal| datanode 的服务主体名 <br/> 比如：dn/_HOST@REALM.COM
+dfs.datanode.keytab.file| datanode 进程所使用的 keytab 文件
+hdds.datanode.http.kerberos.principal| datanode http 服务器的服务主体名
+hdds.datanode.http.kerberos.keytab| datanode http 服务器所使用的 keytab 文件
+
+
+## 如何安全化 datanode
+
+在 Ozone 中，当 datanode 启动并发现 SCM 的地址之后，datanode 要做的第一件事就是创建私钥并向 SCM 发送证书请求。
+
+<h3>通过 Kerberos 颁发证书<span class="badge badge-secondary">当前模型</span></h3>
+SCM 有一个内置的 CA 用来批准证书请求，如果 datanode 已经有一个 Kerberos keytab，SCM 会信任它并自动颁发一个证书。
+
+
+<h3>手动颁发<span class="badge badge-primary">开发中</span></h3>
+如果 datanode 是新加入的并且没有 keytab，那么证书请求需要等待管理员的批准。换句话说，信任关系链由集群管理员建立。
+
+<h3>自动颁发 <span class="badge badge-secondary">开发中</span></h3>
+如果你通过 Kubernetes 这样的容器编排软件运行 Ozone，Kubernetes 需要为 datanode 创建一次性 token，用于在启动阶段证明 datanode 容器的身份。（这个特性也正在开发中。）
+
+
+证书颁发后，datanode 的安全就得到了保障，并且 OM 可以颁发块 token。如果 datanode 没有证书或者 SCM 的根证书，datanode 会自动进行注册，下载 SCM 的根证书，并获取自己的证书。

From 592bf67f0cd171238bfe45061df880569a0b8d63 Mon Sep 17 00:00:00 2001
From: Xiang Zhang <mm1201@mail.ustc.edu.cn>
Date: Thu, 9 Jul 2020 21:17:52 +0800
Subject: [PATCH 2/6] HDDS-2766. security/SecuringDataNodes.md

---
 .../content/security/SecuringDatanodes.md     | 32 +++++++++----------
 .../content/security/SecuringDatanodes.zh.md  |  8 ++---
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/hadoop-hdds/docs/content/security/SecuringDatanodes.md b/hadoop-hdds/docs/content/security/SecuringDatanodes.md
index 6b7d82365cbf..950b3b9646e9 100644
--- a/hadoop-hdds/docs/content/security/SecuringDatanodes.md
+++ b/hadoop-hdds/docs/content/security/SecuringDatanodes.md
@@ -2,7 +2,7 @@
 title: "Securing Datanodes"
 date: "2019-April-03"
 weight: 2
-summary:  Explains different modes of securing data nodes. These range from kerberos to auto approval.
+summary:  Explains different modes of securing datanodes. These range from kerberos to auto approval.
 icon: th
 ---
 <!---
@@ -24,8 +24,8 @@ icon: th
 
 
 Datanodes under Hadoop is traditionally secured by creating a Keytab file on
-the data nodes. With Ozone, we have moved away to using data node
-certificates. That is, Kerberos on data nodes is not needed in case of a
+the datanodes. With Ozone, we have moved away to using datanode
+certificates. That is, Kerberos on datanodes is not needed in case of a
 secure Ozone cluster.
 
 However, we support the legacy Kerberos based Authentication to make it easy
@@ -40,34 +40,34 @@ hdds.datanode.http.kerberos.principal| Datanode http server service principal.
 hdds.datanode.http.kerberos.keytab| The keytab file used by datanode http server to login as its service principal.
 
 
-## How a data node becomes secure.
+## How a datanode becomes secure.
 
-Under Ozone, when a data node boots up and discovers SCM's address, the first
-thing that data node does is to create a private key and send a certificate
+Under Ozone, when a datanode boots up and discovers SCM's address, the first
+thing that datanode does is to create a private key and send a certificate
 request to the SCM.
 
 <h3>Certificate Approval via Kerberos <span class="badge badge-secondary">Current Model</span></h3>
-SCM has a built-in CA, and SCM has to approve this request. If the data node
+SCM has a built-in CA, and SCM has to approve this request. If the datanode
 already has a Kerberos key tab, then SCM will trust Kerberos credentials and
 issue a certificate automatically.
 
 
 <h3>Manual Approval <span class="badge badge-primary">In Progress</span></h3>
-If these are band new data nodes and Kerberos key tabs are not present at the
-data nodes, then this request for the data nodes identity certificate is
+If these are brand new datanodes and Kerberos key tabs are not present at the
+datanodes, then this request for the datanodes identity certificate is
 queued up for approval from the administrator(This is work in progress,
-not committed in Ozone yet). In other words, the web of trust is established
+not committed in Ozone yet). In other words, the chain of trust is established
 by the administrator of the cluster.
 
 <h3>Automatic Approval <span class="badge badge-secondary">In Progress</span></h3>
 If you running under an container orchestrator like  Kubernetes, we rely on
-Kubernetes to create a one-time token that will be given to data node during
-boot time to prove the identity of the data node container (This is also work
+Kubernetes to create a one-time token that will be given to datanode during
+boot time to prove the identity of the datanode container (This is also work
 in progress.)
 
 
-Once a certificate is issued, a data node is secure and Ozone manager can
-issue block tokens. If there is no data node certificates or the SCM's root
-certificate is not present in the data node, then data node will register
-itself and down load the SCM's root certificate as well get the certificates
+Once a certificate is issued, a datanode is secure and Ozone manager can
+issue block tokens. If there is no datanode certificates or the SCM's root
+certificate is not present in the datanode, then datanode will register
+itself and download the SCM's root certificate as well get the certificates
 for itself.
diff --git a/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md b/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
index 414adb2400e9..d05354804406 100644
--- a/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
+++ b/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
@@ -23,7 +23,7 @@ icon: th
 -->
 
 
-过去，Hadoop 中 datanode 的安全机制是通过在节点上创建 Keytab 文件实现的，而 Ozone 改用 datanode 证书，在安全的 Ozone 集群中，datanode 不再需要 Kerberos。
+Hadoop 中 datanode 的安全机制是通过给每个节点创建 Keytab 文件实现的。Ozone 的 datanode 安全机制不依赖 Kerberos，而是改用 datanode 证书。
 
 但是我们也支持传统的基于 Kerberos 的认证来方便现有用户，用户只需要在 hdfs-site.xml 里配置下面参数即可：
 
@@ -32,19 +32,19 @@ icon: th
 dfs.datanode.kerberos.principal| datanode 的服务主体名 <br/> 比如：dn/_HOST@REALM.COM
 dfs.datanode.keytab.file| datanode 进程所使用的 keytab 文件
 hdds.datanode.http.kerberos.principal| datanode http 服务器的服务主体名
-hdds.datanode.http.kerberos.keytab| datanode http 服务器所使用的 keytab 文件
+hdds.datanode.http.kerberos.keytab| datanode http 服务器的服务主体登录所使用的 keytab 文件
 
 
 ## 如何安全化 datanode
 
-在 Ozone 中，当 datanode 启动并发现 SCM 的地址之后，datanode 要做的第一件事就是创建私钥并向 SCM 发送证书请求。
+在 Ozone 中，当 datanode 启动并发现 SCM 的地址之后，datanode 首先创建私钥并向 SCM 发送证书请求。
 
 <h3>通过 Kerberos 颁发证书<span class="badge badge-secondary">当前模型</span></h3>
 SCM 有一个内置的 CA 用来批准证书请求，如果 datanode 已经有一个 Kerberos keytab，SCM 会信任它并自动颁发一个证书。
 
 
 <h3>手动颁发<span class="badge badge-primary">开发中</span></h3>
-如果 datanode 是新加入的并且没有 keytab，那么证书请求需要等待管理员的批准。换句话说，信任关系链由集群管理员建立。
+如果 datanode 是新加入的并且没有 keytab，那么证书请求需要等待管理员的批（手动批准功能尚未完全支持）。换句话说，信任关系链由集群管理员建立。
 
 <h3>自动颁发 <span class="badge badge-secondary">开发中</span></h3>
 如果你通过 Kubernetes 这样的容器编排软件运行 Ozone，Kubernetes 需要为 datanode 创建一次性 token，用于在启动阶段证明 datanode 容器的身份。（这个特性也正在开发中。）

From a01b99140eeefa6fe50f33d66520cb37f25f0fe9 Mon Sep 17 00:00:00 2001
From: Siyao Meng <50227127+smengcl@users.noreply.github.com>
Date: Thu, 9 Jul 2020 14:41:48 -0700
Subject: [PATCH 3/6] Update SecuringDatanodes.zh.md

hdds.datanode.http.kerberos.principal -> hdds.datanode.http.auth.kerberos.principal

hdds.datanode.http.kerberos.keytab -> hdds.datanode.http.auth.kerberos.keytab
---
 hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md b/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
index d05354804406..6f7b6da1cb3c 100644
--- a/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
+++ b/hadoop-hdds/docs/content/security/SecuringDatanodes.zh.md
@@ -31,8 +31,8 @@ Hadoop 中 datanode 的安全机制是通过给每个节点创建 Keytab 文件
 --------|--------------
 dfs.datanode.kerberos.principal| datanode 的服务主体名 <br/> 比如：dn/_HOST@REALM.COM
 dfs.datanode.keytab.file| datanode 进程所使用的 keytab 文件
-hdds.datanode.http.kerberos.principal| datanode http 服务器的服务主体名
-hdds.datanode.http.kerberos.keytab| datanode http 服务器的服务主体登录所使用的 keytab 文件
+hdds.datanode.http.auth.kerberos.principal| datanode http 服务器的服务主体名
+hdds.datanode.http.auth.kerberos.keytab| datanode http 服务器的服务主体登录所使用的 keytab 文件
 
 
 ## 如何安全化 datanode

From c13475a914c9def798c176bb9eb8e0dce71644d3 Mon Sep 17 00:00:00 2001
From: Siyao Meng <50227127+smengcl@users.noreply.github.com>
Date: Thu, 9 Jul 2020 14:43:06 -0700
Subject: [PATCH 4/6] Update SecuringDatanodes.md

hdds.datanode.http.kerberos.principal -> hdds.datanode.http.auth.kerberos.principal
hdds.datanode.http.kerberos.keytab -> hdds.datanode.http.auth.kerberos.keytab
---
 hadoop-hdds/docs/content/security/SecuringDatanodes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdds/docs/content/security/SecuringDatanodes.md b/hadoop-hdds/docs/content/security/SecuringDatanodes.md
index 950b3b9646e9..b9dd1cc3dc09 100644
--- a/hadoop-hdds/docs/content/security/SecuringDatanodes.md
+++ b/hadoop-hdds/docs/content/security/SecuringDatanodes.md
@@ -36,8 +36,8 @@ Property|Description
 --------|--------------
 dfs.datanode.kerberos.principal|The datanode service principal. <br/> e.g. dn/_HOST@REALM.COM
 dfs.datanode.keytab.file| The keytab file used by datanode daemon to login as its service principal.
-hdds.datanode.http.kerberos.principal| Datanode http server service principal.
-hdds.datanode.http.kerberos.keytab| The keytab file used by datanode http server to login as its service principal.
+hdds.datanode.http.auth.kerberos.principal| Datanode http server service principal.
+hdds.datanode.http.auth.kerberos.keytab| The keytab file used by datanode http server to login as its service principal.
 
 
 ## How a datanode becomes secure.

From b7b69cda2d603d1f10d6be9cd24fd9d699bfc148 Mon Sep 17 00:00:00 2001
From: GitHub actions <noreply@github.com>
Date: Thu, 9 Jul 2020 23:01:57 +0000
Subject: [PATCH 5/6] empty commit to retest build


From c7ea4cbaaa8b643a211217aed3ca6382e5ba7013 Mon Sep 17 00:00:00 2001
From: cxorm <lianp964@gmail.com>
Date: Tue, 22 Sep 2020 20:46:57 +0800
Subject: [PATCH 6/6] trigger new CI check

