From 1482468c81bffb25ae472da7b3bed346452cb8a2 Mon Sep 17 00:00:00 2001
From: "yiyang.zhou"
Date: Wed, 13 Jan 2021 12:06:56 +0800
Subject: [PATCH 1/8] HDDS-2212. Genconf tool should generate config files for secure cluster setup
---
 .../GenerateOzoneRequiredConfigurations.java | 28 +++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java
index 94557cc1668b..750bcd77115a 100644
--- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java
@@ -26,6 +26,7 @@
 import org.apache.hadoop.ozone.OzoneConsts;
 import org.apache.hadoop.ozone.om.OMConfigKeys;
 import picocli.CommandLine.Command;
+import picocli.CommandLine.Option;
 import picocli.CommandLine.Parameters;
 import picocli.CommandLine.PicocliException;
 
@@ -61,6 +62,9 @@ public final class GenerateOzoneRequiredConfigurations extends GenericCli {
       description = "Directory path where ozone-site file should be generated.")
   private String path;
 
+  @Option(names = "--security", description = "Generate security config.")
+  private boolean genSecurityConf;
+
   /**
    * Entry point for using genconf tool.
    *
@@ -73,7 +77,7 @@ public static void main(String[] args) throws Exception {
   @Override
   public Void call() throws Exception {
-    generateConfigurations(path);
+    generateConfigurations(path, genSecurityConf);
     return null;
   }
@@ -85,6 +89,19 @@ public Void call() throws Exception {
    */
   public static void generateConfigurations(String path) throws
       PicocliException, JAXBException, IOException {
+    generateConfigurations(path, false);
+  }
+
+  /**
+   * Generate ozone-site.xml at specified path.
+   * @param path
+   * @param genSecurityConf
+   * @throws PicocliException
+   * @throws JAXBException
+   */
+  public static void generateConfigurations(String path,
+      boolean genSecurityConf) throws
+      PicocliException, JAXBException, IOException {
     if (!isValidPath(path)) {
       throw new PicocliException("Invalid directory path.");
@@ -108,7 +125,8 @@ public static void generateConfigurations(String path) throws
     List requiredProperties = new ArrayList<>();
     for (OzoneConfiguration.Property p : allProperties) {
-      if (p.getTag() != null && p.getTag().contains("REQUIRED")) {
+      if (p.getTag() != null && (p.getTag().contains("REQUIRED") ||
+          (genSecurityConf && p.getTag().contains("SECURITY")))) {
         if (p.getName().equalsIgnoreCase(
             OzoneConfigKeys.OZONE_METADATA_DIRS)) {
           p.setValue(System.getProperty(OzoneConsts.JAVA_TMP_DIR));
@@ -124,9 +142,9 @@ public static void generateConfigurations(String path) throws
       }
     }
 
-    OzoneConfiguration.XMLConfiguration requiredConfig =
+    OzoneConfiguration.XMLConfiguration generatedConfig =
         new OzoneConfiguration.XMLConfiguration();
-    requiredConfig.setProperties(requiredProperties);
+    generatedConfig.setProperties(requiredProperties);
 
     File output = new File(path, "ozone-site.xml");
     if(output.createNewFile()){
@@ -134,7 +152,7 @@ public static void generateConfigurations(String path) throws
         JAXBContext.newInstance(OzoneConfiguration.XMLConfiguration.class);
     Marshaller m = context.createMarshaller();
     m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
-    m.marshal(requiredConfig, output);
+    m.marshal(generatedConfig, output);
     System.out.println("ozone-site.xml has been generated at " + path);
   } else {
From 9ca993ae5a260da0d2484b3f1be7bffca200f6f5 Mon Sep 17 00:00:00 2001
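Review bot: The Javadoc on the new two-argument `generateConfigurations` overload (hunk `@@ -85,6 +89,19 @@`) has empty `@param path` and `@param genSecurityConf` tags and omits `@throws IOException`, which the signature declares. Suggest `@param path directory in which ozone-site.xml is written`, `@param genSecurityConf when true, properties tagged SECURITY are emitted in addition to the REQUIRED ones`, and `@throws IOException if ozone-site.xml cannot be created or written`. The single-argument overload that now delegates with `false` could also say in its Javadoc that it produces the non-secure configuration. The method body continues past the hunk.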
From: "yiyang.zhou"
Date: Thu, 21 Jan 2021 21:22:36 +0800
Subject: [PATCH 2/8] HDDS-2212. Fix genconfHelp()
---
 .../ozone/genconf/TestGenerateOzoneRequiredConfigurations.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java b/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java
index 8a66a1443209..e897ba56ac05 100644
--- a/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java
+++ b/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java
@@ -242,7 +242,7 @@ public void genconfPathNotSpecified() throws Exception {
   public void genconfHelp() throws Exception {
     File tempPath = getRandomTempDir();
     String[] args = new String[]{"--help"};
-    execute(args, "Usage: ozone genconf [-hV] [--verbose]");
+    execute(args, "Usage: ozone genconf [-hV] [--security] [--verbose]");
   }
 
   private File getRandomTempDir() throws IOException {
From fce1bf98207d8a56e5359f47e6af87ed45ddfe1a Mon Sep 17 00:00:00 2001
From: Symious
Date: Sat, 13 Feb 2021 17:39:07 +0800
Subject: [PATCH 3/8] HDDS-2212. Add the tag of KERBEROS for security configuration initialization
---
 .../apache/hadoop/ozone/OzoneConfigKeys.java | 2 +
 .../org/apache/hadoop/ozone/OzoneConsts.java | 8 +
 .../src/main/resources/ozone-default.xml | 140 ++++++++++++------
 .../GenerateOzoneRequiredConfigurations.java | 20 ++-
 4 files changed, 124 insertions(+), 46 deletions(-)
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
index 199242632bf5..460803ef22b4 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
@@ -330,6 +330,8 @@ public final class OzoneConfigKeys {
   public static final String OZONE_HTTP_SECURITY_ENABLED_KEY =
       "ozone.security.http.kerberos.enabled";
   public static final boolean OZONE_HTTP_SECURITY_ENABLED_DEFAULT = false;
+  public static final String OZONE_HTTP_FILTER_INITIALIZERS_KEY =
+      "ozone.http.filter.initializers";
   public static final String OZONE_CONTAINER_COPY_WORKDIR =
       "hdds.datanode.replication.work.dir";
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java
index 0196725e1402..936861fc6783 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java
@@ -430,4 +430,12 @@ private OzoneConsts() {
   public static final String SCM_SUB_CA_PREFIX = "scm-sub@";
   public static final String SCM_ROOT_CA_PREFIX = "scm@";
+
+  // Kerberos constants
+  public static final String KERBEROS_CONFIG_VALUE = "kerberos";
+  public static final String HTTP_AUTH_TYPE_SUFFIX = "http.auth.type";
+  public static final String OZONE_SECURITY_ENABLED_SECURE = "true";
+  public static final String OZONE_HTTP_SECURITY_ENABLED_SECURE = "true";
+  public static final String OZONE_HTTP_FILTER_INITIALIZERS_SECURE =
+      "org.apache.hadoop.security.AuthenticationFilterInitializer";
 }
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index ac8169e35c50..a4ef3cd48f26 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -434,7 +434,7 @@ ozone.om.service.ids - + OM, HA Comma-separated list of OM service Ids. This property allows the client
@@ -443,7 +443,7 @@ ozone.om.internal.service.id - + OM, HA Service ID of the Ozone Manager. If this is not set fall back to
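Review bot: The `// Kerberos constants` comment in the OzoneConsts hunk (`@@ -430,4 +430,12 @@`) does not say what these values are for, and `OZONE_SECURITY_ENABLED_SECURE = "true"` sitting in a constants class reads like a runtime default rather than the value the genconf tool writes into its `--security` template (which is how the later hunk of this patch uses it). Suggest `// Values written by 'ozone genconf --security' into the generated template; not runtime defaults.` in place of the current comment, and a one-line note on `HTTP_AUTH_TYPE_SUFFIX` that it is matched with `endsWith` against property names, since that is what makes it a suffix rather than a key.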
@@ -452,7 +452,7 @@ ozone.om.nodes.EXAMPLEOMSERVICEID - + OM, HA Comma-separated list of OM node Ids for a given OM service ID (eg. @@ -470,7 +470,7 @@ ozone.om.node.id - + OM, HA The ID of this OM node. If the OM node ID is not configured it @@ -1262,7 +1262,7 @@ hdds.datanode.plugins - + Comma-separated list of HDDS datanode plug-ins to be activated when HDDS service starts as part of datanode. @@ -1454,6 +1454,37 @@ + + hdds.scm.kerberos.keytab.file + + SCM, SECURITY, KERBEROS + The keytab file used by SCM daemon to login as its service principal. + + + + hdds.scm.kerberos.principal + + SCM, SECURITY, KERBEROS + The SCM service principal. e.g. scm/_HOST@REALM.COM + + + hdds.scm.http.auth.kerberos.principal + HTTP/_HOST@REALM + SCM, SECURITY, KERBEROS + + SCM http server service principal if SPNEGO is enabled for SCM http server. + + + + hdds.scm.http.auth.kerberos.keytab + /path/to/HTTP.keytab + SCM, SECURITY, KERBEROS + + The keytab file used by SCM http server to login as its service + principal if SPNEGO is enabled for SCM http server. + + + ozone.s3g.volume.name s3v @@ -1519,8 +1550,8 @@ ozone.s3g.http.auth.kerberos.principal - - OZONE, S3GATEWAY + HTTP/_HOST@REALM + OZONE, S3GATEWAY, KERBEROS The server principal used by Ozone S3Gateway server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix @@ -1529,8 +1560,8 @@ ozone.s3g.http.auth.kerberos.keytab - - OZONE, S3GATEWAY + /path/to/HTTP.keytab + OZONE, S3GATEWAY, KERBEROS The keytab file used by the S3Gateway server to login as its service principal. @@ -1547,7 +1578,7 @@ ozone.security.enabled false - OZONE, SECURITY + OZONE, SECURITY, KERBEROS True if security is enabled for ozone. When this property is true, hadoop.security.authentication should be Kerberos. 
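Review bot: `ozone.s3g.http.auth.kerberos.principal` and `ozone.s3g.http.auth.kerberos.keytab` in hunk `@@ -1519,8 +1550,8 @@` go from an empty value to the placeholders `HTTP/_HOST@REALM` and `/path/to/HTTP.keytab`, the new `hdds.scm.http.auth.kerberos.*` entries in `@@ -1454,6 +1454,37 @@` ship the same placeholders, and patch 4 (OM/SCM service principals) and patch 5 (`/etc/security/keytabs` paths) follow the same pattern. If ozone-default.xml is loaded as a default configuration resource (this diff does not show it either way), those placeholders become the effective runtime value on any cluster that leaves the key unset, so a secure deployment that forgets the principal would attempt a login as `HTTP/_HOST@REALM` instead of failing on a missing value. Keeping the default value empty and having genconf inject the template value (it already overrides values for the `*.http.auth.type` keys) preserves the template behaviour without changing runtime defaults; at minimum the descriptions should state that the value is a placeholder to be replaced.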
@@ -1555,13 +1586,23 @@ ozone.security.http.kerberos.enabled false - OZONE, SECURITY + OZONE, SECURITY, KERBEROS True if Kerberos authentication for Ozone HTTP web consoles is enabled using the SPNEGO protocol. When this property is true, hadoop.security.authentication should be Kerberos and ozone.security.enabled should be set to true. + + ozone.http.filter.initializers + + OZONE, SECURITY, KERBEROS + Set to org.apache.hadoop.security.AuthenticationFilterInitializer + to enable Kerberos authentication for Ozone HTTP web consoles + is enabled using the SPNEGO protocol. When this property is + set, ozone.security.http.kerberos.enabled should be set to true. + + @@ -1760,8 +1801,8 @@ ozone.om.kerberos.keytab.file - - OZONE, SECURITY + + OZONE, SECURITY, KERBEROS The keytab file used by OzoneManager daemon to login as its service principal. The principal name is configured with ozone.om.kerberos.principal. @@ -1769,22 +1810,25 @@ ozone.om.kerberos.principal - - OZONE, SECURITY + + OZONE, SECURITY, KERBEROS The OzoneManager service principal. Ex om/_HOST@REALM.COM ozone.om.http.auth.kerberos.principal - HTTP/_HOST@EXAMPLE.COM + HTTP/_HOST@REALM + OZONE, SECURITY, KERBEROS - OzoneManager http server kerberos principal. + Ozone Manager http server service principal if SPNEGO is enabled for om http server. ozone.om.http.auth.kerberos.keytab - /etc/security/keytabs/HTTP.keytab + /path/to/HTTP.keytab + OZONE, SECURITY, KERBEROS - OzoneManager http server kerberos keytab. + The keytab file used by OM http server to login as its service + principal if SPNEGO is enabled for om http server. @@ -2233,7 +2277,7 @@ ozone.freon.http.auth.kerberos.principal - HTTP/_HOST@EXAMPLE.COM + HTTP/_HOST@REALM SECURITY Security principal used by freon. @@ -2241,7 +2285,7 @@ ozone.freon.http.auth.kerberos.keytab - /etc/security/keytabs/HTTP.keytab + /path/to/HTTP.keytab SECURITY Keytab used by Freon. 
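Review bot: The description of the new `ozone.http.filter.initializers` property in hunk `@@ -1555,13 +1586,23 @@` is ungrammatical ("to enable Kerberos authentication for Ozone HTTP web consoles is enabled using the SPNEGO protocol"). Suggest `Set to org.apache.hadoop.security.AuthenticationFilterInitializer to enable Kerberos (SPNEGO) authentication for the Ozone HTTP web consoles. When this property is set, ozone.security.http.kerberos.enabled should also be set to true.`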
@@ -2295,16 +2339,16 @@ hdds.datanode.http.auth.kerberos.principal - HTTP/_HOST@EXAMPLE.COM - HDDS, SECURITY, MANAGEMENT + HTTP/_HOST@REALM + HDDS, SECURITY, MANAGEMENT, KERBEROS The kerberos principal for the datanode http server. hdds.datanode.http.auth.kerberos.keytab - /etc/security/keytabs/HTTP.keytab - HDDS, SECURITY, MANAGEMENT + /path/to/HTTP.keytab + HDDS, SECURITY, MANAGEMENT, KERBEROS The kerberos keytab file for datanode http server @@ -2429,31 +2473,31 @@ ozone.recon.http.auth.kerberos.keytab - - RECON, SECURITY + /path/to/HTTP.keytab + RECON, SECURITY, KERBEROS The keytab file for HTTP Kerberos authentication in Recon. ozone.recon.http.auth.kerberos.principal - - RECON + HTTP/_HOST@REALM + RECON, KERBEROS The server principal used by Ozone Recon server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix HTTP/ by convention. - hdds.datanode.http.auth.type + hdds.datanode.http.auth.type simple - DATANODE, SECURITY + DATANODE, SECURITY, KERBEROS simple or kerberos. If kerberos is set, Kerberos SPNEOGO will be used for http authentication. - ozone.freon.http.auth.type + ozone.freon.http.auth.type simple FREON, SECURITY simple or kerberos. If kerberos is set, Kerberos SPNEOGO 
@@ -2461,25 +2505,33 @@ - ozone.om.http.auth.type + ozone.om.http.auth.type simple - OM, SECURITY + OM, SECURITY, KERBEROS simple or kerberos. If kerberos is set, Kerberos SPNEOGO will be used for http authentication. - ozone.recon.http.auth.type + hdds.scm.http.auth.type simple - RECON, SECURITY + OM, SECURITY, KERBEROS simple or kerberos. If kerberos is set, Kerberos SPNEOGO will be used for http authentication. - ozone.s3g.http.auth.type + ozone.recon.http.auth.type simple - S3G, SECURITY + RECON, SECURITY, KERBEROS + simple or kerberos. If kerberos is set, Kerberos SPNEOGO + will be used for http authentication. + + + + ozone.s3g.http.auth.type + simple + S3G, SECURITY, KERBEROS simple or kerberos. If kerberos is set, Kerberos SPNEOGO will be used for http authentication. @@ -2633,7 +2685,7 @@ ozone.http.basedir - + OZONE, OM, SCM, MANAGEMENT The base dir for HTTP Jetty server to extract contents. If this property @@ -2694,14 +2746,14 @@ ssl.server.keystore.keypassword OZONE, SECURITY, MANAGEMENT - + Keystore key password for HTTPS SSL configuration ssl.server.keystore.location OZONE, SECURITY, MANAGEMENT - + Keystore location for HTTPS SSL configuration @@ -2709,7 +2761,7 @@ ssl.server.keystore.password OZONE, SECURITY, MANAGEMENT - + Keystore password for HTTPS SSL configuration @@ -2717,7 +2769,7 @@ ssl.server.truststore.location OZONE, SECURITY, MANAGEMENT - + Truststore location for HTTPS SSL configuration @@ -2725,7 +2777,7 @@ ssl.server.truststore.password OZONE, SECURITY, MANAGEMENT - + Truststore password for HTTPS SSL configuration diff --git a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java index 750bcd77115a..c5d4d156c8bf 100644 --- a/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java 
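Review bot: The new `hdds.scm.http.auth.type` property in hunk `@@ -2461,25 +2505,33 @@` appears to carry the tag `OM, SECURITY, KERBEROS` (the hunk's markup is stripped here, so read with care); that looks copied from the `ozone.om.http.auth.type` entry just above and should presumably be `SCM, SECURITY, KERBEROS`, matching the other `hdds.scm.*` entries this patch adds. Genconf selects on the KERBEROS tag, so the generated file is unaffected, but anything that lists or documents SCM properties by tag will misfile it.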
+++ b/hadoop-ozone/tools/src/main/java/org/apache/hadoop/ozone/genconf/GenerateOzoneRequiredConfigurations.java
@@ -62,7 +62,8 @@ public final class GenerateOzoneRequiredConfigurations extends GenericCli {
       description = "Directory path where ozone-site file should be generated.")
   private String path;
 
-  @Option(names = "--security", description = "Generate security config.")
+  @Option(names = "--security", description = "Generates security config " +
+      "template, update Kerberos principal and keytab file before use.")
   private boolean genSecurityConf;
 
   /**
@@ -126,7 +127,8 @@ public static void generateConfigurations(String path,
     for (OzoneConfiguration.Property p : allProperties) {
       if (p.getTag() != null && (p.getTag().contains("REQUIRED") ||
-          (genSecurityConf && p.getTag().contains("SECURITY")))) {
+          (genSecurityConf && p.getTag().contains("KERBEROS")))) {
+        // Set default value for common required configs
         if (p.getName().equalsIgnoreCase(
             OzoneConfigKeys.OZONE_METADATA_DIRS)) {
           p.setValue(System.getProperty(OzoneConsts.JAVA_TMP_DIR));
@@ -138,6 +140,20 @@ public static void generateConfigurations(String path,
           p.setValue(OzoneConsts.LOCALHOST);
         }
 
+        // Set default value for KERBEROS configs
+        if (p.getName().equalsIgnoreCase(
+            OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY)) {
+          p.setValue(OzoneConsts.OZONE_SECURITY_ENABLED_SECURE);
+        } else if (p.getName().equalsIgnoreCase(
+            OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY)) {
+          p.setValue(OzoneConsts.OZONE_HTTP_SECURITY_ENABLED_SECURE);
+        } else if (p.getName().equalsIgnoreCase(
+            OzoneConfigKeys.OZONE_HTTP_FILTER_INITIALIZERS_KEY)) {
+          p.setValue(OzoneConsts.OZONE_HTTP_FILTER_INITIALIZERS_SECURE);
+        } else if (p.getName().endsWith(OzoneConsts.HTTP_AUTH_TYPE_SUFFIX)) {
+          p.setValue(OzoneConsts.KERBEROS_CONFIG_VALUE);
+        }
+
         requiredProperties.add(p);
       }
     }
From ceae548c7132fcd94c9c5b7abb12fc60c2f7f845 Mon Sep 17 00:00:00 2001
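Review bot: The `// Set default value for KERBEROS configs` chain in hunk `@@ -138,6 +140,20 @@` runs for every property that passes the tag filter, including REQUIRED ones selected without `--security`, and its last branch rewrites any key ending in `http.auth.type` to `kerberos`. This is harmless today only because, as far as the XML hunks show, the matched keys carry the KERBEROS tag rather than REQUIRED; a REQUIRED-tagged property with that suffix added later would silently come out as `kerberos` in the non-secure template. Wrapping the chain in `if (genSecurityConf) { ... }` ties the overrides to the option that selects them. The `contains("KERBEROS")` test in `@@ -126,7 +127,8 @@` is a substring match on the raw tag string, fine for the current vocabulary but worth a comment. generateConfigurations starts and ends outside these hunks.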
From: Symious
Date: Sat, 13 Feb 2021 19:51:46 +0800
Subject: [PATCH 4/8] HDDS-2212. Add unit test and Fix TestConfigurationFieldsBase error
---
 .../src/main/resources/ozone-default.xml | 8 +-
 .../ozone/TestOzoneConfigurationFields.java | 5 +-
 ...stGenerateOzoneRequiredConfigurations.java | 50 +++++++++++++++++++
 3 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index a4ef3cd48f26..155d584d2f2c 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1456,14 +1456,14 @@ hdds.scm.kerberos.keytab.file - + /path/to/SCM.keytab SCM, SECURITY, KERBEROS The keytab file used by SCM daemon to login as its service principal. hdds.scm.kerberos.principal - + SCM/_HOST@REALM SCM, SECURITY, KERBEROS The SCM service principal. e.g. scm/_HOST@REALM.COM
@@ -1801,7 +1801,7 @@ ozone.om.kerberos.keytab.file - + /path/to/OM.keytab OZONE, SECURITY, KERBEROS The keytab file used by OzoneManager daemon to login as its service principal. The principal name is configured with
@@ -1810,7 +1810,7 @@ ozone.om.kerberos.principal - + OM/_HOST@REALM OZONE, SECURITY, KERBEROS The OzoneManager service principal. Ex om/_HOST@REALM.COM
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
index 53b1a99c799a..508725dcd454 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
@@ -19,6 +19,7 @@
 import org.apache.hadoop.conf.TestConfigurationFieldsBase;
 import org.apache.hadoop.hdds.HddsConfigKeys;
+import org.apache.hadoop.hdds.scm.ScmConfig;
 import org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig;
 import org.apache.hadoop.ozone.om.OMConfigKeys;
 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
@@ -48,7 +49,9 @@ public void initializeMemberVariables() {
         OMConfigKeys.class, HddsConfigKeys.class,
         ReconServerConfigKeys.class,
         S3GatewayConfigKeys.class,
-        SCMHTTPServerConfig.class
+        SCMHTTPServerConfig.class,
+        SCMHTTPServerConfig.ConfigStrings.class,
+        ScmConfig.ConfigStrings.class
     };
     errorIfMissingConfigProps = true;
     errorIfMissingXmlProps = true;
diff --git a/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java b/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java
index e897ba56ac05..2f4c4a8d743f 100644
--- a/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java
+++ b/hadoop-ozone/tools/src/test/java/org/apache/hadoop/ozone/genconf/TestGenerateOzoneRequiredConfigurations.java
@@ -181,6 +181,56 @@ public void testGenerateConfigurations() throws Exception {
     }
   }
 
+  /**
+   * Tests a valid path and generates secure ozone-site.xml by calling
+   * {@code GenerateOzoneRequiredConfigurations#generateConfigurations}.
+   * Further verifies that all properties have a default value.
+   *
+   * @throws Exception
+   */
+  @Test
+  public void testGenerateSecurityConfigurations() throws Exception {
+    int ozoneConfigurationCount, ozoneSecurityConfigurationCount;
+
+    // Generate default Ozone Configuration
+    File tempPath = getRandomTempDir();
+    String[] args = new String[]{tempPath.getAbsolutePath()};
+    execute(args, "ozone-site.xml has been generated at " +
+        tempPath.getAbsolutePath());
+
+    URL url = new File(tempPath.getAbsolutePath() + "/ozone-site.xml")
+        .toURI().toURL();
+    OzoneConfiguration oc = new OzoneConfiguration();
+    List allProperties =
+        oc.readPropertyFromXml(url);
+
+    for (OzoneConfiguration.Property p : allProperties) {
+      Assert.assertTrue(
+          p.getValue() != null && p.getValue().length() > 0);
+    }
+    ozoneConfigurationCount = allProperties.size();
+
+    // Generate secure Ozone Configuration
+    tempPath = getRandomTempDir();
+    args = new String[]{"--security", tempPath.getAbsolutePath()};
+    execute(args, "ozone-site.xml has been generated at " +
+        tempPath.getAbsolutePath());
+
+    url = new File(tempPath.getAbsolutePath() + "/ozone-site.xml")
+        .toURI().toURL();
+    oc = new OzoneConfiguration();
+    allProperties = oc.readPropertyFromXml(url);
+
+    for (OzoneConfiguration.Property p : allProperties) {
+      Assert.assertTrue(
+          p.getValue() != null && p.getValue().length() > 0);
+    }
+    ozoneSecurityConfigurationCount = allProperties.size();
+
+    Assert.assertNotEquals(ozoneConfigurationCount,
+        ozoneSecurityConfigurationCount);
+  }
+
   /**
    * Generates ozone-site.xml at specified path.
    * Verify that it does not overwrite if file already exists in path.
From a691eee2f3fca668d1ae50718beb217019dd5b08 Mon Sep 17 00:00:00 2001
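Review bot: `testGenerateSecurityConfigurations` in hunk `@@ -181,6 +181,56 @@` only asserts that the secure and non-secure property counts differ, so a regression that stops writing `true` for `ozone.security.enabled` or `kerberos` for the `*.http.auth.type` keys would still pass. Asserting the values the tool injects pins the behaviour: collect the secure properties into a name-to-value map and check `Assert.assertEquals("true", values.get(OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY));` (importing OzoneConfigKeys if the test does not already), and replace `assertNotEquals` with `Assert.assertTrue(ozoneSecurityConfigurationCount > ozoneConfigurationCount);` since the secure output is a superset. As a style point, `new File(tempPath, "ozone-site.xml")` avoids the `"/ozone-site.xml"` concatenation used twice here, and the two counters could be declared at the point they are assigned.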
From: Symious Date: Sun, 14 Feb 2021 12:49:59 +0800 Subject: [PATCH 5/8] HDDS-2212. Set default keytab dir to /etc/security/keytabs --- .../common/src/main/resources/ozone-default.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml index 155d584d2f2c..1b4763f0a7a4 100644 --- a/hadoop-hdds/common/src/main/resources/ozone-default.xml +++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml @@ -1456,7 +1456,7 @@ hdds.scm.kerberos.keytab.file - /path/to/SCM.keytab + /etc/security/keytabs/SCM.keytab SCM, SECURITY, KERBEROS The keytab file used by SCM daemon to login as its service principal. @@ -1477,7 +1477,7 @@ hdds.scm.http.auth.kerberos.keytab - /path/to/HTTP.keytab + /etc/security/keytabs/HTTP.keytab SCM, SECURITY, KERBEROS The keytab file used by SCM http server to login as its service @@ -1560,7 +1560,7 @@ ozone.s3g.http.auth.kerberos.keytab - /path/to/HTTP.keytab + /etc/security/keytabs/HTTP.keytab OZONE, S3GATEWAY, KERBEROS The keytab file used by the S3Gateway server to login as its service principal. @@ -1801,7 +1801,7 @@ ozone.om.kerberos.keytab.file - /path/to/OM.keytab + /etc/security/keytabs/OM.keytab OZONE, SECURITY, KERBEROS The keytab file used by OzoneManager daemon to login as its service principal. The principal name is configured with @@ -1824,7 +1824,7 @@ ozone.om.http.auth.kerberos.keytab - /path/to/HTTP.keytab + /etc/security/keytabs/HTTP.keytab OZONE, SECURITY, KERBEROS The keytab file used by OM http server to login as its service @@ -2285,7 +2285,7 @@ ozone.freon.http.auth.kerberos.keytab - /path/to/HTTP.keytab + /etc/security/keytabs/HTTP.keytab SECURITY Keytab used by Freon. @@ -2347,7 +2347,7 @@ hdds.datanode.http.auth.kerberos.keytab - /path/to/HTTP.keytab + /etc/security/keytabs/HTTP.keytab HDDS, SECURITY, MANAGEMENT, KERBEROS The kerberos keytab file for datanode http server 
@@ -2473,7 +2473,7 @@ ozone.recon.http.auth.kerberos.keytab - /path/to/HTTP.keytab + /etc/security/keytabs/HTTP.keytab RECON, SECURITY, KERBEROS The keytab file for HTTP Kerberos authentication in Recon. From 51b8e7659ea24f5c6f6dcd9d1d3b9099af66a0e4 Mon Sep 17 00:00:00 2001 From: Symious Date: Mon, 26 Apr 2021 16:34:58 +0800 Subject: [PATCH 6/8] HDDS-2212. Add SECURITY tag for some untagged lines --- hadoop-hdds/common/src/main/resources/ozone-default.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml index 1b4763f0a7a4..9d2dceab4db9 100644 --- a/hadoop-hdds/common/src/main/resources/ozone-default.xml +++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml @@ -1551,7 +1551,7 @@ ozone.s3g.http.auth.kerberos.principal HTTP/_HOST@REALM - OZONE, S3GATEWAY, KERBEROS + OZONE, S3GATEWAY, SECURITY, KERBEROS The server principal used by Ozone S3Gateway server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix @@ -1561,7 +1561,7 @@ ozone.s3g.http.auth.kerberos.keytab /etc/security/keytabs/HTTP.keytab - OZONE, S3GATEWAY, KERBEROS + OZONE, S3GATEWAY, SECURITY, KERBEROS The keytab file used by the S3Gateway server to login as its service principal. @@ -2482,7 +2482,7 @@ ozone.recon.http.auth.kerberos.principal HTTP/_HOST@REALM - RECON, KERBEROS + RECON, SECURITY, KERBEROS The server principal used by Ozone Recon server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix HTTP/ by convention. From 54d63649a8f7def0444b7c9f43e0d7d3a244df96 Mon Sep 17 00:00:00 2001 From: Symious Date: Mon, 26 Apr 2021 18:10:44 +0800 Subject: [PATCH 7/8] trigger new CI check From 4fa6094512b70d50d75b7e167aebeeaf9ad616f6 Mon Sep 17 00:00:00 2001 From: Symious Date: Mon, 26 Apr 2021 22:34:52 +0800 Subject: [PATCH 8/8] trigger new CI check