Securing DataNodes

You can secure Ozone DataNodes by creating keytab files on each of the DataNodes. You must ensure that certain properties are configured in hdfs-site.xml to provide the Kerberos-authenticated users or client applications with access to the DataNodes.

Configure the following parameters in hdfs-site.xml to enable DataNode access:
Property Description
dfs.datanode.kerberos.principal The DataNode service principal. You can specify this value, for example, in the following format:
dn/_HOST@REALM.COM
dfs.datanode.kerberos.keytab.file The keytab file that the DataNode daemon uses to log in as its service principal.
hdds.datanode.http.auth.kerberos.principal The service principal of the DataNode http server.
hdds.datanode.http.auth.kerberos.keytab The keytab file that the DataNode http server uses to log in as its service principal.

Certificate request and approval

When a DataNode boots up, it creates a private key and sends an DataNode identity certificate request to Storage Container Manager (SCM). If the DataNode has a Kerberos keytab, SCM trusts the Kerberos credentials and automatically issues a certificate.