Kerberos principal and keytab properties for Ozone service daemons
For the Kerberos-authenticated users or client applications to access Ozone, each of
the Ozone components requires a Kerberos service principal name and a corresponding kerberos
keytab file. You must set the corresponding in ozone-site.xml
.
Storage Container Manager (SCM) properties
Property | Description |
---|---|
hdds.scm.kerberos.principal |
The SCM service principal. You can specify this value, for example, in
the following format: scm/_HOST@REALM.COM |
hdds.scm.kerberos.keytab.file |
The keytab file that the SCM daemon uses to log in as its service principal. |
hdds.scm.http.auth.kerberos.principal |
The service principal of the SCM HTTP server. |
hdds.scm.http.auth.kerberos.keytab |
The keytab file that the SCM HTTP server uses to log in as its service principal. |
Ozone Manager (OM) properties
Property | Description |
---|---|
ozone.om.kerberos.principal |
The Ozone Manager service principal. You can specify this value, for
example, in the following
format:om/_HOST@REALM.COM |
ozone.om.kerberos.keytab.file |
The keytab file that the Ozone Manager daemon uses to log in as its service principal. |
ozone.om.http.auth.kerberos.principal |
The service principal of the Ozone Manager HTTP server. |
ozone.om.http.auth.kerberos.keytab |
The keytab file that the Ozone Manager HTTP server uses to log in as its service principal. |
S3 Gateway properties
Property | Description |
---|---|
ozone.s3g.kerberos.principal |
The S3 Gateway principal. You can specify this value, for example, in
the following format:s3g/_HOST@REALM.COM |
ozone.s3g.kerberos.keytab.file |
The keytab file used by S3Gateway daemon to login as its service principal. The principal name is configured with ozone.s3g.kerberos.principal. |
ozone.s3g.http.auth.kerberos.principal |
The server principal used by Ozone S3 Gateway server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix HTTP/ by convention. |
ozone.s3g.http.auth.kerberos.keytab |
The keytab file used by the S3 Gateway server to login as its service principal. |
Recon properties
Property | Description |
---|---|
ozone.recon.kerberos.principal |
The Recon web user service principal. You can specify this value, for
example, in the following
format:recon/_HOST@REALM.COM |
ozone.recon.kerberos.keytab.file |
The keytab file used by the Recon web user. |
ozone.recon.http.auth.kerberos.principal |
The server principal used by Ozone Recon server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix HTTP/ by convention. |
ozone.recon.http.auth.kerberos.keytab |
The keytab file for HTTP Kerberos authentication in Recon. |