Configuring Ozone SecurityPDF version

Kerberos principal and keytab properties for Ozone service daemons

For the Kerberos-authenticated users or client applications to access Ozone, each of the Ozone components requires a Kerberos service principal name and a corresponding kerberos keytab file. You must set the corresponding in ozone-site.xml.

The following are the properties for the Kerberos service principal and the keytab file that you must set for the different Ozone components:
Property Description
hdds.scm.kerberos.principal The SCM service principal. You can specify this value, for example, in the following format:
scm/_HOST@REALM.COM
hdds.scm.kerberos.keytab.file The keytab file that the SCM daemon uses to log in as its service principal.
hdds.scm.http.auth.kerberos.principal The service principal of the SCM HTTP server.
hdds.scm.http.auth.kerberos.keytab The keytab file that the SCM HTTP server uses to log in as its service principal.
Property Description
ozone.om.kerberos.principal The Ozone Manager service principal. You can specify this value, for example, in the following format:
om/_HOST@REALM.COM
ozone.om.kerberos.keytab.file The keytab file that the Ozone Manager daemon uses to log in as its service principal.
ozone.om.http.auth.kerberos.principal The service principal of the Ozone Manager HTTP server.
ozone.om.http.auth.kerberos.keytab The keytab file that the Ozone Manager HTTP server uses to log in as its service principal.
Property Description
ozone.s3g.kerberos.principal The S3 Gateway principal. You can specify this value, for example, in the following format:
s3g/_HOST@REALM.COM
ozone.s3g.kerberos.keytab.file The keytab file used by S3Gateway daemon to login as its service principal. The principal name is configured with ozone.s3g.kerberos.principal.
ozone.s3g.http.auth.kerberos.principal

The server principal used by Ozone S3 Gateway server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix HTTP/ by convention.

ozone.s3g.http.auth.kerberos.keytab

The keytab file used by the S3 Gateway server to login as its service principal.

Property Description
ozone.recon.kerberos.principal The Recon web user service principal. You can specify this value, for example, in the following format:
recon/_HOST@REALM.COM
ozone.recon.kerberos.keytab.file The keytab file used by the Recon web user.
ozone.recon.http.auth.kerberos.principal

The server principal used by Ozone Recon server. This is typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix HTTP/ by convention.

ozone.recon.http.auth.kerberos.keytab The keytab file for HTTP Kerberos authentication in Recon.