Securing DataNodes
You can secure Ozone DataNodes by creating keytab files on each of the DataNodes. You
must ensure that certain properties are configured in hdfs-site.xml
to
provide the Kerberos-authenticated users or client applications with access to the
DataNodes.
Configure the following parameters in
hdfs-site.xml
to enable DataNode
access:Property | Description |
---|---|
dfs.datanode.kerberos.principal |
The DataNode service principal. You can specify this value, for
example, in the following
format:
|
dfs.datanode.keytab.file |
The keytab file that the DataNode daemon uses to log in as its service principal. |
hdds.datanode.http.kerberos.principal |
The service principal of the DataNode http server. |
hdds.datanode.http.kerberos.keytab |
The keytab file that the DataNode http server uses to log in as its service principal. |
Certificate request and approval
When a DataNode boots up, it creates a private key and sends an DataNode identity certificate request to Storage Container Manager (SCM). If the DataNode has a Kerberos keytab, SCM trusts the Kerberos credentials and automatically issues a certificate.