Kerberos principal and keytab properties for Ozone service daemons
For Kerberos-authenticated users or client applications to access Ozone, each of the Ozone components requires a Kerberos service principal name and a corresponding Kerberos keytab file. You must set the corresponding properties in ozone-site.xml.
The following are the properties for the Kerberos service principal and the keytab file that you must set for the different Ozone components:
Storage Container Manager (SCM) properties

| Property | Description |
| --- | --- |
| hdds.scm.kerberos.principal | The SCM service principal. You can specify this value, for example, in the following format: scm/_HOST@REALM.COM |
| hdds.scm.kerberos.keytab.file | The keytab file that the SCM daemon uses to log in as its service principal. |
| hdds.scm.http.kerberos.principal | The service principal of the SCM HTTP server. |
| hdds.scm.http.kerberos.keytab | The keytab file that the SCM HTTP server uses to log in as its service principal. |

Ozone Manager (OM) properties

| Property | Description |
| --- | --- |
| ozone.om.kerberos.principal | The Ozone Manager service principal. You can specify this value, for example, in the following format: om/_HOST@REALM.COM |
| ozone.om.kerberos.keytab.file | The keytab file that the Ozone Manager daemon uses to log in as its service principal. |
| ozone.om.http.kerberos.principal | The service principal of the Ozone Manager HTTP server. |
| ozone.om.http.kerberos.keytab | The keytab file that the Ozone Manager HTTP server uses to log in as its service principal. |

S3 Gateway properties

| Property | Description |
| --- | --- |
| ozone.s3g.authentication.kerberos.principal | The S3 Gateway principal. You can specify this value, for example, in the following format: HTTP/_HOST@EXAMPLE.COM |
| ozone.s3g.keytab.file | The keytab file used by the S3 Gateway. |

Recon properties

| Property | Description |
| --- | --- |
| ozone.recon.authentication.kerberos.principal | The service principal for the Recon HTTP server. |
| ozone.recon.http.kerberos.keytab.file | The keytab file used by the Recon HTTP server to log on as the service principal. |
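
The following consistency check is an added example, not part of the Ozone documentation or code base. It parses an ozone-site.xml and verifies that every principal property listed above is paired with its keytab property, that the principal has the service/host@REALM shape, and that the keytab file is accessible only by its owner. The function names, the sample keytab paths, and the owner-only permission policy are assumptions.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Principal property -> keytab property, exactly as paired on this page.
PAIRS = {
    "hdds.scm.kerberos.principal": "hdds.scm.kerberos.keytab.file",
    "hdds.scm.http.kerberos.principal": "hdds.scm.http.kerberos.keytab",
    "ozone.om.kerberos.principal": "ozone.om.kerberos.keytab.file",
    "ozone.om.http.kerberos.principal": "ozone.om.http.kerberos.keytab",
    "ozone.s3g.authentication.kerberos.principal": "ozone.s3g.keytab.file",
    "ozone.recon.authentication.kerberos.principal": "ozone.recon.http.kerberos.keytab.file",
}
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")  # service/host@REALM

def load_site(xml_text):  # Hadoop-style <configuration><property> XML -> dict
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(conf, check_files=True):  # returns findings; empty list means consistent
    findings = []
    for princ_key, keytab_key in PAIRS.items():
        princ, keytab = conf.get(princ_key), conf.get(keytab_key)
        if princ is None and keytab is None:
            continue  # component not configured in this file
        if not princ or not keytab:
            findings.append(f"{princ_key}: principal and keytab must both be set")
            continue
        if not PRINCIPAL_RE.match(princ):
            findings.append(f"{princ_key}: {princ!r} is not service/host@REALM")
        if check_files and not os.path.isfile(keytab):
            findings.append(f"{keytab_key}: keytab {keytab!r} not found")
        elif check_files and stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
            mode = stat.S_IMODE(os.stat(keytab).st_mode)  # assumed policy: owner-only
            findings.append(f"{keytab_key}: mode {mode:o} is not owner-only")
    return findings

# Constructed sample: SCM is complete, OM lacks its keytab, S3G has no realm.
SAMPLE = """<configuration>
 <property><name>hdds.scm.kerberos.principal</name><value>scm/_HOST@REALM.COM</value></property>
 <property><name>hdds.scm.kerberos.keytab.file</name><value>/etc/security/keytabs/scm.keytab</value></property>
 <property><name>ozone.om.kerberos.principal</name><value>om/_HOST@REALM.COM</value></property>
 <property><name>ozone.s3g.authentication.kerberos.principal</name><value>HTTP/_HOST</value></property>
 <property><name>ozone.s3g.keytab.file</name><value>/etc/security/keytabs/s3g.keytab</value></property>
</configuration>"""
if __name__ == "__main__":
    print("\n".join(audit(load_site(SAMPLE), check_files=False)))
```

Run it with `check_files=True` on each host that carries the daemon, since the keytab paths refer to that host's local filesystem.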