hadoop-yetus commented on a change in pull request #687: HDDS-1329. Update documentation for Ozone-0.4.0 release. Contributed By Ajay Kumar. URL: https://github.com/apache/hadoop/pull/687#discussion_r271890312
########## File path: hadoop-hdds/docs/content/OzoneSecurityArchitecture.md ########## @@ -0,0 +1,83 @@ +--- +title: "Ozone Security Overview" +date: "2019-April-03" +menu: + main: + parent: Architecture +weight: 11 +--- +<!--- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +# Security in Ozone # + +Starting with badlands release (ozone-0.4.0-alpha) ozone cluster can be secured against external threats. Specifically it can be configured for following security features: + +1. Authentication +2. Authorization +3. Audit +4. Transparent Data Encryption (TDE) + +## Authentication ## + +### Kerberos ### +Similar to hadoop, Ozone allows kerberos-based authentication. So one way to setup identities for all the daemons and clients is to create kerberos keytabs and configure it like any other service in hadoop. + +### Tokens ### +Tokens are widely used in Hadoop to achieve lightweight authentication without compromising on security. Main motivation for using tokens inside Ozone is to prevent the unauthorized access while keeping the protocol lightweight and without sharing secret over the wire. Ozone utilizes three types of token: + +#### Delegation token #### +Once client establishes their identity via kerberos they can request a delegation token from OzoneManager. This token can be used by a client to prove its identity until the token expires. Like Hadoop delegation tokens, an Ozone delegation token has 3 important fields: + +Renewer: User responsible for renewing the token. +Issue date: Time at which token was issued. +Max date: Time after which token can’t be renewed. Review comment: whitespace:end of line ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
