Securing Datanodes

Datanodes under Hadoop is traditionally secured by creating a Keytab file on the datanodes. With Ozone, we have moved away to using datanode certificates. That is, Kerberos on datanodes is not needed in case of a secure Ozone cluster.

However, we support the legacy Kerberos based Authentication to make it easy for the current set of users.The HDFS configuration keys are the following that is setup in hdfs-site.xml.

PropertyDescription
dfs.datanode.kerberos.principalThe datanode service principal.
e.g. dn/_HOST@REALM.COM
dfs.datanode.keytab.fileThe keytab file used by datanode daemon to login as its service principal.
hdds.datanode.http.auth.kerberos.principalDatanode http server service principal.
hdds.datanode.http.auth.kerberos.keytabThe keytab file used by datanode http server to login as its service principal.

How a datanode becomes secure.

Under Ozone, when a datanode boots up and discovers SCM’s address, the first thing that datanode does is to create a private key and send a certificate request to the SCM.

Certificate Approval via Kerberos Current Model

SCM has a built-in CA, and SCM has to approve this request. If the datanode already has a Kerberos key tab, then SCM will trust Kerberos credentials and issue a certificate automatically.

Manual Approval In Progress

If these are brand new datanodes and Kerberos key tabs are not present at the datanodes, then this request for the datanodes identity certificate is queued up for approval from the administrator(This is work in progress, not committed in Ozone yet). In other words, the chain of trust is established by the administrator of the cluster.

Automatic Approval In Progress

If you running under an container orchestrator like Kubernetes, we rely on Kubernetes to create a one-time token that will be given to datanode during boot time to prove the identity of the datanode container (This is also work in progress.)

Once a certificate is issued, a datanode is secure and Ozone manager can issue block tokens. If there is no datanode certificates or the SCM’s root certificate is not present in the datanode, then datanode will register itself and download the SCM’s root certificate as well get the certificates for itself.

Next >>