Securing HTTP

This document describes how to configure Ozone HTTP web-consoles to require user authentication.

Default authentication

By default Ozone HTTP web-consoles (OM, SCM, S3G, Recon, Datanode) allow access without authentication based on the following default configurations.

Property                               Value
ozone.security.http.kerberos.enabled   false
ozone.http.filter.initializers         (empty)

If you have an SPNEGO-enabled Ozone cluster and want to disable it for all Ozone services, make sure the two keys mentioned above are configured as shown.

Kerberos based SPNEGO authentication

However, the web-consoles can be configured to require Kerberos authentication using the HTTP SPNEGO protocol (supported by browsers such as Firefox and Chrome). To achieve that, the following keys must be configured first.

Property                               Value
hadoop.security.authentication         kerberos
ozone.security.http.kerberos.enabled   true
ozone.http.filter.initializers         org.apache.hadoop.security.AuthenticationFilterInitializer

After that, each individual component must be configured as described below to fully enable SPNEGO or SIMPLE authentication for its web-console.

Enable SPNEGO authentication for OM HTTP

Property                                Value
ozone.om.http.auth.type                 kerberos
ozone.om.http.auth.kerberos.principal   HTTP/_HOST@REALM
ozone.om.http.auth.kerberos.keytab      /path/to/HTTP.keytab

Enable SPNEGO authentication for S3G HTTP

Property                                 Value
ozone.s3g.http.auth.type                 kerberos
ozone.s3g.http.auth.kerberos.principal   HTTP/_HOST@REALM
ozone.s3g.http.auth.kerberos.keytab      /path/to/HTTP.keytab

Enable SPNEGO authentication for RECON HTTP

Property                                   Value
ozone.recon.http.auth.type                 kerberos
ozone.recon.http.auth.kerberos.principal   HTTP/_HOST@REALM
ozone.recon.http.auth.kerberos.keytab      /path/to/HTTP.keytab

Enable SPNEGO authentication for SCM HTTP

Property                                Value
hdds.scm.http.auth.type                 kerberos
hdds.scm.http.auth.kerberos.principal   HTTP/_HOST@REALM
hdds.scm.http.auth.kerberos.keytab      /path/to/HTTP.keytab

Enable SPNEGO authentication for DATANODE HTTP

Property                                     Value
hdds.datanode.http.auth.type                 kerberos
hdds.datanode.http.auth.kerberos.principal   HTTP/_HOST@REALM
hdds.datanode.http.auth.kerberos.keytab      /path/to/HTTP.keytab

Note: the Ozone datanode does not have a default webpage, so you cannot access “/” or “/index.html” on it. It does, however, expose the standard servlets such as jmx, conf and jstack over HTTP, which is why its web-console should be secured like the others.

In addition, the Ozone HTTP web-consoles support the equivalent of Hadoop’s Pseudo/Simple authentication. If this option is enabled, the user name must be specified in the first browser interaction using the user.name query string parameter, e.g., http://scm:9876/?user.name=scmadmin.

Enable SIMPLE authentication for OM HTTP

Property                                      Value
ozone.om.http.auth.type                       simple
ozone.om.http.auth.simple.anonymous_allowed   false

If you don’t want to specify the user.name in the query string parameter, change ozone.om.http.auth.simple.anonymous_allowed to true.

Enable SIMPLE authentication for S3G HTTP

Property                                       Value
ozone.s3g.http.auth.type                       simple
ozone.s3g.http.auth.simple.anonymous_allowed   false

If you don’t want to specify the user.name in the query string parameter, change ozone.s3g.http.auth.simple.anonymous_allowed to true.

Enable SIMPLE authentication for RECON HTTP

Property                                         Value
ozone.recon.http.auth.type                       simple
ozone.recon.http.auth.simple.anonymous_allowed   false

If you don’t want to specify the user.name in the query string parameter, change ozone.recon.http.auth.simple.anonymous_allowed to true.

Enable SIMPLE authentication for SCM HTTP

Property                                      Value
hdds.scm.http.auth.type                       simple
hdds.scm.http.auth.simple.anonymous_allowed   false

If you don’t want to specify the user.name in the query string parameter, change hdds.scm.http.auth.simple.anonymous_allowed to true.

Enable SIMPLE authentication for DATANODE HTTP

Property                                           Value
hdds.datanode.http.auth.type                       simple
hdds.datanode.http.auth.simple.anonymous_allowed   false

If you don’t want to specify the user.name in the query string parameter, change hdds.datanode.http.auth.simple.anonymous_allowed to true.
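The following is an added example, not part of the Ozone documentation or code base: a small audit script that parses a Hadoop-style ozone-site.xml and, using only the keys described above, reports for each web-console whether it is open, configured for SPNEGO, or using SIMPLE authentication with anonymous access. The sample XML is constructed for the example; the verdict strings and the rule that an unset anonymous_allowed is treated as allowed are the example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Property prefixes of each web-console, as used in the tables above.
COMPONENTS = {"OM": "ozone.om", "S3G": "ozone.s3g", "Recon": "ozone.recon",
              "SCM": "hdds.scm", "Datanode": "hdds.datanode"}
FILTER_INIT = "org.apache.hadoop.security.AuthenticationFilterInitializer"

# Constructed sample ozone-site.xml for the example (not from a real cluster).
SAMPLE_SITE_XML = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>ozone.security.http.kerberos.enabled</name><value>true</value></property>
  <property><name>ozone.http.filter.initializers</name><value>%s</value></property>
  <property><name>ozone.om.http.auth.type</name><value>kerberos</value></property>
  <property><name>ozone.om.http.auth.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>ozone.om.http.auth.kerberos.keytab</name><value>/etc/security/keytabs/HTTP.keytab</value></property>
  <property><name>hdds.scm.http.auth.type</name><value>simple</value></property>
  <property><name>hdds.scm.http.auth.simple.anonymous_allowed</name><value>true</value></property>
  <property><name>ozone.s3g.http.auth.type</name><value>kerberos</value></property>
</configuration>""" % FILTER_INIT

def parse_site_xml(text):
    """Parse a Hadoop-style <configuration> document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_http_auth(props):
    """Return {component: verdict}; verdicts start with 'ok', 'weak', 'misconfigured' or 'open'."""
    # The three global keys must all be set before per-component SPNEGO takes effect.
    spnego_ready = (props.get("hadoop.security.authentication", "").lower() == "kerberos"
                    and props.get("ozone.security.http.kerberos.enabled", "").lower() == "true"
                    and FILTER_INIT in props.get("ozone.http.filter.initializers", ""))
    verdicts = {}
    for comp, prefix in COMPONENTS.items():
        auth = props.get(f"{prefix}.http.auth.type", "").lower()
        if auth == "kerberos":
            missing = [k for k in ("principal", "keytab")
                       if not props.get(f"{prefix}.http.auth.kerberos.{k}")]
            if not spnego_ready:
                verdicts[comp] = "misconfigured: global SPNEGO keys not set"
            elif missing:
                verdicts[comp] = "misconfigured: missing kerberos " + ", ".join(missing)
            else:
                verdicts[comp] = "ok: SPNEGO"
        elif auth == "simple":
            # Assumption: anything other than an explicit "false" is treated as anonymous allowed.
            anon = props.get(f"{prefix}.http.auth.simple.anonymous_allowed", "").lower() != "false"
            verdicts[comp] = "weak: simple, anonymous allowed" if anon else "ok: simple, user.name required"
        else:
            verdicts[comp] = "open: no authentication configured"
    return verdicts

if __name__ == "__main__":
    for comp, verdict in audit_http_auth(parse_site_xml(SAMPLE_SITE_XML)).items():
        print(f"{comp:9s} {verdict}")
```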