HDDS-2766. security/SecuringDataNodes.md #1175
Conversation
### Manual issuance (in development)

If the datanode is newly added and has no keytab, the certificate request must wait for the administrator's approval. In other words, the chain of trust is established by the cluster administrator.
Original doc says the web of trust, but according to my understanding, it is called chain of trust in PKI.
A typo in the original doc maybe, 'band new' should be 'brand new'? If yes, should I fix it in this PR or open a new one?
This should be "brand new"; you can fix it in this one along with the CN doc.
"chain of trust" is better, pls fix it in both EN and CN doc.
Then the certificate request must wait for the administrator's approval (manual approval is not yet fully supported)
@xiaoyuyao @cxorm Could you help review this? Thanks. BTW, I cannot find the request review button on this page.

You can do that on the top right, "reviewers" button. The dropdown list allows you to select reviewers.
In the past, datanode security in Hadoop was implemented by creating a keytab file on the node; Ozone instead uses datanode certificates, so in a secure Ozone cluster the datanode no longer needs Kerberos.
Can we rephrase:
"In the past, datanode security in Hadoop was implemented by creating a keytab file on the node; Ozone instead uses datanode certificates, so in a secure Ozone cluster the datanode no longer needs Kerberos."
=>
"Datanode security in Hadoop is implemented by creating a keytab file for each node. Ozone's datanode security does not depend on Kerberos; it uses datanode certificates instead."
| Property | Description |
|----------|-------------|
| dfs.datanode.kerberos.principal | Service principal name of the datanode <br/> e.g. dn/[email protected] |
| dfs.datanode.keytab.file | Keytab file used by the datanode process |
| hdds.datanode.http.kerberos.principal | Service principal name of the datanode HTTP server |
hdds.datanode.http.kerberos.principal=>hdds.datanode.http.auth.kerberos.principal
Is this a committed change? I notice that it is still hdds.datanode.http.kerberos.principal in the master branch.
Thanks for the link and commit. @smengcl
| Property | Description |
|----------|-------------|
| dfs.datanode.kerberos.principal | Service principal name of the datanode <br/> e.g. dn/[email protected] |
| dfs.datanode.keytab.file | Keytab file used by the datanode process |
| hdds.datanode.http.kerberos.principal | Service principal name of the datanode HTTP server |
| hdds.datanode.http.kerberos.keytab | Keytab file used by the datanode HTTP server |
hdds.datanode.http.kerberos.keytab=>hdds.datanode.http.auth.kerberos.keytab
"Keytab file used by the datanode HTTP server" => "Keytab file used by the datanode HTTP server's service principal to log in"
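The review comments above rename the two HTTP-server Kerberos keys to `hdds.datanode.http.auth.kerberos.principal` and `hdds.datanode.http.auth.kerberos.keytab`. The following is an added example, not part of this PR or of the Ozone project, of a check that reads a Hadoop-style site file (Ozone's ozone-site.xml uses `<property><name>…</name><value>…</value></property>` entries) and reports datanode Kerberos settings that are missing, still present under the old `hdds.datanode.http.kerberos.*` names, or whose principal does not have the `service/host@REALM` shape. The property names come from the table and comments above; the function name, the sample file and the principal-shape rule are this example's own assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// The four datanode Kerberos settings from the table, using the renamed
// HTTP-server keys (hdds.datanode.http.auth.kerberos.*) the review points out.
var requiredKeys = []string{
	"dfs.datanode.kerberos.principal",
	"dfs.datanode.keytab.file",
	"hdds.datanode.http.auth.kerberos.principal",
	"hdds.datanode.http.auth.kerberos.keytab",
}

// Old spellings mapped to their replacements, per the review comments.
var renamedKeys = map[string]string{
	"hdds.datanode.http.kerberos.principal": "hdds.datanode.http.auth.kerberos.principal",
	"hdds.datanode.http.kerberos.keytab":    "hdds.datanode.http.auth.kerberos.keytab",
}

// A Kerberos service principal is service/host@REALM (Hadoop's _HOST placeholder is allowed as host).
var principalRe = regexp.MustCompile(`^[^/@\s]+/[^/@\s]+@[A-Z0-9.-]+$`)

// Hadoop-style site file: <configuration><property><name/><value/></property>...</configuration>
type property struct {
	Name  string `xml:"name"`
	Value string `xml:"value"`
}

type configuration struct {
	Properties []property `xml:"property"`
}

// Findings is what the check reports; slices are sorted for stable output.
type Findings struct {
	Missing       []string          // required keys that are absent or empty
	Deprecated    map[string]string // old key name -> replacement, for old names still present
	BadPrincipals []string          // principal keys whose value is not service/host@REALM
}

// CheckDatanodeKerberosConfig parses a site file and reports missing, renamed and
// malformed datanode Kerberos settings. An old spelling is reported as deprecated and
// does not satisfy the new key: the check does not assume the old name is still honoured.
func CheckDatanodeKerberosConfig(siteXML string) (Findings, error) {
	var cfg configuration
	if err := xml.Unmarshal([]byte(siteXML), &cfg); err != nil {
		return Findings{}, fmt.Errorf("parse site file: %w", err)
	}
	f := Findings{Deprecated: map[string]string{}}
	values := map[string]string{}
	for _, p := range cfg.Properties {
		name := strings.TrimSpace(p.Name)
		if repl, ok := renamedKeys[name]; ok {
			f.Deprecated[name] = repl
		}
		values[name] = strings.TrimSpace(p.Value)
	}
	for _, k := range requiredKeys {
		v, ok := values[k]
		switch {
		case !ok || v == "":
			f.Missing = append(f.Missing, k)
		case strings.HasSuffix(k, ".principal") && !principalRe.MatchString(v):
			f.BadPrincipals = append(f.BadPrincipals, k)
		}
	}
	sort.Strings(f.Missing)
	sort.Strings(f.BadPrincipals)
	return f, nil
}

// Constructed sample: the HTTP principal is still under its old name and the HTTP keytab is absent.
const sampleSiteXML = `<?xml version="1.0"?>
<configuration>
  <property><name>dfs.datanode.kerberos.principal</name><value>dn/_HOST@EXAMPLE.COM</value></property>
  <property><name>dfs.datanode.keytab.file</name><value>/etc/security/keytabs/dn.keytab</value></property>
  <property><name>hdds.datanode.http.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
</configuration>`

func main() {
	f, err := CheckDatanodeKerberosConfig(sampleSiteXML)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, k := range f.Missing {
		fmt.Println("missing:", k)
	}
	for old, repl := range f.Deprecated {
		fmt.Printf("deprecated: %s -> use %s\n", old, repl)
	}
	for _, k := range f.BadPrincipals {
		fmt.Println("malformed principal:", k)
	}
}
```

On the constructed sample the check reports both `hdds.datanode.http.auth.kerberos.*` keys as missing and flags the old principal key as deprecated; running it against a real ozone-site.xml before enabling security catches the rename discussed in this thread before the datanode fails to log in.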
## How to secure a datanode
In Ozone, once a datanode starts and discovers SCM's address, the first thing it does is create a private key and send a certificate request to SCM.
"the first thing the datanode does is create a private key and send a certificate request to SCM" -> "the datanode first creates a private key and sends a certificate request to SCM"
If you run Ozone under a container orchestrator such as Kubernetes, Kubernetes needs to create a one-time token for the datanode, used to prove the identity of the datanode container during startup. (This feature is also under development.)
Once the certificate is issued, the datanode is secured and OM can issue block tokens. If the datanode has no certificate or no SCM root certificate, it automatically registers, downloads SCM's root certificate, and obtains its own certificate.
The original document has a typo here "down load" should be "download"
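To make the enrollment sequence in the doc lines above concrete (the datanode creates a private key and sends a certificate request to SCM; SCM issues the certificate, holding the request when a brand-new datanode without a keytab needs the administrator's manual approval; peers then verify the datanode against SCM's root certificate), here is an added example written for this page using Go's standard crypto/x509 package. It is not Ozone's code: Ozone's actual SCM certificate server, its request protocol and its key formats are not modelled, and NewRootCA, DatanodeCSR, SCMSign, VerifyChain, Enroll and the `approved` flag are this example's own names and assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewRootCA stands in for SCM's self-signed root certificate (constructed, not Ozone's CA).
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "scm-root-ca (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DatanodeCSR is the datanode's first step after it finds SCM: a fresh private key that
// never leaves the node, plus a signed request carrying only its public key and name.
func DatanodeCSR(hostname string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return csrDER, key, err
}

// SCMSign models SCM's side: check the CSR's self-signature (proof the requester holds the
// private key), apply the approval decision, then issue a leaf certificate under the root.
// approved=false models a brand-new datanode without a keytab waiting for the administrator.
func SCMSign(csrDER []byte, root *x509.Certificate, rootKey *ecdsa.PrivateKey, approved bool) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	if !approved {
		return nil, errors.New("certificate request pending administrator approval")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random serial, as a CA should use
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
}

// VerifyChain is what any peer holding SCM's root certificate does with a datanode
// certificate: build the chain back to the root and check the name it was issued for.
func VerifyChain(leafDER []byte, root *x509.Certificate, hostname string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// Enroll runs the flow for one datanode and returns its certificate and the root it must
// trust; an unapproved request yields an error instead of a certificate.
func Enroll(hostname string, approved bool) ([]byte, *x509.Certificate, error) {
	root, rootKey, err := NewRootCA()
	if err != nil {
		return nil, nil, err
	}
	csrDER, _, err := DatanodeCSR(hostname) // the datanode keeps its private key
	if err != nil {
		return nil, nil, err
	}
	leafDER, err := SCMSign(csrDER, root, rootKey, approved)
	return leafDER, root, err
}

func main() {
	leaf, root, err := Enroll("dn1.example.com", true)
	if err != nil {
		fmt.Println("enrollment failed:", err)
		return
	}
	fmt.Println("dn1.example.com verifies:", VerifyChain(leaf, root, "dn1.example.com") == nil)
	fmt.Println("dn2.example.com verifies:", VerifyChain(leaf, root, "dn2.example.com") == nil)
	_, _, err = Enroll("dn3.example.com", false)
	fmt.Println("unapproved request:", err)
}
```

The point of the split into DatanodeCSR, SCMSign and VerifyChain is that only the public key and the datanode's name travel to SCM, SCM gates issuance on both the CSR signature and the approval decision, and a certificate for a different name or from a different root fails VerifyChain, which is the property the OM relies on when it issues block tokens to a datanode.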
xiaoyuyao left a comment
LGTM overall, a few comments added inline.
I used to have that, but now it looks like this.
hdds.datanode.http.kerberos.principal -> hdds.datanode.http.auth.kerberos.principal hdds.datanode.http.kerberos.keytab -> hdds.datanode.http.auth.kerberos.keytab
/retest
Thanks @iamabug for the work,
Thanks @iamabug for the contribution.
Hi @iamabug, can I get your email address? You can send it to [email protected].
Hi @ChenSammi, my email is [email protected]
What changes were proposed in this pull request?
Translation of the doc https://hadoop.apache.org/ozone/docs/0.5.0-beta/security/securingdatanodes.html
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-2766
How was this patch tested?
hugo server