HDDS-2212. Genconf tool should generate config files for secure clust…

hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java

@@ -330,6 +330,8 @@ public final class OzoneConfigKeys {
   public static final String OZONE_HTTP_SECURITY_ENABLED_KEY =
       "ozone.security.http.kerberos.enabled";
   public static final boolean OZONE_HTTP_SECURITY_ENABLED_DEFAULT = false;
+  public static final String OZONE_HTTP_FILTER_INITIALIZERS_KEY =
+      "ozone.http.filter.initializers";
 
   public static final String OZONE_CONTAINER_COPY_WORKDIR =
       "hdds.datanode.replication.work.dir";

hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConsts.java

@@ -430,4 +430,12 @@ private OzoneConsts() {
 
   public static final String SCM_SUB_CA_PREFIX = "scm-sub@";
   public static final String SCM_ROOT_CA_PREFIX = "scm@";
+
+  // Kerberos constants
+  public static final String KERBEROS_CONFIG_VALUE = "kerberos";
+  public static final String HTTP_AUTH_TYPE_SUFFIX = "http.auth.type";
+  public static final String OZONE_SECURITY_ENABLED_SECURE = "true";
+  public static final String OZONE_HTTP_SECURITY_ENABLED_SECURE = "true";
+  public static final String OZONE_HTTP_FILTER_INITIALIZERS_SECURE =
+      "org.apache.hadoop.security.AuthenticationFilterInitializer";
 }

hadoop-hdds/common/src/main/resources/ozone-default.xml

@@ -434,7 +434,7 @@
   </property>
   <property>
     <name>ozone.om.service.ids</name>
-    <value></value>
+    <value/>
     <tag>OM, HA</tag>
     <description>
       Comma-separated list of OM service Ids. This property allows the client
@@ -443,7 +443,7 @@
   </property>
   <property>
     <name>ozone.om.internal.service.id</name>
-    <value></value>
+    <value/>
     <tag>OM, HA</tag>
     <description>
       Service ID of the Ozone Manager. If this is not set fall back to
@@ -452,7 +452,7 @@
   </property>
   <property>
     <name>ozone.om.nodes.EXAMPLEOMSERVICEID</name>
-    <value></value>
+    <value/>
     <tag>OM, HA</tag>
     <description>
       Comma-separated list of OM node Ids for a given OM service ID (eg.
@@ -470,7 +470,7 @@
   </property>
   <property>
     <name>ozone.om.node.id</name>
-    <value></value>
+    <value/>
     <tag>OM, HA</tag>
     <description>
       The ID of this OM node. If the OM node ID is not configured it
@@ -1262,7 +1262,7 @@
 
   <property>
     <name>hdds.datanode.plugins</name>
-    <value></value>
+    <value/>
     <description>
       Comma-separated list of HDDS datanode plug-ins to be activated when
       HDDS service starts as part of datanode.
@@ -1454,6 +1454,37 @@
     </description>
   </property>
 
+  <property>
+    <name>hdds.scm.kerberos.keytab.file</name>
+    <value>/etc/security/keytabs/SCM.keytab</value>
+    <tag>SCM, SECURITY, KERBEROS</tag>
+    <description> The keytab file used by SCM daemon to login as its service principal.
+    </description>
+  </property>
+  <property>
+    <name>hdds.scm.kerberos.principal</name>
+    <value>SCM/_HOST@REALM</value>
+    <tag>SCM, SECURITY, KERBEROS</tag>
+    <description>The SCM service principal. e.g. scm/[email protected]</description>
+  </property>
+  <property>
+    <name>hdds.scm.http.auth.kerberos.principal</name>
+    <value>HTTP/_HOST@REALM</value>
+    <tag>SCM, SECURITY, KERBEROS</tag>
+    <description>
+      SCM http server service principal if SPNEGO is enabled for SCM http server.
+    </description>
+  </property>
+  <property>
+    <name>hdds.scm.http.auth.kerberos.keytab</name>
+    <value>/etc/security/keytabs/HTTP.keytab</value>
+    <tag>SCM, SECURITY, KERBEROS</tag>
+    <description>
+      The keytab file used by SCM http server to login as its service
+      principal if SPNEGO is enabled for SCM http server.
+    </description>
+  </property>
+
   <property>
     <name>ozone.s3g.volume.name</name>
     <value>s3v</value>
@@ -1519,8 +1550,8 @@
 
   <property>
     <name>ozone.s3g.http.auth.kerberos.principal</name>
-    <value/>
-    <tag>OZONE, S3GATEWAY</tag>
+    <value>HTTP/_HOST@REALM</value>
+    <tag>OZONE, S3GATEWAY, SECURITY, KERBEROS</tag>
     <description>The server principal used by Ozone S3Gateway server. This is
       typically set to
       HTTP/[email protected] The SPNEGO server principal begins with the prefix
@@ -1529,8 +1560,8 @@
 
   <property>
     <name>ozone.s3g.http.auth.kerberos.keytab</name>
-    <value/>
-    <tag>OZONE, S3GATEWAY</tag>
+    <value>/etc/security/keytabs/HTTP.keytab</value>
+    <tag>OZONE, S3GATEWAY, SECURITY, KERBEROS</tag>
     <description>The keytab file used by the S3Gateway server to login as its
       service principal. </description>
   </property>
@@ -1547,21 +1578,31 @@
   <property>
     <name>ozone.security.enabled</name>
     <value>false</value>
-    <tag>OZONE, SECURITY</tag>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description>True if security is enabled for ozone. When this property is
      true, hadoop.security.authentication should be Kerberos.
     </description>
   </property>
   <property>
     <name>ozone.security.http.kerberos.enabled</name>
     <value>false</value>
-    <tag>OZONE, SECURITY</tag>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description>True if Kerberos authentication for Ozone HTTP web consoles
       is enabled using the SPNEGO protocol. When this property is
       true, hadoop.security.authentication should be Kerberos and
       ozone.security.enabled should be set to true.
     </description>
   </property>
+  <property>
+    <name>ozone.http.filter.initializers</name>
+    <value/>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
+    <description>Set to org.apache.hadoop.security.AuthenticationFilterInitializer
+      to enable Kerberos authentication for Ozone HTTP web consoles
+      is enabled using the SPNEGO protocol. When this property is
+      set, ozone.security.http.kerberos.enabled should be set to true.
+    </description>
+  </property>
 
 
   <property>
@@ -1760,31 +1801,34 @@
   </property>
   <property>
     <name>ozone.om.kerberos.keytab.file</name>
-    <value></value>
-    <tag> OZONE, SECURITY</tag>
+    <value>/etc/security/keytabs/OM.keytab</value>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description> The keytab file used by OzoneManager daemon to login as its
       service principal. The principal name is configured with
       ozone.om.kerberos.principal.
     </description>
   </property>
   <property>
     <name>ozone.om.kerberos.principal</name>
-    <value></value>
-    <tag> OZONE, SECURITY</tag>
+    <value>OM/_HOST@REALM</value>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description>The OzoneManager service principal. Ex om/[email protected]</description>
   </property>
   <property>
     <name>ozone.om.http.auth.kerberos.principal</name>
-    <value>HTTP/[email protected]</value>
+    <value>HTTP/_HOST@REALM</value>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description>
-      OzoneManager http server kerberos principal.
+      Ozone Manager http server service principal if SPNEGO is enabled for om http server.
     </description>
   </property>
   <property>
     <name>ozone.om.http.auth.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
+    <tag>OZONE, SECURITY, KERBEROS</tag>
     <description>
-      OzoneManager http server kerberos keytab.
+      The keytab file used by OM http server to login as its service
+      principal if SPNEGO is enabled for om http server.
     </description>
   </property>
   <property>
@@ -2233,7 +2277,7 @@
   </property>
   <property>
     <name>ozone.freon.http.auth.kerberos.principal</name>
-    <value>HTTP/_HOST@EXAMPLE.COM</value>
+    <value>HTTP/_HOST@REALM</value>
     <tag>SECURITY</tag>
     <description>
      Security principal used by freon.
@@ -2295,16 +2339,16 @@
 
   <property>
     <name>hdds.datanode.http.auth.kerberos.principal</name>
-    <value>HTTP/_HOST@EXAMPLE.COM</value>
-    <tag>HDDS, SECURITY, MANAGEMENT</tag>
+    <value>HTTP/_HOST@REALM</value>
+    <tag>HDDS, SECURITY, MANAGEMENT, KERBEROS</tag>
     <description>
       The kerberos principal for the datanode http server.
     </description>
   </property>
   <property>
     <name>hdds.datanode.http.auth.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
-    <tag>HDDS, SECURITY, MANAGEMENT</tag>
+    <tag>HDDS, SECURITY, MANAGEMENT, KERBEROS</tag>
     <description>
       The kerberos keytab file for datanode http server
     </description>
@@ -2429,57 +2473,65 @@
   </property>
   <property>
     <name>ozone.recon.http.auth.kerberos.keytab</name>
-    <value/>
-    <tag>RECON, SECURITY</tag>
+    <value>/etc/security/keytabs/HTTP.keytab</value>
+    <tag>RECON, SECURITY, KERBEROS</tag>
     <description>
       The keytab file for HTTP Kerberos authentication in Recon.
     </description>
   </property>
   <property>
     <name>ozone.recon.http.auth.kerberos.principal</name>
-    <value/>
-    <tag>RECON</tag>
+    <value>HTTP/_HOST@REALM</value>
+    <tag>RECON, SECURITY, KERBEROS</tag>
     <description>The server principal used by Ozone Recon server. This is
       typically set to HTTP/[email protected] The SPNEGO server principal
       begins with the prefix HTTP/ by convention.
     </description>
   </property>
   <property>
-    <name>hdds.datanode.http.auth.type </name>
+    <name>hdds.datanode.http.auth.type</name>
     <value>simple</value>
-    <tag>DATANODE, SECURITY</tag>
+    <tag>DATANODE, SECURITY, KERBEROS</tag>
     <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
       will be used for http authentication.
     </description>
   </property>
   <property>
-    <name>ozone.freon.http.auth.type </name>
+    <name>ozone.freon.http.auth.type</name>
     <value>simple</value>
     <tag>FREON, SECURITY</tag>
     <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
       will be used for http authentication.
     </description>
   </property>
   <property>
-    <name>ozone.om.http.auth.type </name>
+    <name>ozone.om.http.auth.type</name>
     <value>simple</value>
-    <tag>OM, SECURITY</tag>
+    <tag>OM, SECURITY, KERBEROS</tag>
+    <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
+      will be used for http authentication.
+    </description>
+  </property>
+  <property>
+    <name>hdds.scm.http.auth.type</name>
+    <value>simple</value>
+    <tag>OM, SECURITY, KERBEROS</tag>
     <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
       will be used for http authentication.
     </description>
   </property>
   <property>
-    <name>ozone.recon.http.auth.type </name>
+    <name>ozone.recon.http.auth.type</name>
     <value>simple</value>
-    <tag>RECON, SECURITY</tag>
+    <tag>RECON, SECURITY, KERBEROS</tag>
     <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
       will be used for http authentication.
     </description>
   </property>
   <property>
-    <name>ozone.s3g.http.auth.type </name>
+    <name>ozone.s3g.http.auth.type</name>
     <value>simple</value>
-    <tag>S3G, SECURITY</tag>
+    <tag>S3G, SECURITY, KERBEROS</tag>
     <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
       will be used for http authentication.
     </description>
@@ -2633,7 +2685,7 @@
   </property>
   <property>
     <name>ozone.http.basedir</name>
-    <value></value>
+    <value/>
     <tag>OZONE, OM, SCM, MANAGEMENT</tag>
     <description>
       The base dir for HTTP Jetty server to extract contents. If this property
@@ -2694,38 +2746,38 @@
   <property>
     <name>ssl.server.keystore.keypassword</name>
     <tag>OZONE, SECURITY, MANAGEMENT</tag>
-    <value></value>
+    <value/>
     <description>Keystore key password for HTTPS SSL configuration
     </description>
   </property>
   <property>
     <name>ssl.server.keystore.location</name>
     <tag>OZONE, SECURITY, MANAGEMENT</tag>
-    <value></value>
+    <value/>
     <description>
       Keystore location for HTTPS SSL configuration
     </description>
   </property>
   <property>
     <name>ssl.server.keystore.password</name>
     <tag>OZONE, SECURITY, MANAGEMENT</tag>
-    <value></value>
+    <value/>
     <description>
       Keystore password for HTTPS SSL configuration
     </description>
   </property>
   <property>
     <name>ssl.server.truststore.location</name>
     <tag>OZONE, SECURITY, MANAGEMENT</tag>
-    <value></value>
+    <value/>
     <description>
       Truststore location for HTTPS SSL configuration
     </description>
   </property>
   <property>
     <name>ssl.server.truststore.password</name>
     <tag>OZONE, SECURITY, MANAGEMENT</tag>
-    <value></value>
+    <value/>
     <description>
       Truststore password for HTTPS SSL configuration
     </description>

hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java

@@ -19,6 +19,7 @@
 
 import org.apache.hadoop.conf.TestConfigurationFieldsBase;
 import org.apache.hadoop.hdds.HddsConfigKeys;
+import org.apache.hadoop.hdds.scm.ScmConfig;
 import org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig;
 import org.apache.hadoop.ozone.om.OMConfigKeys;
 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
@@ -48,7 +49,9 @@ public void initializeMemberVariables() {
             OMConfigKeys.class, HddsConfigKeys.class,
             ReconServerConfigKeys.class,
             S3GatewayConfigKeys.class,
-            SCMHTTPServerConfig.class
+            SCMHTTPServerConfig.class,
+            SCMHTTPServerConfig.ConfigStrings.class,
+            ScmConfig.ConfigStrings.class
         };
     errorIfMissingConfigProps = true;
     errorIfMissingXmlProps = true;