HDDS-10328. Support cross realm Kerberos out of box.

[jojochuang]

What changes were proposed in this pull request?

Add a default value "*" for the configuration property ozone.om.kerberos.principal.pattern to support accessing Ozone cluster in other Kerberos realms.

Please describe your PR in detail:

• Follow what was done in HDFS-7546.
• Currently we simply workaround the issue by adding the property to the command line. Adding it to the default makes Ozone more user friendly. E.g.
  hdfs dfs -Dozone.om.kerberos.principal.pattern=* -ls ofs://ozone1707264383/vol1/bucket1/

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-10328

How was this patch tested?

[smengcl]

lgtm. Thanks @jojochuang !

[Galsza]

Thank for the patch @jojochuang .

I have two minor questions:
Did you test this change if it really solves the issue?

The default value * this is a looser security option than making the user manually change the config so that they allow cross-realm for ozone. Is it better to enable all realms by default and make the user config it if they want something stricter,
or is it better to disable all realms by default but letting the user know they can config it? I'm fine with either way but the second one seems more secure. (I know it defaults to enabled in HDFS, I just wanted to ask if we want to go the same way with ozone)

[jojochuang]

@Galsza yes this configuration value addresses the issue.

IMO
the Kerberos realms already provide the authentication required between the group of hosts.
It is already difficult to try and to set up cross realm communication and this is an unnecessary gotcha.

Or put this way: if a user can easily work around this level of protection with a command line property, then it's not really giving any more safety.

[Galsza]

@jojochuang Thanks for both of the detailed answers it's clear to me now. LGTM +1

[jojochuang]

Thanks @smengcl @Galsza this PR is merged.

[szetszwo]

+1 the change looks good.