Securing HTTP

By default, the Ozone HTTP web-consoles (OM, SCM, S3G, Recon, Datanode) allow access without authentication. This corresponds to the following default configuration:

| Property | Value |
|---|---|
| hadoop.security.authentication | simple |
| ozone.security.http.kerberos.enabled | false |

If you have an SPNEGO-enabled Ozone cluster and want to disable it for all Ozone services, make sure these two keys are set to the values above.

Kerberos based SPNEGO authentication

However, the web-consoles can be configured to require Kerberos authentication using the HTTP SPNEGO protocol (supported by browsers such as Firefox and Chrome). To achieve that, the following cluster-wide keys must be configured first; the per-service keys below have no effect without them.

| Property | Value |
|---|---|
| hadoop.security.authentication | kerberos |
| ozone.security.http.kerberos.enabled | true |
| ozone.http.filter.initializers | org.apache.hadoop.security.AuthenticationFilterInitializer |

Enable SPNEGO authentication for OM HTTP

| Property | Value |
|---|---|
| ozone.om.http.auth.type | kerberos |
| ozone.om.http.auth.kerberos.principal | HTTP/_HOST@REALM |
| ozone.om.http.auth.kerberos.keytab | /path/to/HTTP.keytab |

Enable SPNEGO authentication for S3G HTTP

| Property | Value |
|---|---|
| ozone.s3g.http.auth.type | kerberos |
| ozone.s3g.http.auth.kerberos.principal | HTTP/_HOST@REALM |
| ozone.s3g.http.auth.kerberos.keytab | /path/to/HTTP.keytab |

Enable SPNEGO authentication for SCM HTTP

| Property | Value |
|---|---|
| hdds.scm.http.auth.type | kerberos |
| hdds.scm.http.auth.kerberos.principal | HTTP/_HOST@REALM |
| hdds.scm.http.auth.kerberos.keytab | /path/to/HTTP.keytab |

Enable SPNEGO authentication for DATANODE HTTP

| Property | Value |
|---|---|
| hdds.datanode.http.auth.type | kerberos |
| hdds.datanode.http.auth.kerberos.principal | HTTP/_HOST@REALM |
| hdds.datanode.http.auth.kerberos.keytab | /path/to/HTTP.keytab |

Note: the Ozone datanode does not have a default webpage, so "/" or "/index.html" cannot be accessed. It does, however, expose the standard servlets such as /jmx, /conf and /jstack over HTTP, which is why its web-console should be protected like the others.

In addition, the Ozone HTTP web-consoles support the equivalent of Hadoop's Pseudo/Simple authentication. If this option is enabled, the user name must be specified in the first browser interaction using the user.name query string parameter, e.g., .

Enable SIMPLE authentication for OM HTTP

| Property | Value |
|---|---|
| ozone.om.http.auth.type | simple |
| ozone.om.http.auth.simple.anonymous_allowed | false |

If you don't want to specify user.name in the query string, set ozone.om.http.auth.simple.anonymous_allowed to true.

Enable SIMPLE authentication for RECON HTTP

| Property | Value |
|---|---|
| ozone.recon.http.auth.type | simple |
| ozone.recon.http.auth.simple.anonymous_allowed | false |

If you don't want to specify user.name in the query string, set ozone.recon.http.auth.simple.anonymous_allowed to true.

Enable SIMPLE authentication for SCM HTTP

| Property | Value |
|---|---|
| hdds.scm.http.auth.type | simple |
| hdds.scm.http.auth.simple.anonymous_allowed | false |

If you don't want to specify user.name in the query string, set hdds.scm.http.auth.simple.anonymous_allowed to true.

Enable SIMPLE authentication for DATANODE HTTP

| Property | Value |
|---|---|
| hdds.datanode.http.auth.type | simple |
| hdds.datanode.http.auth.simple.anonymous_allowed | false |

If you don't want to specify user.name in the query string, set hdds.datanode.http.auth.simple.anonymous_allowed to true.
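As an added example (not part of the Ozone documentation or code base), the following Python audit parses an ozone-site.xml and reports, per service, any web-console whose settings do not match the locked-down configurations listed on this page. The property names are the page's own; the rule that an unset or non-kerberos key counts as a finding is this example's conservative assumption, and the sample XML is constructed, not taken from a real cluster.

```python
import xml.etree.ElementTree as ET

# Per-service property prefixes, exactly as listed in the tables on this page.
SERVICE_PREFIX = {"om": "ozone.om.http.auth", "s3g": "ozone.s3g.http.auth",
                  "scm": "hdds.scm.http.auth", "datanode": "hdds.datanode.http.auth",
                  "recon": "ozone.recon.http.auth"}
# Cluster-wide keys that must be set before any per-service SPNEGO setting takes effect.
GLOBAL_SPNEGO = {"hadoop.security.authentication": "kerberos",
                 "ozone.security.http.kerberos.enabled": "true",
                 "ozone.http.filter.initializers": "org.apache.hadoop.security.AuthenticationFilterInitializer"}

def parse_site_xml(text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        if name := prop.findtext("name"):
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_http_auth(props):
    """Map each service to a finding when its web-console is not explicitly locked down (assumption: unset = open)."""
    findings = {}
    globals_ok = all(props.get(k) == v for k, v in GLOBAL_SPNEGO.items())
    for svc, prefix in SERVICE_PREFIX.items():
        auth = props.get(f"{prefix}.type")
        if auth == "kerberos":
            missing = [k for k in ("principal", "keytab") if not props.get(f"{prefix}.kerberos.{k}")]
            if missing:
                findings[svc] = "kerberos without " + ", ".join(missing)
            elif not globals_ok:
                findings[svc] = "kerberos set but cluster-wide SPNEGO keys are not"
        elif auth == "simple":
            if props.get(f"{prefix}.simple.anonymous_allowed") != "false":
                findings[svc] = "simple auth without anonymous_allowed=false"
        else:
            findings[svc] = f"auth type {auth!r}: console is open"
    return findings

# Constructed sample ozone-site.xml, not taken from a real cluster.
SAMPLE_OZONE_SITE = "<configuration>" + "".join(
    f"<property><name>{k}</name><value>{v}</value></property>" for k, v in {
        **GLOBAL_SPNEGO,
        "ozone.om.http.auth.type": "kerberos",
        "ozone.om.http.auth.kerberos.principal": "HTTP/_HOST@REALM",
        "ozone.om.http.auth.kerberos.keytab": "/path/to/HTTP.keytab",
        "hdds.scm.http.auth.type": "kerberos",            # keytab forgotten
        "hdds.scm.http.auth.kerberos.principal": "HTTP/_HOST@REALM",
        "ozone.recon.http.auth.type": "simple",
        "ozone.recon.http.auth.simple.anonymous_allowed": "true",
    }.items()) + "</configuration>"
```

Running `audit_http_auth(parse_site_xml(SAMPLE_OZONE_SITE))` on the sample flags SCM (no keytab), Recon (anonymous allowed), S3G and the datanode (nothing configured), while OM passes.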