This is an automated email from the ASF dual-hosted git repository.
kassiez pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris-website.git
The following commit(s) were added to refs/heads/master by this push:
new b9f6d8a89b3 [Doc][Enhancement]kerberos config on kubernetes (#2150)
b9f6d8a89b3 is described below
commit b9f6d8a89b301bd2b467a6f95b86bcba5343fe76
Author: smiletan <[email protected]>
AuthorDate: Tue Apr 22 17:35:53 2025 +0800
[Doc][Enhancement]kerberos config on kubernetes (#2150)
## Versions
- [x] dev
- [x] 3.0
- [x] 2.1
- [ ] 2.0
## Languages
- [x] Chinese
- [x] English
## Docs Checklist
- [ ] Checked by AI
- [ ] Test Cases Built
---
.../install-config-cluster.md | 24 +++++++++++++++++++
.../install-config-cluster.md | 24 +++++++++++++++++++
.../deploy-on-kubernetes/install-config-cluster.md | 23 ++++++++++++++++++
.../install-config-cluster.md | 26 +++++++++++++++++++-
.../deploy-on-kubernetes/install-config-cluster.md | 28 ++++++++++++++++++++--
.../install-config-cluster.md | 24 +++++++++++++++++++
6 files changed, 146 insertions(+), 3 deletions(-)
diff --git
a/docs/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
b/docs/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
index dac68d7bc41..4b3fd411ac0 100644
---
a/docs/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
+++
b/docs/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
@@ -751,3 +751,27 @@ Support configmap monitoring and restart for FE and BE,
Use FE usage as example.
```
2. Update FE service configurations.
When modifying values under the `fe.conf` key in the fe-configmap ConfigMap
(containing FE service configurations), Doris Operator will automatically
perform a rolling restart of FE services to apply changes.
+
+## Using Kerberos Authentication
+The Doris Operator has supported Kerberos authentication for Doris (versions
2.1.9, 3.0.4, and later) in Kubernetes since version 25.2.0. To enable Kerberos
authentication in Doris, both the [krb5.conf
file](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
and [keytab
files](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) are
required.
+The Doris Operator mounts the krb5.conf file using a ConfigMap resource and
mounts the keytab files using a Secret resource. The workflow for enabling
Kerberos authentication is as follows:
+
+1. Create a ConfigMap containing the krb5.conf file:
+ ```shell
+ kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
+ ```
+ Replace ${namespace} with the namespace where the DorisCluster is deployed,
and ${name} with the desired name for the ConfigMap.
+2. Create a Secret containing the keytab files:
+ ```shell
+ kubectl create -n ${namespace} secret generic ${name}
--from-file=${xxx.keytab}
+ ```
+ Replace ${namespace} with the namespace where the DorisCluster is deployed,
and ${name} with the desired name for the Secret. If multiple keytab files need
to be mounted, refer to the [kubectl create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
+3. Configure the DorisCluster resource to specify the ConfigMap containing
krb5.conf and the Secret containing keytab files:
+ ```yaml
+ spec:
+ kerberosInfo:
+ krb5ConfigMap: ${krb5ConfigMapName}
+ keytabSecretName: ${keytabSecretName}
+ keytabPath: ${keytabPath}
+ ```
+ ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file.
${keytabSecretName}: Name of the Secret containing the keytab files.
${keytabPath}: The directory path in the container where the Secret mounts the
keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/catalogs/hive-catalog.md#configuring-catalog)
documentation.
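Review bot: In step 2, the placeholder `${xxx.keytab}` is not a valid shell variable name because of the dot, so the command fails with a bad-substitution error if it is pasted as written, whereas `${namespace}` and `${name}` can at least be set as variables beforehand. Consider a placeholder such as `--from-file=${keytabFile}` or an angle-bracket form. Steps 1 and 2 also both use `${name}` for two different objects while step 3 calls them `${krb5ConfigMapName}` and `${keytabSecretName}`; using the step 3 names in the `kubectl` commands would make the mapping explicit.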
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
index 572e244ad81..3d6b557f728 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
@@ -902,3 +902,27 @@ spec:
```
2. 更新 `fe-configmap` 里面指定的 FE 服务启动配置。
当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值( FE 服务的启动配置)后,Doris Operator 自动滚动重启
FE 服务使配置生效。
+
+## 使用 Kerberos 认证
+Doris Operator 从 25.2.0 版本开始支持 Doris (2.1.9 和 3.0.4 及以后版本) 在 Kubernetes 使用
Kerberos 认证。 Doris 使用 Kerberos 认证需要使用
[krb5.conf](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
和 [keytab
文件](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) 。
+Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret` 资源挂载 keytab 文件。使用
Kerberos 认证流程如下:
+1. 构建包含 krb5.conf 文件的 ConfigMap:
+ ```shell
+ kubectl create -n ${namespace} create configmap ${name}
--from-file=krb5.conf
+ ```
+ ${namespace} 为 `DorisCluster` 部署的命名空间,${name} 为 ConfigMap 想要指定的名字。
+2. 构建包含 keytab 的 Secret:
+ ```shell
+ kubectl create -n ${namespace} secret generic ${name} --from-file=
${xxx.keytab}
+ ```
+ ${namespace} 为 `DorisCluster` 部署的命名空间,${name} 为 Secret 想要指定的名字,如果需要挂载多个
`keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
+3. 配置 DorisCluster 资源,指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab` 文件的 Secret。
+ ```yaml
+ spec:
+ kerberosInfo:
+ krb5ConfigMap: ${krb5ConfigMapName}
+ keytabSecretName: ${keytabSecretName}
+ keytabPath: ${keytabPath}
+ ```
+ ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+ catalog 请参考配置 [Hive
Catalog](../../../lakehouse/catalogs/hive-catalog.md#配置-catalog) 文档。
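Review bot: The step 1 command repeats the subcommand: `kubectl create -n ${namespace} create configmap ${name}` has `create` twice and will not run as written. The English hunk for the same step uses `kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf`, so the second `create` should be dropped here to match.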
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
index 553494c7171..ecf9c76fd74 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
@@ -903,3 +903,26 @@ spec:
2. 更新 `fe-configmap` 里面指定的 FE 服务启动配置。
当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值( FE 服务的启动配置)后,Doris Operator
自动滚动重启 FE 服务使配置生效。
+## 使用 Kerberos 认证
+Doris Operator 从 25.2.0 版本开始支持 Doris (2.1.9 和 3.0.4 及以后版本) 在 Kubernetes 使用
Kerberos 认证。 Doris 使用 Kerberos 认证需要使用
[krb5.conf](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
和 [keytab
文件](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) 。
+Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret` 资源挂载 keytab 文件。使用
Kerberos 认证流程如下:
+1. 构建包含 krb5.conf 文件的 ConfigMap:
+ ```shell
+ kubectl create -n ${namespace} create configmap ${name}
--from-file=krb5.conf
+ ```
+ ${namespace} 为 `DorisCluster` 部署的命名空间,${name} 为 ConfigMap 想要指定的名字。
+2. 构建包含 keytab 的 Secret:
+ ```shell
+ kubectl create -n ${namespace} secret generic ${name} --from-file=
${xxx.keytab}
+ ```
+ ${namespace} 为 `DorisCluster` 部署的命名空间,${name} 为 Secret 想要指定的名字,如果需要挂载多个
`keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
+3. 配置 DorisCluster 资源,指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab` 文件的 Secret。
+ ```yaml
+ spec:
+ kerberosInfo:
+ krb5ConfigMap: ${krb5ConfigMapName}
+ keytabSecretName: ${keytabSecretName}
+ keytabPath: ${keytabPath}
+ ```
+ ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+ atalog 请参考配置 [Hive
Catalog](../../lakehouse/datalake-analytics/hive.md#catalog-配置) 文档。
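Review bot: The last added paragraph has a typo: the line beginning `atalog 请参考配置` is missing its leading `c` (the other zh-CN hunks read `catalog 请参考配置`). Two further points in this hunk: step 1 repeats `create` in `kubectl create -n ${namespace} create configmap ${name}`, and the heading `## 使用 Kerberos 认证` is added directly after the preceding paragraph with no blank line, unlike the other files, where an empty `+` line separates them.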
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
index 08f7385f7d4..ed840d21f83 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
@@ -924,4 +924,28 @@ spec:
```
2. 更新 `fe-configmap` 里面指定的 FE 服务启动配置。
-当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值 (为 FE 服务的启动配置) 后,Doris Operator
自动滚动重启 FE 服务使配置生效。
\ No newline at end of file
+当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值 (为 FE 服务的启动配置) 后,Doris Operator
自动滚动重启 FE 服务使配置生效。
+
+## 使用 Kerberos 认证
+Doris Operator 从 25.2.0 版本开始支持 Doris (2.1.9 和 3.0.4 及以后版本) 在 Kubernetes 使用
Kerberos 认证。 Doris 使用 Kerberos 认证需要使用
[krb5.conf](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
和 [keytab
文件](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) 。
+Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret` 资源挂载 keytab 文件。使用
Kerberos 认证流程如下:
+1. 构建包含 krb5.conf 文件的 ConfigMap:
+ ```shell
+ kubectl create -n ${namespace} create configmap ${name}
--from-file=krb5.conf
+ ```
+ ${namespace} 为 `DorisCluster` 部署的命名空间,${name} 为 ConfigMap 想要指定的名字。
+2. 构建包含 keytab 的 Secret:
+ ```shell
+ kubectl create -n ${namespace} secret generic ${name} --from-file=
${xxx.keytab}
+ ```
+ ${namespace} 为 `DorisCluster` 部署的命名空间,${name} 为 Secret 想要指定的名字,如果需要挂载多个
`keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
+3. 配置 DorisCluster 资源,指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab` 文件的 Secret。
+ ```yaml
+ spec:
+ kerberosInfo:
+ krb5ConfigMap: ${krb5ConfigMapName}
+ keytabSecretName: ${keytabSecretName}
+ keytabPath: ${keytabPath}
+ ```
+ ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+ catalog 请参考配置 [Hive
Catalog](../../../lakehouse/datalake-analytics/hive.md#catalog-配置) 文档。
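Review bot: Step 1 again reads `kubectl create -n ${namespace} create configmap ${name}`; the duplicated `create` needs removing, as in the English text of the same section. Since the same block is copied into three zh-CN files, it is worth fixing all three in one follow-up so the versions do not drift.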
diff --git
a/versioned_docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
b/versioned_docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
index c7171af715d..e2d634913c2 100644
---
a/versioned_docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
+++
b/versioned_docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md
@@ -517,7 +517,7 @@ mysql -h
ac4828493dgrftb884g67wg4tb68gyut-1137856348.us-east-1.elb.amazonaws.com
```
## Configuring the username and password for the management cluster
-Managing Doris nodes requires connecting to the live FE nodes via the MySQL
protocol using a username and password for administrative operations. Doris
implements [a permission management mechanism similar to RBAC](
../../admin-manual/auth/authentication-and-authorization), where the user must
have the
[Node_priv](../../admin-manual/auth/authentication-and-authorization#Types of
Permissions) permission to perform node management. By default, the Doris
Operator deploys the cluster with th [...]
+Managing Doris nodes requires connecting to the live FE nodes via the MySQL
protocol using a username and password for administrative operations. Doris
implements [a permission management mechanism similar to RBAC](
../../admin-manual/auth/authentication-and-authorization), where the user must
have the
[Node_priv](../../admin-manual/auth/authentication-and-authorization.md#types-of-permissions)
permission to perform node management. By default, the Doris Operator deploys
the cluster with [...]
The process of configuring the username and password can be divided into three
scenarios:
- initializing the root user password during cluster deployment;
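Review bot: The two links to the same page on the changed line now use different forms: the `Node_priv` link was updated to `authentication-and-authorization.md#types-of-permissions`, but the RBAC link just before it still points to `../../admin-manual/auth/authentication-and-authorization` without the `.md` extension. Consider giving both the same form so they resolve the same way.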
@@ -664,7 +664,7 @@ After deployment, please set the root password. Doris
Operator will switch to us
:::
### Setting the root user password after cluster deployment
-After deploying the Doris cluster and setting the root user's password, it's
essential to create a management user with the necessary
[Node_priv](../../admin-manual/auth/authentication-and-authorization#Types of
Permissions) permission to allow Doris Operator to automatically manage the
cluster nodes. Using the root user for this purpose is not recommended.
Instead, please refer to [the User Creation and Permission Assignment
Section](../../sql-manual/sql-statements/account-management/CR [...]
+After deploying the Doris cluster and setting the root user's password, it's
essential to create a management user with the necessary
[Node_priv](../../admin-manual/auth/authentication-and-authorization.md#types-of-permissions)
permission to allow Doris Operator to automatically manage the cluster nodes.
Using the root user for this purpose is not recommended. Instead, please refer
to [the User Creation and Permission Assignment
Section](../../sql-manual/sql-statements/account-management [...]
#### Step 1: Create a user with Node_priv permission
First, connect to the Doris database using the MySQL protocol, then create a
new user with the required permissions:
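Review bot: This anchor fix (`#Types of Permissions` to `.md#types-of-permissions`) is unrelated to the Kerberos section named in the commit title and is applied only in this file. A line in the commit message noting the link repair would make it easier to find later.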
@@ -749,3 +749,27 @@ Support configmap monitoring and restart for FE and BE,
Use FE usage as example.
```
2. Update FE service configurations.
When modifying values under the `fe.conf` key in the fe-configmap ConfigMap
(containing FE service configurations), Doris Operator will automatically
perform a rolling restart of FE services to apply changes.
+
+## Using Kerberos Authentication
+The Doris Operator has supported Kerberos authentication for Doris (versions
2.1.9, 3.0.4, and later) in Kubernetes since version 25.2.0. To enable Kerberos
authentication in Doris, both the [krb5.conf
file](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
and [keytab
files](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) are
required.
+The Doris Operator mounts the krb5.conf file using a ConfigMap resource and
mounts the keytab files using a Secret resource. The workflow for enabling
Kerberos authentication is as follows:
+
+1. Create a ConfigMap containing the krb5.conf file:
+ ```shell
+ kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
+ ```
+ Replace ${namespace} with the namespace where the DorisCluster is
deployed, and ${name} with the desired name for the ConfigMap.
+2. Create a Secret containing the keytab files:
+ ```shell
+ kubectl create -n ${namespace} secret generic ${name}
--from-file=${xxx.keytab}
+ ```
+ Replace ${namespace} with the namespace where the DorisCluster is
deployed, and ${name} with the desired name for the Secret. If multiple keytab
files need to be mounted, refer to the [kubectl create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
+3. Configure the DorisCluster resource to specify the ConfigMap containing
krb5.conf and the Secret containing keytab files:
+ ```yaml
+ spec:
+ kerberosInfo:
+ krb5ConfigMap: ${krb5ConfigMapName}
+ keytabSecretName: ${keytabSecretName}
+ keytabPath: ${keytabPath}
+ ```
+ ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file.
${keytabSecretName}: Name of the Secret containing the keytab files.
${keytabPath}: The directory path in the container where the Secret mounts the
keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../lakehouse/datalake-analytics/hive.md#catalog-configuration)
documentation.
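Review bot: The closing paragraph of step 3 runs the three parameter descriptions together and leaves the relation between `keytabPath` and `hadoop.kerberos.keytab` ambiguous: `keytabPath` is described as a directory, while the text says it should match "the directory specified by hadoop.kerberos.keytab". Suggest formatting the three placeholders as a list and stating directly that `keytabPath` is the directory that contains the keytab file referenced by `hadoop.kerberos.keytab`, ideally with one concrete pair of values.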
diff --git
a/versioned_docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
b/versioned_docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
index 867b433ca27..d77d566c564 100644
---
a/versioned_docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
+++
b/versioned_docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md
@@ -751,3 +751,27 @@ Support configmap monitoring and restart for FE and BE,
Use FE usage as example.
```
2. Update FE service configurations.
When modifying values under the `fe.conf` key in the fe-configmap ConfigMap
(containing FE service configurations), Doris Operator will automatically
perform a rolling restart of FE services to apply changes.
+
+## Using Kerberos Authentication
+The Doris Operator has supported Kerberos authentication for Doris (versions
2.1.9, 3.0.4, and later) in Kubernetes since version 25.2.0. To enable Kerberos
authentication in Doris, both the [krb5.conf
file](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
and [keytab
files](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) are
required.
+The Doris Operator mounts the krb5.conf file using a ConfigMap resource and
mounts the keytab files using a Secret resource. The workflow for enabling
Kerberos authentication is as follows:
+
+1. Create a ConfigMap containing the krb5.conf file:
+ ```shell
+ kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
+ ```
+ Replace ${namespace} with the namespace where the DorisCluster is deployed,
and ${name} with the desired name for the ConfigMap.
+2. Create a Secret containing the keytab files:
+ ```shell
+ kubectl create -n ${namespace} secret generic ${name}
--from-file=${xxx.keytab}
+ ```
+ Replace ${namespace} with the namespace where the DorisCluster is deployed,
and ${name} with the desired name for the Secret. If multiple keytab files need
to be mounted, refer to the [kubectl create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
+3. Configure the DorisCluster resource to specify the ConfigMap containing
krb5.conf and the Secret containing keytab files:
+ ```yaml
+ spec:
+ kerberosInfo:
+ krb5ConfigMap: ${krb5ConfigMapName}
+ keytabSecretName: ${keytabSecretName}
+ keytabPath: ${keytabPath}
+ ```
+ ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file.
${keytabSecretName}: Name of the Secret containing the keytab files.
${keytabPath}: The directory path in the container where the Secret mounts the
keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/datalake-analytics/hive.md#catalog-configuration)
documentation.
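Review bot: The new section does not say what happens when the krb5.conf ConfigMap or the keytab Secret is updated after deployment. The context lines just above state that changing `fe.conf` in the ConfigMap triggers an automatic rolling restart of FE; readers will expect the same statement here, particularly for keytab rotation. Please add a sentence saying whether the Operator restarts the services on such a change or whether a manual restart is needed.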