smengcl commented on code in PR #8530:
URL: https://github.com/apache/ozone/pull/8530#discussion_r2125022609
##########
hadoop-hdds/docs/content/security/SecuringTDE.md:
##########
@@ -112,25 +128,25 @@ However, in buckets with `FILE_SYSTEM_OPTIMIZED` layout,
some irregular S3 key
names may be rejected or normalized, which can be undesired.
See [Prefix based File System Optimization]({{< relref
"../feature/PrefixFSO.md" >}}) for more information.
-In non-secure mode, the user running the S3Gateway daemon process is the proxy
user,
-while in secure mode the S3Gateway Kerberos principal
(ozone.s3g.kerberos.principal) is the proxy user.
-S3Gateway proxy's all the users accessing the encrypted buckets to decrypt the
key.
-For this purpose on security enabled cluster, during S3Gateway server startup
-logins using configured
-**ozone.s3g.kerberos.keytab.file** and **ozone.s3g.kerberos.principal**.
+When accessing an S3G-enabled encrypted bucket:
+
+* **Secure Mode (Kerberos enabled):**
+ The S3 Gateway proxy user (configured by `ozone.s3g.proxy.user`) must have
permissions to decrypt the encryption key. This user also needs proxy user
privileges for the end-user (e.g., be configured as a proxy user in
`core-site.xml` for Hadoop’s proxy user mechanism).
+* **Non-Secure Mode:**
+ The user running the S3 Gateway (typically the user who started the S3G
daemon) must have permissions to decrypt the encryption key.
-The below two configurations must be added to the kms-site.xml to allow the
S3Gateway principal to act as a proxy for other users. In this example,
"ozone.s3g.kerberos.principal" is assumed to be "s3g"
+The below two configurations must be added to the kms-site.xml to allow the
S3Gateway principal to act as a proxy for other users. In this example, "ozone.
+s3g.kerberos.principal" is assumed to be "s3g"
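Review bot: The new Secure Mode bullet names `ozone.s3g.proxy.user` as the property that defines the proxy user, while the paragraph that follows (and the removed lines) still identify the Kerberos principal `ozone.s3g.kerberos.principal` (assumed `s3g`) as the identity that proxies for other users in `kms-site.xml`. An operator reading this cannot tell which value to put in the kms-site.xml proxy-user entries; either state that the proxy identity is the Kerberos principal and drop the reference to `ozone.s3g.proxy.user`, or explain how the two properties relate. The removed text also recorded that S3Gateway logs in at startup with `ozone.s3g.kerberos.keytab.file` and `ozone.s3g.kerberos.principal`; consider keeping that sentence, since it explains how the principal obtains the credentials it uses when decrypting on behalf of end-users. Finally, the added paragraph at the end duplicates the removed one with only different line wrapping, which the inline suggestion below already addresses.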
Review Comment:
```suggestion
The below two configurations must be added to `kms-site.xml` to allow the
S3Gateway principal to act as a proxy for other users. In this example,
`ozone.s3g.kerberos.principal` is assumed to be `s3g`
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]