Security — Apache Ozone
The tdp-ozone chart supports AWS Signature Version 4 authentication on the S3 Gateway. The gateway reads its credentials from the Kubernetes Secret ozone-s3-credentials; when authentication is enabled, every request to the S3 endpoint must be signed with those credentials.
S3 Gateway Authentication
The Ozone S3 Gateway exposes an S3-compatible endpoint. Authentication uses AWS Signature Version 4 in simple mode (without Kerberos): the client signs each request with its secret key, and the gateway verifies the signature against the key pair stored in the Secret. The secret key itself is never transmitted, only the signature derived from it.

| Parameter | Description | Default |
|---|---|---|
| ozone.s3g.auth.enabled | Enables authentication on the S3 Gateway | true |
| ozone.s3g.auth.secretName | Name of the Secret containing the S3 credentials | ozone-s3-credentials |
Create the credentials Secret
Before deployment, create the Secret in the namespace where Ozone will be installed:

```shell
kubectl -n <namespace> create secret generic ozone-s3-credentials \
  --from-literal=aws_access_key_id="<ACCESS_KEY_ID>" \
  --from-literal=aws_secret_access_key="<SECRET_ACCESS_KEY>"
```
| Key | Description |
|---|---|
| aws_access_key_id | Credential identifier (equivalent to the AWS access key ID) |
| aws_secret_access_key | Secret key used to sign requests |
Configuration in values.yaml
```yaml
ozone:
  s3g:
    auth:
      enabled: true
      secretName: ozone-s3-credentials
```
Accessing the S3 Gateway with authentication
After creating the Secret, configure the AWS CLI with the same key pair. A region must be set because it is part of the SigV4 signing scope; this example uses us-east-1:

```shell
aws configure set aws_access_key_id <ACCESS_KEY_ID>
aws configure set aws_secret_access_key <SECRET_ACCESS_KEY>
aws configure set region us-east-1

# Test bucket listing
aws s3 ls --endpoint-url=http://ozone-s3.local
```

For access via port-forward:

```shell
kubectl -n <namespace> port-forward svc/<release>-s3g-rest 9878:9878
aws s3 ls --endpoint-url=http://localhost:9878
```

Both endpoints above are plain HTTP. SigV4 authenticates each request but does not encrypt it, so bucket names and object data cross the network in cleartext unless TLS is terminated in front of the gateway.
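To see what the gateway actually verifies, and to smoke-test the endpoint without the AWS CLI, the script below signs a request with AWS Signature Version 4 using only the Python standard library and sends one unsigned and one signed GET to the gateway. It is an added example, not code from the tdp-ozone chart or from Apache Ozone. It assumes the gateway URL is passed as the first argument (default http://localhost:9878, i.e. the port-forward above) and reads the key pair from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables; the signer is generic SigV4, checked against the AWS-published S3 GET Object test vector, so it works for any S3-compatible endpoint and not only Ozone.

```python
"""Smoke-test AWS Signature V4 authentication on an Ozone S3 Gateway.

Added example (not part of the tdp-ozone chart or Apache Ozone). Uses only
the standard library. Assumed inputs: gateway URL as argv[1] (default
http://localhost:9878) and the key pair in AWS_ACCESS_KEY_ID /
AWS_SECRET_ACCESS_KEY.
"""
import datetime as dt
import hashlib
import hmac
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day signing key; the secret itself never leaves the client."""
    k = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k = hmac_sha256(k, region)
    k = hmac_sha256(k, service)
    return hmac_sha256(k, "aws4_request")


def canonical_query(query: str) -> str:
    """Sort and percent-encode query parameters (assumes they are given unencoded)."""
    pairs = []
    for item in query.split("&") if query else []:
        name, _, value = item.partition("=")
        pairs.append((quote(name, safe="-_.~"), quote(value, safe="-_.~")))
    return "&".join(f"{n}={v}" for n, v in sorted(pairs))


def amz_datetime(stamp: str) -> dt.datetime:
    """Parse an x-amz-date value (YYYYMMDDTHHMMSSZ) into an aware UTC datetime."""
    return dt.datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def sign_request(method, url, access_key, secret_key, *, region="us-east-1",
                 service="s3", extra_headers=None, payload=b"", now=None):
    """Return the headers (host, x-amz-*, authorization) of a SigV4-signed request.

    `now` may be pinned for reproducible output; it defaults to the current UTC time.
    """
    parts = urlsplit(url)
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = hashlib.sha256(payload).hexdigest()

    # Headers covered by the signature: lowercase names, trimmed values, sorted by name.
    headers = {"host": parts.netloc,
               "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}
    for name, value in (extra_headers or {}).items():
        headers[name.lower()] = " ".join(value.split())
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in sorted(headers))

    canonical_request = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/~"),
        canonical_query(parts.query),
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def fetch(url, headers=None):
    """GET url and return (status, body); HTTP error statuses are results, not exceptions."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    endpoint = (sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9878").rstrip("/") + "/"
    access_key = os.environ["AWS_ACCESS_KEY_ID"]
    secret_key = os.environ["AWS_SECRET_ACCESS_KEY"]
    status, _ = fetch(endpoint)
    print(f"unsigned GET / -> {status} (must be rejected when auth is enabled)")
    status, body = fetch(endpoint, sign_request("GET", endpoint, access_key, secret_key))
    print(f"signed   GET / -> {status}")
    print(body[:500])
```

The first request carries no Authorization header and must fail when ozone.s3g.auth.enabled is true; the second should return the bucket listing as XML. If the signed request is rejected too, compare the key pair in the environment with the Secret before suspecting the client: the signature is computed from the secret key on the client side and recomputed from the Secret on the gateway side, so any mismatch between the two yields the same 403 as a wrong password.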
Best practices
| Aspect | Recommendation |
|---|---|
| Credentials | Never commit aws_access_key_id or aws_secret_access_key to a Git repository, values files included; prefer creating the Secret from a file or a secret manager rather than typing the values as literals on an interactive shell, where they end up in the shell history |
| Rotation | Recreate the Secret with the new key pair and restart the S3 Gateway pods so they pick it up; update every client at the same time, since the old pair stops working once the Secret is replaced |
| Clients | The Secret holds a single key pair, so every service that accesses Ozone through this gateway must be configured with those same credentials |
Troubleshooting
| Problem | Probable cause | Solution |
|---|---|---|
| 403 error on S3 access | Incorrect credentials or missing Secret | Check Secret ozone-s3-credentials in the namespace |
| S3 Gateway does not start | Referenced Secret does not exist | Create the Secret before deployment |
| Access denied via AWS CLI | Incorrect region or endpoint | Check --endpoint-url and configured region |
For the full list of parameters, use helm show values on the version of the chart you installed.