7 年之前 · ff61931f91
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
@@ -167,7 +167,7 @@ public class KerberosUtil {
 
															   }
														
 
															   /* Return fqdn of the current host */
														
 
															-  static String getLocalHostName() throws UnknownHostException {
														
 
															+  public static String getLocalHostName() throws UnknownHostException {
														
 
															     return InetAddress.getLocalHost().getCanonicalHostName();
														
 
															   }
														
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfigurationFieldsBase.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfigurationFieldsBase.java
@@ -436,6 +436,8 @@ public abstract class TestConfigurationFieldsBase {
 
															     // Create XML key/value map
														
 
															     LOG_XML.debug("Reading XML property files\n");
														
 
															     xmlKeyValueMap = extractPropertiesFromXml(xmlFilename);
														
 
															+    // Remove hadoop property set in ozone-default.xml
														
 
															+    xmlKeyValueMap.remove("hadoop.custom.tags");
														
 
															     LOG_XML.debug("\n=====\n");
														
 
															     // Create default configuration variable key/value map
														
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsUtils.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsUtils.java
@@ -275,18 +275,7 @@ public final class HddsUtils {
 
															   }
														
 
															   public static boolean isHddsEnabled(Configuration conf) {
														
 
															-    String securityEnabled =
														
 
															-        conf.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
														
 
															-            "simple");
														
 
															-    boolean securityAuthorizationEnabled = conf.getBoolean(
														
 
															-        CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false);
														
 
															-
														
 
															-    if (securityEnabled.equals("kerberos") || securityAuthorizationEnabled) {
														
 
															-      LOG.error("Ozone is not supported in a security enabled cluster. ");
														
 
															-      return false;
														
 
															-    } else {
														
 
															-      return conf.getBoolean(OZONE_ENABLED, OZONE_ENABLED_DEFAULT);
														
 
															-    }
														
 
															+    return conf.getBoolean(OZONE_ENABLED, OZONE_ENABLED_DEFAULT);
														
 
															   }
														
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
@@ -205,8 +205,9 @@ public final class ScmConfigKeys {
 
															       "ozone.scm.http-address";
														
 
															   public static final String OZONE_SCM_HTTPS_ADDRESS_KEY =
														
 
															       "ozone.scm.https-address";
														
 
															-  public static final String OZONE_SCM_KEYTAB_FILE =
														
 
															-      "ozone.scm.keytab.file";
														
 
															+  public static final String OZONE_SCM_KERBEROS_KEYTAB_FILE_KEY =
														
 
															+      "ozone.scm.kerberos.keytab.file";
														
 
															+  public static final String OZONE_SCM_KERBEROS_PRINCIPAL_KEY = "ozone.scm.kerberos.principal";
														
 
															   public static final String OZONE_SCM_HTTP_BIND_HOST_DEFAULT = "0.0.0.0";
														
 
															   public static final int OZONE_SCM_HTTP_BIND_PORT_DEFAULT = 9876;
														
 
															   public static final int OZONE_SCM_HTTPS_BIND_PORT_DEFAULT = 9877;
														
@@ -325,6 +326,10 @@ public final class ScmConfigKeys {
 
															   public static final String HDDS_SCM_WATCHER_TIMEOUT_DEFAULT =
														
 
															       "10m";
														
 
															+  public static final String SCM_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY =
														
 
															+      "ozone.scm.web.authentication.kerberos.principal";
														
 
															+  public static final String SCM_WEB_AUTHENTICATION_KERBEROS_KEYTAB_FILE_KEY =
														
 
															+      "ozone.scm.web.authentication.kerberos.keytab";
														
 
															   /**
														
 
															    * Never constructed.
														
 
															    */
														
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java
@@ -17,6 +17,8 @@
 
															  */
														
 
															 package org.apache.hadoop.hdds.scm.protocol;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															+import org.apache.hadoop.security.KerberosInfo;
														
 
															 import org.apache.hadoop.hdds.scm.ScmInfo;
														
 
															 import org.apache.hadoop.hdds.scm.container.common.helpers.AllocatedBlock;
														
 
															 import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationFactor;
														
@@ -31,6 +33,7 @@ import java.util.List;
 
															  * ScmBlockLocationProtocol is used by an HDFS node to find the set of nodes
														
 
															  * to read/write a block.
														
 
															  */
														
 
															+@KerberosInfo(serverPrincipal = ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY)
														
 
															 public interface ScmBlockLocationProtocol {
														
 
															   /**
														
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java
@@ -17,6 +17,8 @@
 
															 package org.apache.hadoop.hdds.scm.protocol;
														
 
															+import org.apache.hadoop.hdds.HddsConfigKeys;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															 import org.apache.hadoop.hdds.scm.ScmInfo;
														
 
															 import org.apache.hadoop.hdds.scm.container.common.helpers.ContainerWithPipeline;
														
 
															 import org.apache.hadoop.hdds.scm.container.ContainerInfo;
														
@@ -27,11 +29,13 @@ import org.apache.hadoop.hdds.protocol.proto
 
															 import java.io.IOException;
														
 
															 import java.util.List;
														
 
															+import org.apache.hadoop.security.KerberosInfo;
														
 
															 /**
														
 
															  * ContainerLocationProtocol is used by an HDFS node to find the set of nodes
														
 
															  * that currently host a container.
														
 
															  */
														
 
															+@KerberosInfo(serverPrincipal = ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY)
														
 
															 public interface StorageContainerLocationProtocol {
														
 
															   /**
														
 
															    * Asks SCM where a container should be allocated. SCM responds with the
														
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/ScmBlockLocationProtocolPB.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/ScmBlockLocationProtocolPB.java
@@ -18,9 +18,13 @@
 
															 package org.apache.hadoop.hdds.scm.protocolPB;
														
 
															 import org.apache.hadoop.classification.InterfaceAudience;
														
 
															+import org.apache.hadoop.hdds.HddsConfigKeys;
														
 
															 import org.apache.hadoop.hdds.protocol.proto.ScmBlockLocationProtocolProtos
														
 
															     .ScmBlockLocationProtocolService;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															+import org.apache.hadoop.hdfs.DFSConfigKeys;
														
 
															 import org.apache.hadoop.ipc.ProtocolInfo;
														
 
															+import org.apache.hadoop.security.KerberosInfo;
														
 
															 /**
														
 
															  * Protocol used from an HDFS node to StorageContainerManager.  This extends the
														
@@ -30,6 +34,8 @@ import org.apache.hadoop.ipc.ProtocolInfo;
 
															     "org.apache.hadoop.ozone.protocol.ScmBlockLocationProtocol",
														
 
															     protocolVersion = 1)
														
 
															 @InterfaceAudience.Private
														
 
															+@KerberosInfo(
														
 
															+    serverPrincipal = ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY)
														
 
															 public interface ScmBlockLocationProtocolPB
														
 
															     extends ScmBlockLocationProtocolService.BlockingInterface {
														
 
															 }
														
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/StorageContainerLocationProtocolPB.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/StorageContainerLocationProtocolPB.java
@@ -21,7 +21,9 @@ import org.apache.hadoop.classification.InterfaceAudience;
 
															 import org.apache.hadoop.hdds.protocol.proto
														
 
															     .StorageContainerLocationProtocolProtos
														
 
															     .StorageContainerLocationProtocolService;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															 import org.apache.hadoop.ipc.ProtocolInfo;
														
 
															+import org.apache.hadoop.security.KerberosInfo;
														
 
															 /**
														
 
															  * Protocol used from an HDFS node to StorageContainerManager.  This extends the
														
@@ -30,6 +32,8 @@ import org.apache.hadoop.ipc.ProtocolInfo;
 
															 @ProtocolInfo(protocolName =
														
 
															     "org.apache.hadoop.ozone.protocol.StorageContainerLocationProtocol",
														
 
															     protocolVersion = 1)
														
 
															+@KerberosInfo(
														
 
															+    serverPrincipal = ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY)
														
 
															 @InterfaceAudience.Private
														
 
															 public interface StorageContainerLocationProtocolPB
														
 
															     extends StorageContainerLocationProtocolService.BlockingInterface {
														
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
@@ -346,6 +346,10 @@ public final class OzoneConfigKeys {
 
															   public static final double
														
 
															       HDDS_DATANODE_STORAGE_UTILIZATION_CRITICAL_THRESHOLD_DEFAULT = 0.75;
														
 
															+  public static final String OZONE_SECURITY_ENABLED_KEY =
														
 
															+      "ozone.security.enabled";
														
 
															+  public static final boolean OZONE_SECURITY_ENABLED_DEFAULT = false;
														
 
															+
														
 
															   public static final String OZONE_CONTAINER_COPY_WORKDIR =
														
 
															       "hdds.datanode.replication.work.dir";
														
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1308,7 +1308,6 @@
 
															       datanode unless the datanode confirms the completion.
														
 
															     </description>
														
 
															   </property>
														
 
															-
														
 
															   <property>
														
 
															     <name>hdds.db.profile</name>
														
 
															     <value>DISK</value>
														
@@ -1317,7 +1316,6 @@
 
															     that tunes the RocksDB settings for the hardware it is running
														
 
															     on. Right now, we have SSD and DISK as profile options.</description>
														
 
															   </property>
														
 
															-
														
 
															   <property>
														
 
															     <name>hdds.datanode.replication.work.dir</name>
														
 
															     <tag>DATANODE</tag>
														
@@ -1585,5 +1583,29 @@
 
															     <tag>OZONE, SECURITY, ACL</tag>
														
 
															     <description>Key to enable/disable ozone acls.</description>
														
 
															   </property>
														
 
															+  <property>
														
 
															+    <name>ozone.scm.kerberos.keytab.file</name>
														
 
															+    <value></value>
														
 
															+    <tag> OZONE, SECURITY</tag>
														
 
															+    <description> The keytab file used by each SCM daemon to login as its
														
 
															+      service principal. The principal name is configured with
														
 
															+      ozone.scm.kerberos.principal.
														
 
															+    </description>
														
 
															+  </property>
														
 
															+  <property>
														
 
															+    <name>ozone.scm.kerberos.principal</name>
														
 
															+    <value></value>
														
 
															+    <tag> OZONE, SECURITY</tag>
														
 
															+    <description>The SCM service principal. Ex scm/_HOST@REALM.TLD.</description>
														
 
															+  </property>
														
 
															+
														
 
															+  <property>
														
 
															+    <name>ozone.scm.web.authentication.kerberos.principal</name>
														
 
															+    <value>HTTP/_HOST@EXAMPLE.COM</value>
														
 
															+  </property>
														
 
															+  <property>
														
 
															+    <name>ozone.scm.web.authentication.kerberos.keytab</name>
														
 
															+    <value>/etc/security/keytabs/HTTP.keytab</value>
														
 
															+  </property>
														
 
															 </configuration>
														
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocol/StorageContainerDatanodeProtocol.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocol/StorageContainerDatanodeProtocol.java
@@ -36,11 +36,15 @@ import org.apache.hadoop.hdds.protocol.proto
 
															     .StorageContainerDatanodeProtocolProtos.SCMVersionResponseProto;
														
 
															 import java.io.IOException;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															+import org.apache.hadoop.security.KerberosInfo;
														
 
															 /**
														
 
															  * The protocol spoken between datanodes and SCM. For specifics please the
														
 
															  * Protoc file that defines this protocol.
														
 
															  */
														
 
															+@KerberosInfo(
														
 
															+    serverPrincipal = ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY)
														
 
															 @InterfaceAudience.Private
														
 
															 public interface StorageContainerDatanodeProtocol {
														
 
															   /**
														
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocolPB/StorageContainerDatanodeProtocolPB.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocolPB/StorageContainerDatanodeProtocolPB.java
@@ -19,7 +19,10 @@ package org.apache.hadoop.ozone.protocolPB;
 
															 import org.apache.hadoop.hdds.protocol.proto
														
 
															     .StorageContainerDatanodeProtocolProtos
														
 
															     .StorageContainerDatanodeProtocolService;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															+import org.apache.hadoop.hdfs.DFSConfigKeys;
														
 
															 import org.apache.hadoop.ipc.ProtocolInfo;
														
 
															+import org.apache.hadoop.security.KerberosInfo;
														
 
															 /**
														
 
															  * Protocol used from a datanode to StorageContainerManager.  This extends
														
@@ -29,6 +32,9 @@ import org.apache.hadoop.ipc.ProtocolInfo;
 
															 @ProtocolInfo(protocolName =
														
 
															     "org.apache.hadoop.ozone.protocol.StorageContainerDatanodeProtocol",
														
 
															     protocolVersion = 1)
														
 
															+@KerberosInfo(
														
 
															+    serverPrincipal = ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY,
														
 
															+    clientPrincipal = DFSConfigKeys.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY)
														
 
															 public interface StorageContainerDatanodeProtocolPB extends
														
 
															     StorageContainerDatanodeProtocolService.BlockingInterface {
														
 
															 }
														
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -28,11 +28,13 @@ import com.google.common.cache.RemovalListener;
 
															 import com.google.common.cache.RemovalNotification;
														
 
															 import com.google.protobuf.BlockingService;
														
 
															 import org.apache.hadoop.classification.InterfaceAudience;
														
 
															+import org.apache.hadoop.conf.Configuration;
														
 
															 import org.apache.hadoop.hdds.HddsUtils;
														
 
															 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
														
 
															 import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
														
 
															 import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeState;
														
 
															 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															+import org.apache.hadoop.hdds.scm.HddsServerUtil;
														
 
															 import org.apache.hadoop.hdds.scm.block.BlockManager;
														
 
															 import org.apache.hadoop.hdds.scm.block.BlockManagerImpl;
														
 
															 import org.apache.hadoop.hdds.scm.block.DeletedBlockLogImpl;
														
@@ -83,6 +85,9 @@ import org.apache.hadoop.ozone.common.Storage.StorageState;
 
															 import org.apache.hadoop.ozone.common.StorageInfo;
														
 
															 import org.apache.hadoop.ozone.lease.LeaseManager;
														
 
															 import org.apache.hadoop.security.UserGroupInformation;
														
 
															+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
														
 
															+import org.apache.hadoop.security.SecurityUtil;
														
 
															+import org.apache.hadoop.security.authentication.client.AuthenticationException;
														
 
															 import org.apache.hadoop.util.GenericOptionsParser;
														
 
															 import org.apache.hadoop.util.JvmPauseMonitor;
														
 
															 import org.apache.hadoop.util.StringUtils;
														
@@ -103,6 +108,10 @@ import java.util.concurrent.ConcurrentMap;
 
															 import java.util.concurrent.TimeUnit;
														
 
															 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ENABLED;
														
 
															+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT;
														
 
															+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
														
 
															+import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY;
														
 
															+import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_KERBEROS_KEYTAB_FILE_KEY;
														
 
															 import static org.apache.hadoop.util.ExitUtil.terminate;
														
 
															 /**
														
@@ -194,11 +203,17 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
 
															    *
														
 
															    * @param conf configuration
														
 
															    */
														
 
															-  private StorageContainerManager(OzoneConfiguration conf) throws IOException {
														
 
															+  private StorageContainerManager(OzoneConfiguration conf)
														
 
															+      throws IOException, AuthenticationException {
														
 
															     configuration = conf;
														
 
															     StorageContainerManager.initMetrics();
														
 
															     initContainerReportCache(conf);
														
 
															+    // Authenticate SCM if security is enabled
														
 
															+    if (conf.getBoolean(OZONE_SECURITY_ENABLED_KEY,
														
 
															+        OZONE_SECURITY_ENABLED_DEFAULT)) {
														
 
															+      loginAsSCMUser(conf);
														
 
															+    }
														
 
															     scmStorage = new SCMStorage(conf);
														
 
															     if (scmStorage.getState() != StorageState.INITIALIZED) {
														
@@ -316,6 +331,33 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
 
															   }
														
 
															+  /**
														
 
															+   * Login as the configured user for SCM.
														
 
															+   *
														
 
															+   * @param conf
														
 
															+   */
														
 
															+  private void loginAsSCMUser(Configuration conf)
														
 
															+      throws IOException, AuthenticationException {
														
 
															+    LOG.debug("Ozone security is enabled. Attempting login for SCM user. "
														
 
															+            + "Principal: {}, keytab: {}", conf.get
														
 
															+            (OZONE_SCM_KERBEROS_PRINCIPAL_KEY),
														
 
															+        conf.get(OZONE_SCM_KERBEROS_KEYTAB_FILE_KEY));
														
 
															+
														
 
															+    if (SecurityUtil.getAuthenticationMethod(conf).equals
														
 
															+        (AuthenticationMethod.KERBEROS)) {
														
 
															+      UserGroupInformation.setConfiguration(conf);
														
 
															+      InetSocketAddress socAddr = HddsServerUtil
														
 
															+          .getScmBlockClientBindAddress(conf);
														
 
															+      SecurityUtil.login(conf, OZONE_SCM_KERBEROS_KEYTAB_FILE_KEY,
														
 
															+          OZONE_SCM_KERBEROS_PRINCIPAL_KEY, socAddr.getHostName());
														
 
															+    } else {
														
 
															+      throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
														
 
															+          conf) + " authentication method not support. "
														
 
															+          + "SCM user login failed.");
														
 
															+    }
														
 
															+    LOG.info("SCM login successful.");
														
 
															+  }
														
 
															+
														
 
															   /**
														
 
															    * Builds a message for logging startup information about an RPC server.
														
 
															    *
														
@@ -410,8 +452,8 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
 
															    * @throws IOException
														
 
															    */
														
 
															   @VisibleForTesting
														
 
															-  public static StorageContainerManager createSCM(
														
 
															-      String[] args, OzoneConfiguration conf) throws IOException {
														
 
															+  public static StorageContainerManager createSCM(String[] args,
														
 
															+      OzoneConfiguration conf) throws IOException, AuthenticationException {
														
 
															     return createSCM(args, conf, false);
														
 
															   }
														
@@ -427,7 +469,8 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
 
															   private static StorageContainerManager createSCM(
														
 
															       String[] args,
														
 
															       OzoneConfiguration conf,
														
 
															-      boolean printBanner) throws IOException {
														
 
															+      boolean printBanner)
														
 
															+      throws IOException, AuthenticationException {
														
 
															     String[] argv = (args == null) ? new String[0] : args;
														
 
															     if (!HddsUtils.isHddsEnabled(conf)) {
														
 
															       System.err.println(
														
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.hdds.scm.server;
 
															 import org.apache.hadoop.conf.Configuration;
														
 
															 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															 import org.apache.hadoop.hdds.server.BaseHttpServer;
														
 
															-import org.apache.hadoop.ozone.OzoneConfigKeys;
														
 
															 import java.io.IOException;
														
@@ -63,11 +62,11 @@ public class StorageContainerManagerHttpServer extends BaseHttpServer {
 
															   }
														
 
															   @Override protected String getKeytabFile() {
														
 
															-    return ScmConfigKeys.OZONE_SCM_KEYTAB_FILE;
														
 
															+    return ScmConfigKeys.SCM_WEB_AUTHENTICATION_KERBEROS_KEYTAB_FILE_KEY;
														
 
															   }
														
 
															   @Override protected String getSpnegoPrincipal() {
														
 
															-    return OzoneConfigKeys.OZONE_SCM_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL;
														
 
															+    return ScmConfigKeys.SCM_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY;
														
 
															   }
														
 
															   @Override protected String getEnabledKey() {
														
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/block/TestBlockManager.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/block/TestBlockManager.java
@@ -37,6 +37,7 @@ import org.apache.hadoop.hdds.server.events.EventPublisher;
 
															 import org.apache.hadoop.hdds.server.events.EventQueue;
														
 
															 import org.apache.hadoop.ozone.common.Storage.StorageState;
														
 
															 import org.apache.hadoop.ozone.container.common.SCMTestUtils;
														
 
															+import org.apache.hadoop.security.authentication.client.AuthenticationException;
														
 
															 import org.apache.hadoop.test.GenericTestUtils;
														
 
															 import org.junit.After;
														
 
															 import org.junit.Assert;
														
@@ -113,7 +114,7 @@ public class TestBlockManager implements EventHandler<Boolean> {
 
															   }
														
 
															   private static StorageContainerManager getScm(OzoneConfiguration conf)
														
 
															-      throws IOException {
														
 
															+      throws IOException, AuthenticationException {
														
 
															     conf.setBoolean(OZONE_ENABLED, true);
														
 
															     SCMStorage scmStore = new SCMStorage(conf);
														
 
															     if(scmStore.getState() != StorageState.INITIALIZED) {
														
--- a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
+++ b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
@@ -19,6 +19,7 @@
 
															 package org.apache.hadoop.ozone.client.protocol;
														
 
															 import org.apache.hadoop.hdds.protocol.StorageType;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															 import org.apache.hadoop.ozone.OzoneAcl;
														
 
															 import org.apache.hadoop.ozone.client.*;
														
 
															 import org.apache.hadoop.hdds.client.OzoneQuota;
														
@@ -32,6 +33,7 @@ import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadCompleteInfo;
 
															 import java.io.IOException;
														
 
															 import java.util.List;
														
 
															 import java.util.Map;
														
 
															+import org.apache.hadoop.security.KerberosInfo;
														
 
															 /**
														
 
															  * An implementer of this interface is capable of connecting to Ozone Cluster
														
@@ -41,6 +43,7 @@ import java.util.Map;
 
															  * includes: {@link org.apache.hadoop.ozone.client.rpc.RpcClient} for RPC and
														
 
															  * {@link  org.apache.hadoop.ozone.client.rest.RestClient} for REST.
														
 
															  */
														
 
															+@KerberosInfo(serverPrincipal = ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY)
														
 
															 public interface ClientProtocol {
														
 
															   /**
														
--- a/hadoop-ozone/common/src/main/bin/start-ozone.sh
+++ b/hadoop-ozone/common/src/main/bin/start-ozone.sh
@@ -70,10 +70,18 @@ nameStartOpt="$nameStartOpt $*"
 
															 SECURITY_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getconf -confKey hadoop.security.authentication | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															 SECURITY_AUTHORIZATION_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getconf -confKey hadoop.security.authorization | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															-if [[ ${SECURITY_ENABLED} == "kerberos" || ${SECURITY_AUTHORIZATION_ENABLED} == "true" ]]; then
														
 
															-  echo "Ozone is not supported in a security enabled cluster."
														
 
															-  exit 1
														
 
															-fi
														
 
															+#if [[ ${SECURITY_ENABLED} == "kerberos" || ${SECURITY_AUTHORIZATION_ENABLED}
														
 
															+# == "true" ]]; then
														
 
															+#  echo "Ozone is not supported in a security enabled cluster."
														
 
															+#  exit 1
														
 
															+#fi
														
 
															+
														
 
															+#SECURITY_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getozoneconf -confKey hadoop.security.authentication | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															+#SECURITY_AUTHORIZATION_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getozoneconf -confKey hadoop.security.authorization | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															+#if [[ ${SECURITY_ENABLED} == "kerberos" || ${SECURITY_AUTHORIZATION_ENABLED} == "true" ]]; then
														
 
															+#  echo "Ozone is not supported in a security enabled cluster."
														
 
															+#  exit 1
														
 
															+#fi
														
 
															 #---------------------------------------------------------
														
 
															 # Check if ozone is enabled
														
--- a/hadoop-ozone/common/src/main/bin/stop-ozone.sh
+++ b/hadoop-ozone/common/src/main/bin/stop-ozone.sh
@@ -47,13 +47,12 @@ else
 
															   exit 1
														
 
															 fi
														
 
															-SECURITY_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getconf -confKey hadoop.security.authentication | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															-SECURITY_AUTHORIZATION_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getconf -confKey hadoop.security.authorization | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															-
														
 
															-if [[ ${SECURITY_ENABLED} == "kerberos" || ${SECURITY_AUTHORIZATION_ENABLED} == "true" ]]; then
														
 
															-  echo "Ozone is not supported in a security enabled cluster."
														
 
															-  exit 1
														
 
															-fi
														
 
															+#SECURITY_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getozoneconf -confKey hadoop.security.authentication | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															+#SECURITY_AUTHORIZATION_ENABLED=$("${HADOOP_HDFS_HOME}/bin/ozone" getozoneconf -confKey hadoop.security.authorization | tr '[:upper:]' '[:lower:]' 2>&-)
														
 
															+#if [[ ${SECURITY_ENABLED} == "kerberos" || ${SECURITY_AUTHORIZATION_ENABLED} == "true" ]]; then
														
 
															+#  echo "Ozone is not supported in a security enabled cluster."
														
 
															+#  exit 1
														
 
															+#fi
														
 
															 #---------------------------------------------------------
														
 
															 # Check if ozone is enabled
														
--- a/hadoop-ozone/integration-test/pom.xml
+++ b/hadoop-ozone/integration-test/pom.xml
@@ -38,6 +38,12 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
 
															       <groupId>org.apache.hadoop</groupId>
														
 
															       <artifactId>hadoop-ozone-ozone-manager</artifactId>
														
 
															     </dependency>
														
 
															+    <dependency>
														
 
															+      <groupId>org.apache.hadoop</groupId>
														
 
															+      <artifactId>hadoop-minikdc</artifactId>
														
 
															+      <scope>test</scope>
														
 
															+    </dependency>
														
 
															+
														
 
															     <dependency>
														
 
															       <groupId>org.apache.hadoop</groupId>
														
 
															       <artifactId>hadoop-ozone-objectstore-service</artifactId>
														
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/container/TestContainerStateManagerIntegration.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/container/TestContainerStateManagerIntegration.java
@@ -29,6 +29,7 @@ import org.apache.hadoop.ozone.OzoneConsts;
 
															 import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
														
 
															 import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
														
 
															 import org.apache.hadoop.hdds.scm.XceiverClientManager;
														
 
															+import org.apache.hadoop.security.authentication.client.AuthenticationException;
														
 
															 import org.junit.After;
														
 
															 import org.junit.Assert;
														
 
															 import org.junit.Before;
														
@@ -107,8 +108,8 @@ public class TestContainerStateManagerIntegration {
 
															   }
														
 
															   @Test
														
 
															-  public void testContainerStateManagerRestart()
														
 
															-      throws IOException, TimeoutException, InterruptedException {
														
 
															+  public void testContainerStateManagerRestart() throws IOException,
														
 
															+      TimeoutException, InterruptedException, AuthenticationException {
														
 
															     // Allocate 5 containers in ALLOCATED state and 5 in CREATING state
														
 
															     for (int i = 0; i < 10; i++) {
														
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneCluster.java
@@ -25,6 +25,7 @@ import org.apache.hadoop.ozone.client.OzoneClient;
 
															 import org.apache.hadoop.ozone.om.OzoneManager;
														
 
															 import org.apache.hadoop.hdds.scm.protocolPB
														
 
															     .StorageContainerLocationProtocolClientSideTranslatorPB;
														
 
															+import org.apache.hadoop.security.authentication.client.AuthenticationException;
														
 
															 import org.apache.hadoop.test.GenericTestUtils;
														
 
															 import java.io.IOException;
														
@@ -149,8 +150,7 @@ public interface MiniOzoneCluster {
 
															    * @throws TimeoutException
														
 
															    * @throws InterruptedException
														
 
															    */
														
 
															-  void restartStorageContainerManager() throws InterruptedException,
														
 
															-      TimeoutException, IOException;
														
 
															+  void restartStorageContainerManager() throws InterruptedException, TimeoutException, IOException, AuthenticationException;
														
 
															   /**
														
 
															    * Restarts OzoneManager instance.
														
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneClusterImpl.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneClusterImpl.java
@@ -48,6 +48,7 @@ import org.apache.hadoop.hdds.scm.protocolPB
 
															 import org.apache.hadoop.hdds.scm.protocolPB.StorageContainerLocationProtocolPB;
														
 
															 import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
														
 
															 import org.apache.hadoop.security.UserGroupInformation;
														
 
															+import org.apache.hadoop.security.authentication.client.AuthenticationException;
														
 
															 import org.apache.hadoop.test.GenericTestUtils;
														
 
															 import org.slf4j.Logger;
														
@@ -232,8 +233,8 @@ public final class MiniOzoneClusterImpl implements MiniOzoneCluster {
 
															   }
														
 
															   @Override
														
 
															-  public void restartStorageContainerManager()
														
 
															-      throws TimeoutException, InterruptedException, IOException {
														
 
															+  public void restartStorageContainerManager() throws TimeoutException,
														
 
															+      InterruptedException, IOException, AuthenticationException {
														
 
															     scm.stop();
														
 
															     scm.join();
														
 
															     scm = StorageContainerManager.createSCM(null, conf);
														
@@ -370,9 +371,16 @@ public final class MiniOzoneClusterImpl implements MiniOzoneCluster {
 
															     public MiniOzoneCluster build() throws IOException {
														
 
															       DefaultMetricsSystem.setMiniClusterMode(true);
														
 
															       initializeConfiguration();
														
 
															-      StorageContainerManager scm = createSCM();
														
 
															-      scm.start();
														
 
															-      OzoneManager om = createOM();
														
 
															+      StorageContainerManager scm;
														
 
															+      OzoneManager om;
														
 
															+      try {
														
 
															+        scm = createSCM();
														
 
															+        scm.start();
														
 
															+        om = createOM();
														
 
															+      } catch (AuthenticationException ex) {
														
 
															+        throw new IOException("Unable to build MiniOzoneCluster. ", ex);
														
 
															+      }
														
 
															+
														
 
															       om.start();
														
 
															       final List<HddsDatanodeService> hddsDatanodes = createHddsDatanodes(scm);
														
 
															       MiniOzoneClusterImpl cluster = new MiniOzoneClusterImpl(conf, om, scm,
														
@@ -424,7 +432,8 @@ public final class MiniOzoneClusterImpl implements MiniOzoneCluster {
 
															      *
														
 
															      * @throws IOException
														
 
															      */
														
 
															-    private StorageContainerManager createSCM() throws IOException {
														
 
															+    private StorageContainerManager createSCM()
														
 
															+        throws IOException, AuthenticationException {
														
 
															       configureSCM();
														
 
															       SCMStorage scmStore = new SCMStorage(conf);
														
 
															       initializeScmStorage(scmStore);
														
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -0,0 +1,205 @@
 
															+/**
														
 
															+ * Licensed to the Apache Software Foundation (ASF) under one
														
 
															+ * or more contributor license agreements.  See the NOTICE file
														
 
															+ * distributed with this work for additional information
														
 
															+ * regarding copyright ownership.  The ASF licenses this file
														
 
															+ * to you under the Apache License, Version 2.0 (the
														
 
															+ * "License"); you may not use this file except in compliance
														
 
															+ * with the License.  You may obtain a copy of the License at
														
 
															+ *
														
 
															+ * http://www.apache.org/licenses/LICENSE-2.0
														
 
															+ *
														
 
															+ * Unless required by applicable law or agreed to in writing, software
														
 
															+ * distributed under the License is distributed on an "AS IS" BASIS,
														
 
															+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
														
 
															+ * See the License for the specific language governing permissions and
														
 
															+ * limitations under the License.
														
 
															+ */
														
 
															+package org.apache.hadoop.ozone;
														
 
															+
														
 
															+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
														
 
															+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
														
 
															+
														
 
															+import java.io.File;
														
 
															+import java.io.IOException;
														
 
															+import java.nio.file.Path;
														
 
															+import java.nio.file.Paths;
														
 
															+import java.util.Properties;
														
 
															+import java.util.UUID;
														
 
															+import org.apache.hadoop.classification.InterfaceAudience;
														
 
															+import org.apache.hadoop.conf.Configuration;
														
 
															+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
														
 
															+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
														
 
															+import org.apache.hadoop.hdds.scm.ScmConfigKeys;
														
 
															+import org.apache.hadoop.hdds.scm.ScmInfo;
														
 
															+import org.apache.hadoop.hdds.scm.server.SCMStorage;
														
 
															+import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
														
 
															+import org.apache.hadoop.minikdc.MiniKdc;
														
 
															+import org.apache.hadoop.security.KerberosAuthException;
														
 
															+import org.apache.hadoop.security.UserGroupInformation;
														
 
															+import org.apache.hadoop.security.authentication.client.AuthenticationException;
														
 
															+import org.apache.hadoop.security.authentication.util.KerberosUtil;
														
 
															+import org.apache.hadoop.test.GenericTestUtils;
														
 
															+import org.apache.hadoop.test.LambdaTestUtils;
														
 
															+import org.junit.Assert;
														
 
															+import org.junit.Before;
														
 
															+import org.junit.Test;
														
 
															+import org.slf4j.Logger;
														
 
															+import org.slf4j.LoggerFactory;
														
 
															+
														
 
															+/**
														
 
															+ * Test class to for security enabled Ozone cluster.
														
 
															+ */
														
 
															+@InterfaceAudience.Private
														
 
															+public final class TestSecureOzoneCluster {
														
 
															+
														
 
															+  private Logger LOGGER = LoggerFactory
														
 
															+      .getLogger(TestSecureOzoneCluster.class);
														
 
															+
														
 
															+  private MiniKdc miniKdc;
														
 
															+  private OzoneConfiguration conf;
														
 
															+  private File workDir;
														
 
															+  private static Properties securityProperties;
														
 
															+  private File scmKeytab;
														
 
															+  private File spnegoKeytab;
														
 
															+  private String curUser;
														
 
															+
														
 
															+  @Before
														
 
															+  public void init() {
														
 
															+    try {
														
 
															+      conf = new OzoneConfiguration();
														
 
															+      startMiniKdc();
														
 
															+      setSecureConfig(conf);
														
 
															+      createCredentialsInKDC(conf, miniKdc);
														
 
															+    } catch (IOException e) {
														
 
															+      LOGGER.error("Failed to initialize TestSecureOzoneCluster", e);
														
 
															+    } catch (Exception e) {
														
 
															+      LOGGER.error("Failed to initialize TestSecureOzoneCluster", e);
														
 
															+    }
														
 
															+  }
														
 
															+
														
 
															+  private void createCredentialsInKDC(Configuration conf, MiniKdc miniKdc)
														
 
															+      throws Exception {
														
 
															+    createPrincipal(scmKeytab,
														
 
															+        conf.get(ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY));
														
 
															+    createPrincipal(spnegoKeytab,
														
 
															+        conf.get(ScmConfigKeys.SCM_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY));
														
 
															+  }
														
 
															+
														
 
															+  private void createPrincipal(File keytab, String... principal)
														
 
															+      throws Exception {
														
 
															+    miniKdc.createPrincipal(keytab, principal);
														
 
															+  }
														
 
															+
														
 
															+  private void startMiniKdc() throws Exception {
														
 
															+    workDir = GenericTestUtils
														
 
															+        .getTestDir(TestSecureOzoneCluster.class.getSimpleName());
														
 
															+    securityProperties = MiniKdc.createConf();
														
 
															+    miniKdc = new MiniKdc(securityProperties, workDir);
														
 
															+    miniKdc.start();
														
 
															+  }
														
 
															+
														
 
															+  private void setSecureConfig(Configuration conf) throws IOException {
														
 
															+    conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
														
 
															+    String host = KerberosUtil.getLocalHostName();
														
 
															+    String realm = miniKdc.getRealm();
														
 
															+    curUser = UserGroupInformation.getCurrentUser()
														
 
															+        .getUserName();
														
 
															+    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
														
 
															+        "kerberos");
														
 
															+    conf.set(OZONE_ADMINISTRATORS, curUser);
														
 
															+
														
 
															+    conf.set(ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY,
														
 
															+        "scm/" + host + "@" + realm);
														
 
															+    conf.set(ScmConfigKeys.SCM_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
														
 
															+        "HTTP_SCM/" + host + "@" + realm);
														
 
															+
														
 
															+    scmKeytab = new File(workDir, "scm.keytab");
														
 
															+    spnegoKeytab = new File(workDir, "http.keytab");
														
 
															+
														
 
															+    conf.set(ScmConfigKeys.OZONE_SCM_KERBEROS_KEYTAB_FILE_KEY,
														
 
															+        scmKeytab.getAbsolutePath());
														
 
															+    conf.set(ScmConfigKeys.SCM_WEB_AUTHENTICATION_KERBEROS_KEYTAB_FILE_KEY,
														
 
															+        spnegoKeytab.getAbsolutePath());
														
 
															+
														
 
															+  }
														
 
															+
														
 
															+  @Test
														
 
															+  public void testSecureScmStartupSuccess() throws Exception {
														
 
															+    final String path = GenericTestUtils
														
 
															+        .getTempPath(UUID.randomUUID().toString());
														
 
															+    Path scmPath = Paths.get(path, "scm-meta");
														
 
															+    conf.set(OzoneConfigKeys.OZONE_METADATA_DIRS, scmPath.toString());
														
 
															+    conf.setBoolean(OzoneConfigKeys.OZONE_ENABLED, true);
														
 
															+    SCMStorage scmStore = new SCMStorage(conf);
														
 
															+    String clusterId = UUID.randomUUID().toString();
														
 
															+    String scmId = UUID.randomUUID().toString();
														
 
															+    scmStore.setClusterId(clusterId);
														
 
															+    scmStore.setScmId(scmId);
														
 
															+    // writes the version file properties
														
 
															+    scmStore.initialize();
														
 
															+    StorageContainerManager scm = StorageContainerManager.createSCM(null, conf);
														
 
															+    //Reads the SCM Info from SCM instance
														
 
															+    ScmInfo scmInfo = scm.getClientProtocolServer().getScmInfo();
														
 
															+    Assert.assertEquals(clusterId, scmInfo.getClusterId());
														
 
															+    Assert.assertEquals(scmId, scmInfo.getScmId());
														
 
															+  }
														
 
															+
														
 
															+  @Test
														
 
															+  public void testSecureScmStartupFailure() throws Exception {
														
 
															+    final String path = GenericTestUtils
														
 
															+        .getTempPath(UUID.randomUUID().toString());
														
 
															+    Path scmPath = Paths.get(path, "scm-meta");
														
 
															+
														
 
															+    OzoneConfiguration conf = new OzoneConfiguration();
														
 
															+    conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
														
 
															+    conf.set(OzoneConfigKeys.OZONE_METADATA_DIRS, scmPath.toString());
														
 
															+    conf.setBoolean(OzoneConfigKeys.OZONE_ENABLED, true);
														
 
															+    conf.set(ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY,
														
 
															+        "scm@" + miniKdc.getRealm());
														
 
															+    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
														
 
															+        "kerberos");
														
 
															+
														
 
															+    SCMStorage scmStore = new SCMStorage(conf);
														
 
															+    String clusterId = UUID.randomUUID().toString();
														
 
															+    String scmId = UUID.randomUUID().toString();
														
 
															+    scmStore.setClusterId(clusterId);
														
 
															+    scmStore.setScmId(scmId);
														
 
															+    // writes the version file properties
														
 
															+    scmStore.initialize();
														
 
															+    LambdaTestUtils.intercept(IOException.class,
														
 
															+        "Running in secure mode, but config doesn't have a keytab",
														
 
															+        () -> {
														
 
															+          StorageContainerManager.createSCM(null, conf);
														
 
															+        });
														
 
															+
														
 
															+    conf.set(ScmConfigKeys.OZONE_SCM_KERBEROS_PRINCIPAL_KEY,
														
 
															+        "scm/_HOST@EXAMPLE.com");
														
 
															+    conf.set(ScmConfigKeys.OZONE_SCM_KERBEROS_KEYTAB_FILE_KEY,
														
 
															+        "/etc/security/keytabs/scm.keytab");
														
 
															+
														
 
															+    LambdaTestUtils.intercept(KerberosAuthException.class, "failure "
														
 
															+            + "to login: for principal:",
														
 
															+        () -> {
														
 
															+          StorageContainerManager.createSCM(null, conf);
														
 
															+        });
														
 
															+    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
														
 
															+        "OAuth2");
														
 
															+
														
 
															+    LambdaTestUtils.intercept(IllegalArgumentException.class, "Invalid"
														
 
															+            + " attribute value for hadoop.security.authentication of OAuth2",
														
 
															+        () -> {
														
 
															+          StorageContainerManager.createSCM(null, conf);
														
 
															+        });
														
 
															+
														
 
															+    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
														
 
															+        "KERBEROS_SSL");
														
 
															+    LambdaTestUtils.intercept(AuthenticationException.class,
														
 
															+        "KERBEROS_SSL authentication method not support.",
														
 
															+        () -> {
														
 
															+          StorageContainerManager.createSCM(null, conf);
														
 
															+        });
														
 
															+
														
 
															+  }
														
 
															+
														
 
															+}
														
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestStorageContainerManager.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestStorageContainerManager.java
@@ -59,8 +59,10 @@ import org.apache.hadoop.ozone.om.helpers.OmKeyInfo;
 
															 import org.apache.hadoop.ozone.om.helpers.OmKeyLocationInfo;
														
 
															 import org.apache.hadoop.ozone.protocol.commands.DeleteBlocksCommand;
														
 
															 import org.apache.hadoop.ozone.protocol.commands.SCMCommand;
														
 
															+import org.apache.hadoop.security.authentication.client.AuthenticationException;
														
 
															 import org.apache.hadoop.test.GenericTestUtils;
														
 
															 import org.apache.hadoop.util.ExitUtil;
														
 
															+
														
 
															 import org.junit.Assert;
														
 
															 import org.junit.Rule;
														
 
															 import org.junit.Test;
														
@@ -426,7 +428,8 @@ public class TestStorageContainerManager {
 
															   }
														
 
															   @Test
														
 
															-  public void testSCMInitializationFailure() throws IOException {
														
 
															+  public void testSCMInitializationFailure()
														
 
															+      throws IOException, AuthenticationException {
														
 
															     OzoneConfiguration conf = new OzoneConfiguration();
														
 
															     final String path =
														
 
															         GenericTestUtils.getTempPath(UUID.randomUUID().toString());
														
@@ -439,7 +442,8 @@ public class TestStorageContainerManager {
 
															   }
														
 
															   @Test
														
 
															-  public void testSCMInitializationReturnCode() throws IOException {
														
 
															+  public void testSCMInitializationReturnCode() throws IOException,
														
 
															+      AuthenticationException {
														
 
															     ExitUtil.disableSystemExit();
														
 
															     OzoneConfiguration conf = new OzoneConfiguration();
														
 
															     conf.setBoolean(OzoneConfigKeys.OZONE_ENABLED, true);