This was found during integration testing where the http authentication is enabled but anonymous can still access the ozone http web console like scm:9876 or om:9874. This can be reproed with the following configurations added to the ozonesecure docker-compose.
After debugging into the KerberosAuthenticationFilter, the root cause is the name of the keytab does not follow the AuthenticationFilter tradition. The fix is to change
hdds.scm.http.kerberos.keytab.file to hdds.scm.http.kerberos.keytab and
hdds.om.http.kerberos.keytab.file to hdds.om.http.kerberos.keytab
I will also add an integration test for this under ozonesecure docker-compose.