Non-Ambari Cluster Installation Guide
Also available as:
PDF
loading table of contents...

Securing ZooKeeper with Kerberos (optional)

[Note]Note

Before starting the following steps, refer to Setting up Security for Manual Installs.

(Optional) To secure ZooKeeper with Kerberos, perform the following steps on the host that runs KDC (Kerberos Key Distribution Center):

  1. Start the kadmin.local utility:

    /usr/sbin/kadmin.local

  2. Create a principal for ZooKeeper:

    sudo kadmin.local -q 'addprinc zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM'

  3. Create a keytab for ZooKeeper:

    sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"

  4. Copy the keytab to all ZooKeeper nodes in the cluster.

    [Note]Note

    Verify that only the ZooKeeper and Storm operating system users can access the ZooKeeper keytab.

  5. Administrators must add the following properties to the zoo.cfg configuration file located at /etc/zookeeper/conf:

    authProvider.1 = org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    kerberos.removeHostFromPrincipal = true
    kerberos.removeRealmFromPrincipal = true
[Note]Note

Grant the zookeeper user shell access on Ubuntu and Debian.

usermod -s /bin/bash zookeeper