(Optional) Securing ZooKeeper with Kerberos

« Prev

	Note
	Before starting the following steps, refer to Setting Up Kerberos Security for Manual Installs.

(Optional) To secure ZooKeeper with Kerberos, perform the following steps on the host that runs KDC (Kerberos Key Distribution Center):

Start the kadmin.local utility:
/usr/sbin/kadmin.local
Create a principal for ZooKeeper:
sudo kadmin.local -q 'addprinc zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM'
Create a keytab for ZooKeeper:
sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"
Copy the keytab to all ZooKeeper nodes in the cluster.
Note
Verify that only the ZooKeeper and Storm operating system users can access the ZooKeeper keytab.

Administrators must add the following properties to the zoo.cfg configuration file located at /etc/zookeeper/conf:

authProvider.1 = org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal = true
kerberos.removeRealmFromPrincipal = true

Note

Grant the zookeeper user shell access on Ubuntu and Debian.

usermod -s /bin/bash zookeeper

	Note
	Verify that only the ZooKeeper and Storm operating system users can access the ZooKeeper keytab.

​(Optional) Securing ZooKeeper with Kerberos

(Optional) Securing ZooKeeper with Kerberos