ZooKeeper Configuration
Note: The steps in this section only need to be performed once for the HDP cluster. If they have already been completed, for example to secure HBase, there is no need to repeat them when the YARN cluster uses the same ZooKeeper server.
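Create a keytab for ZooKeeper called `zookeeper.service.keytab` and save it to `/etc/security/keytabs`.

```
# ktadd writes the keytab to /tmp/zk.keytab; the step above expects it at /etc/security/keytabs/zookeeper.service.keytab
sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"
```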
Add the following to the `zoo.cfg` file:

```
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
```
Create the `zookeeper_client_jaas.conf` file.

```
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true;
};
```
Create the `zookeeper_jaas.conf` file.

```
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="$PATH_TO_ZOOKEEPER_KEYTAB"
  principal="zookeeper/$HOST";
};
```

Replace `$PATH_TO_ZOOKEEPER_KEYTAB` with the keytab path (such as "/etc/security/keytabs/zookeeper.service.keytab") and `zookeeper/$HOST` with the service principal (such as "zookeeper/xuan-sec-yarn-ha-2.novalocal@SCL42.HORTONWORKS.COM").
Add the following information to `zookeeper-env.sh`:

```
export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"
export SERVER_JVMFLAGS="-Xmx1024m -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_jaas.conf"
```
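
To confirm the settings above are actually in place before restarting ZooKeeper, a check like the following can be run against the two server-side files. This is an added example, not part of the original HDP documentation; the function names `has_setting` and `check_zk_sasl` are hypothetical, and it assumes the server JAAS file contains only the `Server` section shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): check that zoo.cfg and the
# server JAAS file carry the Kerberos/SASL settings listed above.

# has_setting FILE KEY VALUE: succeed if an uncommented KEY=VALUE is present,
# either as a whole line ("key = value") or as one token of a JAAS entry.
has_setting() {
    awk -v want="$2=$3" '
        /^[ \t]*(#|\/\/)/ { next }                 # skip comment lines
        { whole = $0; gsub(/[ \t;]/, "", whole)
          if (whole == want) found = 1
          for (i = 1; i <= NF; i++) {
              tok = $i; sub(/;$/, "", tok)
              if (tok == want) found = 1 } }
        END { exit !found }' "$1"
}

# check_zk_sasl ZOO_CFG SERVER_JAAS: print each missing setting and
# return non-zero if any is absent.
check_zk_sasl() {
    zoo_cfg=$1 jaas=$2 rc=0
    while read -r key value; do
        has_setting "$zoo_cfg" "$key" "$value" ||
            { echo "zoo.cfg: missing $key=$value"; rc=1; }
    done <<EOF
authProvider.1 org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew 3600000
kerberos.removeHostFromPrincipal true
kerberos.removeRealmFromPrincipal true
EOF
    while read -r key value; do
        has_setting "$jaas" "$key" "$value" ||
            { echo "jaas: missing $key=$value"; rc=1; }
    done <<EOF
useKeyTab true
storeKey true
useTicketCache false
EOF
    # The server must log in as a zookeeper/<host> service principal.
    grep -Eq 'principal="zookeeper/[^"]+"' "$jaas" ||
        { echo "jaas: principal is not zookeeper/<host>"; rc=1; }
    return $rc
}
```

Call it as `check_zk_sasl /path/to/zoo.cfg /path/to/zookeeper_jaas.conf`; a non-zero exit status means at least one setting from this page is missing or has a different value.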