Securing ZooKeeper with Kerberos (optional)
(Optional) To secure ZooKeeper with Kerberos, perform the following steps on the host that runs KDC (Kerberos Key Distribution Center):
Start the kadmin.local utility:
/usr/sbin/kadmin.local
Create a principal for ZooKeeper:
sudo kadmin.local -q 'addprinc zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM'
Create a keytab for ZooKeeper:
sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"
Copy the keytab to all ZooKeeper nodes in the cluster.
Note Verify that only the ZooKeeper and Storm operating system users can access the ZooKeeper keytab.
Administrators must add the following properties to the zoo.cfg configuration file located at
/etc/zookeeper/conf
:authProvider.1 = org.apache.zookeeper.server.auth.SASLAuthenticationProvider kerberos.removeHostFromPrincipal = true kerberos.removeRealmFromPrincipal = true
Note | |
---|---|
Grant the zookeeper user shell access on Ubuntu and Debian.
|