ZooKeeper ACLs Best Practices
Permissions for Secure Clusters
Introduction
As more and more components begin to rely on ZooKeeper within a Hadoop cluster, there are various permissions that need to be maintained to ensure the integrity and security of the znodes. These permissions are different from component to component.
Some components only use ZooKeeper when they are running in their component-specific HA mode. Others have separate secure and unsecure ACLs defined and switch between them based on the component's own knowledge of whether the cluster is secured or not.
In general, the default ACLs are fairly open and assume an unsecure cluster. These permissions need to be hardened for secure clusters in order to avoid inappropriate access to, or modification of, this critical platform state.
This paper collects the required steps for tightening the ZooKeeper ACLs/permissions when provisioning a secure cluster, to be used as a best-practices guideline for operations and security management.
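Before tightening anything, it helps to inventory which znodes are still open. The following audit helper is an added example for this guide, not code from the original document or from any HDP component: it parses the two-line entries that the zkCli.sh `getAcl` command prints (`'scheme,'id` followed by `: perms`, as shown by the client shipped with ZooKeeper 3.4/3.5) and reports every znode where `world:anyone` holds any write-class permission (create, delete, write, admin). The znode paths and ACL entries in the sample are constructed for illustration.

```python
"""Audit helper: parse `zkCli.sh getAcl <path>` output and flag znodes
whose ACLs grant more than read access to world:anyone.

Added example for this guide (not part of the original document or of
any HDP component). SAMPLE_REPORT is constructed; its znode paths and
principals are illustrative only.
"""

import re
from dataclasses import dataclass

# zkCli prints each ACL entry as two lines:
#   'scheme,'id        e.g. 'world,'anyone   or   'sasl,'hbase
#   : perms            e.g. : cdrwa
ENTRY_RE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")
PERMS_RE = re.compile(r"^:\s*(?P<perms>[cdrwa]*)$")

# Permission letters that allow changing state: create, delete, write, admin.
# 'r' (read) is deliberately not in this set.
WRITE_PERMS = set("cdwa")


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: str  # subset of "cdrwa"


def parse_get_acl(text):
    """Return the Acl entries found in one getAcl output block."""
    acls = []
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        if m and i + 1 < len(lines):
            p = PERMS_RE.match(lines[i + 1])
            if p:
                acls.append(Acl(m.group("scheme"), m.group("id"), p.group("perms")))
                i += 2
                continue
        i += 1  # skip prompt echoes or other noise
    return acls


def open_permissions(acls):
    """Write-class permissions granted to world:anyone, in cdrwa order ('' if none)."""
    granted = set()
    for acl in acls:
        if acl.scheme == "world" and acl.id == "anyone":
            granted |= set(acl.perms) & WRITE_PERMS
    return "".join(p for p in "cdrwa" if p in granted)


def audit(report):
    """Given {znode_path: getAcl_output}, return [(path, open_perms)] for open znodes."""
    findings = []
    for path, text in report.items():
        open_perms = open_permissions(parse_get_acl(text))
        if open_perms:
            findings.append((path, open_perms))
    return findings


# Constructed sample: what a sweep of getAcl calls might have captured.
SAMPLE_REPORT = {
    "/example-open":     "'world,'anyone\n: cdrwa\n",
    "/example-hardened": "'sasl,'service\n: cdrwa\n'world,'anyone\n: r\n",
    "/example-strict":   "'sasl,'service\n: cdrwa\n",
}

if __name__ == "__main__":
    for path, perms in audit(SAMPLE_REPORT):
        print(f"OPEN  {path}: world:anyone has {perms}")
    # prints: OPEN  /example-open: world:anyone has cdwa
```

In practice the dictionary would be built by running `getAcl` over the znode tree and capturing each block. Read-only access for `world:anyone` is not flagged, since several components keep their znodes world-readable while restricting writes to a SASL principal; whether that is acceptable depends on what the znode holds.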
Unaffected Components
The following components require no action:
Ambari
ZooKeeper Usage: Ambari does not use ZooKeeper; however it does install, configure, and manage it so that services running on the cluster can use it.
Default ACLs: None. Ambari does not create or use any znodes.
Security Best Practice ACLs/Permissions and Required Steps: None. Ambari does not create or use any znodes.
Calcite
DataFu
Falcon
Flume
HDP Flume currently does not depend upon ZooKeeper for any of its core operations. However, ZooKeeper is used by the HBase and Kafka connectors, as the respective client libraries need it.
There are no pre-created (i.e. at install time) znodes that it depends upon.
Hue
Knox
Mahout
MapReduce
Phoenix
ZooKeeper Usage: Phoenix does not use ZooKeeper on its own. All usages are covered in the HBase section.
Security Best Practice ACLs/Permissions and Required Steps: None. HBase correctly protects all ZNodes in ZooKeeper automatically.
Pig
Spark
Sqoop
Stargate/HBase RestServer
No ZooKeeper usage outside of normal HBase client usage.
Tez
Zeppelin