Command Line Installation

Securing ZooKeeper with Kerberos (optional)


Before starting the following steps, refer to Setting up Security for Manual Installs.

(Optional) To secure ZooKeeper with Kerberos, perform the following steps on the host that runs the KDC (Kerberos Key Distribution Center):

  1. Start the kadmin.local utility:


  2. Create a principal for ZooKeeper:

    sudo kadmin.local -q 'addprinc zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM'

  3. Create a keytab for ZooKeeper:

    sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"

  4. Copy the keytab to all ZooKeeper nodes in the cluster.


    Verify that only the ZooKeeper and Storm operating system users can access the ZooKeeper keytab.

  5. Administrators must add the following properties to the zoo.cfg configuration file located at /etc/zookeeper/conf:

    authProvider.1 = org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    kerberos.removeHostFromPrincipal = true
    kerberos.removeRealmFromPrincipal = true

On Ubuntu and Debian, grant the zookeeper user shell access:

    usermod -s /bin/bash zookeeper
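
The check in step 4 (only the ZooKeeper and Storm operating system users can access the keytab) can be scripted and run on each ZooKeeper node. The function below is an added example, not part of the original documentation; it assumes GNU `stat`, and the keytab path, owner and group are arguments because this page does not name them.

```bash
#!/usr/bin/env bash
# Added example: audit ownership and mode of a ZooKeeper keytab on one node.
# Assumes GNU coreutils stat (Linux). Owner and group names are arguments
# because they are site-specific, e.g. owner "zookeeper" and a group whose
# only members are the zookeeper and storm users.
#
# Usage (placeholders, not values from the documentation):
#   check_keytab <KEYTAB_PATH> <EXPECTED_OWNER> <EXPECTED_GROUP>

check_keytab() {
    local path=$1 want_owner=$2 want_group=$3
    local mode owner group rc=0

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is a symlink, missing, or not a regular file" >&2
        return 2
    fi

    mode=$(stat -c %a -- "$path")
    owner=$(stat -c %U -- "$path")
    group=$(stat -c %G -- "$path")

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $path owner is $owner, expected $want_owner" >&2
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $path group is $group, expected $want_group" >&2
        rc=1
    fi

    # Allowed bits: owner read/write, group read (at most 0640).
    # Mask 07137 catches setuid/setgid/sticky, owner execute,
    # group write/execute and every bit for "other".
    if [ $(( 0$mode & 07137 )) -ne 0 ]; then
        echo "FAIL: $path mode $mode is too permissive (at most 0640)" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $path $owner:$group mode $mode"
    return "$rc"
}
```

The function returns 0 when the keytab passes, 1 on an ownership or mode violation, and 2 when the path is a symlink or not a regular file. Once the keytab has been copied to the ZooKeeper nodes, the `/tmp/zk.keytab` staging copy created in step 3 is worth removing from the KDC host.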