ZooKeeper ACLs Best Practices: HDFS/WebHDFS
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HDFS/WebHDFS when provisioning a secure cluster.
-
ZooKeeper Usage:
-
hadoop-ha-hdfs zkfc automatic NameNode failover
-
-
Default ACLs:
-
hadoop-ha-world: anyone:cdrwa
-
-
Security Best Practice ACLs/Permissions and Required Steps:
-
hadoop-ha-sasl: nn:cdrwa
-
-
Existing SmartSense rule recommends ACL of
sasl:nn:rwcdafor secured clusters. To set this:-
Set
ha.zookeeper.acltosasl:nn:rwcda:-
Using Ambari:
Add
ha.zookeeper.aclwith valuesasl:nn:rwcdain Configs>Advanced>Custom core-site. -
Manually:
Add this to core-site. xml as root user:<property> <name>ha.zookeeper.acl</name> <value>sasl:nn:rwcda</value> </property>
-
-
Add this HADOOP_ZKFC_OPTS export:
-
Using Ambari:
In Configs > Advanced > Advanced hadoop-env > hadoop-env template, add the following:export HADOOP_ZKFC_OPTS="Dzookeeper.sasl.client=true Dzookeeper.sasl.client.username=zookeeper Djava.security.auth.login.config=/etc/hadoop/conf/hdfs_jaas.conf Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS}" -
Manually:
Add this to hadoop-env.sh as root user:export HADOOP_ZKFC_OPTS="Dzookeeper.sasl.client=true Dzookeeper.sasl.client.username=zookeeper Djava.security.auth.login.config=/etc/hadoop/conf/hdfs_jaas.conf Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS}"
-
-
On two Namenodes, create /etc/hadoop/conf/hdfs_jaas.conf as root user with the following contents:
Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/nn.service.keytab" principal="nn/<HOST>@EXAMPLE.COM"; };nn/<HOST>@EXAMPLE.COMmust be changed to the actual hostname and realm, e.g.nn/c6401.ambari.apache.org@EXAMPLE.COM. To get actual principal, on two Namenodes, run the command as hdfs user:klist -k /etc/security/keytabs/nn.service.keytab. -
Stop the two ZKFCs.
-
On one of Namenodes, run the command as hdfs user:
hdfs zkfc -formatZK -force. -
Start the two ZKFCs.
-