ZooKeeper ACLs Best Practices: Ranger KMS/Hadoop KMS
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Ranger KMS/Hadoop KMS when provisioning a secure cluster.
ZooKeeper Usage:
If multiple instances of KMS are configured, both Ranger KMS and Hadoop KMS use the ZooKeeper znode /hadoop-kms to store the HTTP cookie signature secret. See the “Http Authentication Signature” section of the Hadoop KMS documentation.
/hadoop-kms
- <HTTP cookie signature secret>
Default ACLs:
/hadoop-kms
- world:anyone:cdrwa
Security Best Practice ACLs/Permissions and Required Steps:
/hadoop-kms
- sasl:rangerkms:cdrwa
Ranger KMS runs as the user rangerkms, and only KMS needs access to this znode. The znode path (hadoop.kms.authentication.signer.secret.provider.zookeeper.path) can be configured in Ambari for Ranger KMS. Set the ACL using these steps:
- SSH to the cluster where Ranger KMS is present.
- Go to /usr/hdp/<version>/zookeeper/bin.
- Run ./zkCli.sh -server <FQDN of Ranger KMS host>:2181
- After it connects, run: ls /
- Verify there is a znode named as specified in the hadoop.kms.authentication.signer.secret.provider.zookeeper.path property of the Ranger KMS configuration.
- Execute getAcl /hadoop-kms and, if the permission is world,anyone:cdrwa, restrict it to sasl:rangerkms:cdrwa using this command: setAcl /hadoop-kms sasl:rangerkms:cdrwa
- Repeat the above step for all the clusters where Ranger KMS is installed.
Example zkCli session:
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 0] getAcl /hadoop-kms
'world,'anyone
: cdrwa
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 4] setAcl /hadoop-kms sasl:rangerkms:cdrwa
cZxid = 0x20000001e
ctime = Tue Jun 07 12:22:58 UTC 2016
mZxid = 0x20000001e
mtime = Tue Jun 07 12:22:58 UTC 2016
pZxid = 0x20000001f
cversion = 1
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 5] getAcl /hadoop-kms
'sasl,'rangerkms
: cdrwa
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 6]
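The getAcl/setAcl check in the last two steps, as an added audit helper that is not part of the original documentation or of Ranger KMS itself: it parses the two-line entries that zkCli getAcl prints ('scheme,'id followed by ": perms"), tells whether the znode is still world-open, already restricted to the KMS principal, or carrying some other ACL that needs a human look, and prints the setAcl command to run in the first case. The ZK_BIN placeholder path, the ZK_SERVER host name, the --live flag and all function names are assumptions. The sasl scheme is only meaningful on an ensemble with SASL (Kerberos) client authentication enabled, and once the ACL is restricted only a session authenticated as rangerkms can read the secret back, so run the live check from a host that holds that identity.

```shell
#!/bin/sh
# Added audit helper (not from the Ranger KMS docs): flag a ZooKeeper znode
# whose ACL still carries the default world:anyone grant and show the
# setAcl command that restricts it to the KMS principal.

# Assumed defaults, overridable via the environment. The client path mirrors
# the doc's /usr/hdp/<version>/zookeeper/bin layout with a placeholder version.
ZK_BIN="${ZK_BIN:-/usr/hdp/VERSION_PLACEHOLDER/zookeeper/bin}"
ZK_SERVER="${ZK_SERVER:-rangerkms.example.com:2181}"   # assumed host name
KMS_ZNODE="${KMS_ZNODE:-/hadoop-kms}"
KMS_PRINCIPAL="${KMS_PRINCIPAL:-rangerkms}"

# Reduce raw getAcl output to one "scheme:id" per line, sorted and de-duplicated.
# zkCli prints every entry as a 'scheme,'id line followed by ": perms"; only
# lines that start with a quote are taken, so client log noise is ignored.
acl_ids() {
    printf '%s\n' "$1" | sed -n "s/^'\([^,]*\),'\([^ :]*\).*/\1:\2/p" | sort -u
}

# True (0) when any entry uses the world scheme: any network client can read
# the cookie signature secret, and with cdrwa can also overwrite it.
acl_is_world_open() {
    acl_ids "$1" | grep -q '^world:'
}

# True (0) when the only entry is sasl:<principal>, the hardened state.
acl_is_restricted_to() {
    ids=$(acl_ids "$1")
    [ "$ids" = "sasl:$2" ]
}

# Classify getAcl output for <principal> on <znode>.
# Returns 0 when hardened, 1 when world-open (prints the fix), 2 otherwise.
classify_acl() {
    if acl_is_restricted_to "$1" "$2"; then
        echo "OK: $3 restricted to sasl:$2"
        return 0
    elif acl_is_world_open "$1"; then
        echo "OPEN: run setAcl $3 sasl:$2:cdrwa"
        return 1
    else
        echo "REVIEW: unexpected ACL entries on $3: $(acl_ids "$1" | tr '\n' ' ')"
        return 2
    fi
}

# Live check against a running ensemble; zkCli.sh accepts the command on its
# argument list and exits after running it. Not exercised offline.
audit_live() {
    out=$("$ZK_BIN/zkCli.sh" -server "$ZK_SERVER" getAcl "$KMS_ZNODE" 2>&1)
    classify_acl "$out" "$KMS_PRINCIPAL" "$KMS_ZNODE"
}

# Usage: ZK_SERVER=<kms-host>:2181 sh kms_acl_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it once per cluster where Ranger KMS is installed; a non-zero exit from the live check is the signal that the setAcl step is still outstanding on that cluster.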