ZooKeeper Authentication
This section describes how to configure ZooKeeper in CDH 5 to enable Kerberos security:
Configuring ZooKeeper Server for Kerberos Authentication
You can configure the ZooKeeper server for Kerberos authentication in Cloudera Manager or through the command line.
Using Cloudera Manager to Configure ZooKeeper Server for Kerberos Authentication
To set up the ZooKeeper server for Kerberos authentication in Cloudera Manager, complete the following steps:
- In Cloudera Manager, open the ZooKeeper service.
- Click the Configuration tab.
- Enter Kerberos in the in the Search bar.
- Find the Enable Kerberos Authentication property and select the check-box next to the ZooKeeper services that you want to configure for Kerberos authentication.
Using the Command Line to Configure ZooKeeper Server for Kerberos Authentication
Follow the steps below for each ZooKeeper server in the ensemble. To maintain consistency across ZooKeeper servers in the ensemble, use the same name for the keytab file you deploy to each server, for example, zookeeper.keytab. Each keytab file will contain its respective host's fully-qualified domain name (FQDN).
- Create a service principal for the ZooKeeper server using the fully-qualified domain name (FQDN) of the host on which ZooKeeper server is running and the name of your Kerberos realm
using the pattern zookeeper/fqdn.example.com@ YOUR-REALM. This principal will be used to
authenticate the ZooKeeper server with the Hadoop cluster. Create this service principal as follows:
kadmin: addprinc -randkey zookeeper/fqdn.example.com@YOUR-REALM
- Create a keytab file for the ZooKeeper server:
$ kadmin kadmin: xst -k zookeeper.keytab zookeeper/fqdn.example.com@YOUR-REALM
- Copy the zookeeper.keytab file to the ZooKeeper configuration directory on the ZooKeeper server host, using the appropriate ZooKeeper configuration directory: /etc/zookeeper/conf/. The zookeeper.keytab file should be owned by the zookeeper user, with owner-only read permissions.
- Add the following lines to the ZooKeeper configuration file zoo.cfg:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider jaasLoginRenew=3600000
- Set up the Java Authentication and
Authorization Service (JAAS) by creating a jaas.conf file in the ZooKeeper configuration directory with the settings shown below, replacing fqdn.example.com with the ZooKeeper server's hostname.
Server { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/zookeeper/conf/zookeeper.keytab" storeKey=true useTicketCache=false principal="zookeeper/fqdn.example.com @YOUR-REALM"; };
- Add the following setting to the java.env file located in the ZooKeeper configuration directory, creating the file if necessary:
export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
- Repeat these steps for each ZooKeeper server in the ensemble.
- Restart the ZooKeeper server to have the configuration changes take effect. See ZooKeeper Installation for details.
Configuring the ZooKeeper Client Shell to Support Kerberos Security
- If you want to use the ZooKeeper client shell zookeeper-client with Kerberos authentication, create a principal using the syntax: zkcli@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper client shell to the ZooKeeper service. where: YOUR-REALM is the name
of your Kerberos realm.
kadmin: addprinc -randkey zkcli@YOUR-REALM.COM
- Create a keytab file for the ZooKeeper client shell.
$ kadmin kadmin: xst -norandkey -k zkcli.keytab zkcli@YOUR-REALM.COM
- Set up JAAS in the configuration directory on the host where the ZooKeeper client shell is running. For a package installation, the configuration directory is /etc/zookeeper/conf/. For a tar ball installation, the configuration directory is <EXPANDED_DIR>/conf. Create a jaas.conf file containing the following settings:
Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/path/to/zkcli.keytab" storeKey=true useTicketCache=false principal="zkcli@<YOUR-REALM>"; };
- Add the following setting to the java.env file located in the configuration directory. (Create the file if it does not already exist.)
export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
Verifying the Configuration
- Make sure that you have restarted the ZooKeeper cluster with Kerberos enabled, as described above.
- Start the client (where the hostname is the name of a ZooKeeper server):
zookeeper-client -server hostname:port
- Create a protected znode from within the ZooKeeper CLI. Make sure that you substitute YOUR-REALM as appropriate.
create /znode1 znode1data sasl:zkcli@{{YOUR-REALM}}:cdwra
- Verify the znode is created and the ACL is set correctly:
getAcl /znode1
The results from getAcl should show that the proper scheme and permissions were applied to the znode.