This topic describes known issues and workarounds for using Zeppelin in this release of
Cloudera Runtime.
- Zookeeper-client does not use ZooKeeper TLS/SSL automatically
The command-line tool ‘zookeeper-client’ is installed on all Cloudera nodes and can
be used to start the default Java command-line ZooKeeper client. However, even when
ZooKeeper TLS/SSL is enabled, the zookeeper-client command connects to localhost:2181
without using TLS/SSL.
- Workaround:
Manually configure the 2182 port when zookeeper-client connects to a ZooKeeper
cluster. The following is an example of connecting to a specific three-node ZooKeeper
cluster using TLS/SSL:
CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.ssl.keyStore.location=<path to your configured keystore> -Dzookeeper.ssl.keyStore.password=<the password you configured for the keystore> -Dzookeeper.ssl.trustStore.location=<path to your configured truststore> -Dzookeeper.ssl.trustStore.password=<the password you configured for the truststore> -Dzookeeper.client.secure=true" zookeeper-client -server <your.zookeeper.server-1>:2182,<your.zookeeper.server-2>:2182,<your.zookeeper.server-3>:2182
- ZooKeeper cluster can be slow to start if QuorumSSL is enabled without QuorumSASL
QuorumSSL (Secure ZooKeeper) is enabled by default if AutoTLS is enabled. If QuorumSSL
is enabled without QuorumSASL (Server to server SASL authentication), then the ZooKeeper
cluster can be slow to start due to some known ZooKeeper limitations.
- Workaround:
Ensure that QuorumSSL is enabled only if QuorumSASL is also enabled:
- In Cloudera Manager, select the ZooKeeper service.
- Click the Configuration tab.
- Search for SSL.
- Find and use the Enable TLS/SSL for ZooKeeper property to enable QuorumSSL.
- Search for SASL.
- Find and use the Enable Server to Server SASL Authentication property to enable QuorumSASL.
- Click Save Changes.
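
To confirm on a node that the saved settings match, the following check (an added example, not part of the Cloudera documentation) reads a ZooKeeper configuration file and reports QuorumSSL enabled without QuorumSASL. It assumes the two Cloudera Manager properties are rendered as the upstream ZooKeeper keys `sslQuorum` and `quorum.auth.enableSasl`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a zoo.cfg for quorum TLS enabled without quorum SASL.
# Assumption: Cloudera Manager writes the upstream ZooKeeper keys
# sslQuorum and quorum.auth.enableSasl into the generated zoo.cfg.

# cfg_value FILE KEY: print the last value assigned to KEY, skipping comment
# lines and trimming spaces/tabs around key and value.
cfg_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") == 0 { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v            # later assignments override earlier ones
            }
        }
        END { print val }
    ' "$1"
}

# check_quorum FILE: return 0 if consistent, 1 if QuorumSSL is on without
# QuorumSASL (the slow-start condition), 2 if the file cannot be read.
check_quorum() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # ZooKeeper parses these as booleans, so compare case-insensitively.
    ssl=$(cfg_value "$1" sslQuorum | tr '[:upper:]' '[:lower:]')
    sasl=$(cfg_value "$1" quorum.auth.enableSasl | tr '[:upper:]' '[:lower:]')
    if [ "$ssl" = "true" ] && [ "$sasl" != "true" ]; then
        echo "WARN: sslQuorum=true but quorum.auth.enableSasl=${sasl:-unset}"
        return 1
    fi
    echo "OK: sslQuorum=${ssl:-unset} quorum.auth.enableSasl=${sasl:-unset}"
    return 0
}

# Constructed sample: quorum TLS on, quorum SASL never set.
sample=$(mktemp)
printf '%s\n' 'clientPort=2181' 'secureClientPort=2182' 'sslQuorum=true' > "$sample"
check_quorum "$sample" || echo "exit status: $?"
rm -f "$sample"
```

Point `check_quorum` at the zoo.cfg of the running ZooKeeper server role on each node; its location depends on the deployment.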