Known Issues in Apache ZooKeeper

This topic describes known issues and workarounds for using Zeppelin in this release of Cloudera Runtime.

Zookeeper-client does not use ZooKeeper TLS/SSL automatically

The command-line tool zookeeper-client is installed on all Cloudera nodes and can be used to start the default Java command-line ZooKeeper client. However, even when ZooKeeper TLS/SSL is enabled, the zookeeper-client command connects to localhost:2181 without using TLS/SSL.

Workaround:
Manually configure the 2182 port when zookeeper-client connects to a ZooKeeper cluster. The following is an example of connecting to a specific three-node ZooKeeper cluster using TLS/SSL:
CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.ssl.keyStore.location=<path to your configured keystore> -Dzookeeper.ssl.keyStore.password=<the password you configured for the keystore> -Dzookeeper.ssl.trustStore.location=<path to your configured truststore> -Dzookeeper.ssl.trustStore.password=<the password you configured for the truststore> -Dzookeeper.client.secure=true" zookeeper-client -server <your.zookeeper.server-1>:2182,<your.zookeeper.server-2>:2182,<your.zookeeper.server-3>:2182

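The workaround above can be wrapped in a small shell helper so that the secure port and the TLS flags are always applied together. This is an added example, not part of the Cloudera documentation or tooling: the function names and the ZK_* environment variables are assumptions, and only the -D flags, port 2182 and the zookeeper-client command come from the text above.

```shell
#!/usr/bin/env bash
# Added example: helper names and ZK_* variables are hypothetical.
SECURE_PORT=2182   # TLS client port used in the workaround above

# zk_connect_string host1 host2 ... -> host1:2182,host2:2182,...
# Accepts bare hostnames only, so a plaintext port such as 2181 cannot slip in.
zk_connect_string() {
  local out h
  out=""
  [ "$#" -gt 0 ] || { echo "no hosts given" >&2; return 1; }
  for h in "$@"; do
    case "$h" in
      *:*) echo "give bare hostnames, not host:port ($h)" >&2; return 1 ;;
    esac
    out="${out:+$out,}${h}:${SECURE_PORT}"
  done
  printf '%s\n' "$out"
}

# zk_tls_flags keystore kspass truststore tspass -> value for CLIENT_JVMFLAGS
# Fails early if either store file is unreadable instead of letting the
# client fail later during the TLS handshake.
zk_tls_flags() {
  local ks kspw ts tspw f
  ks=$1; kspw=$2; ts=$3; tspw=$4
  for f in "$ks" "$ts"; do
    [ -r "$f" ] || { echo "cannot read store: $f" >&2; return 1; }
  done
  printf '%s ' \
    "-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty" \
    "-Dzookeeper.ssl.keyStore.location=$ks" \
    "-Dzookeeper.ssl.keyStore.password=$kspw" \
    "-Dzookeeper.ssl.trustStore.location=$ts" \
    "-Dzookeeper.ssl.trustStore.password=$tspw"
  printf '%s\n' "-Dzookeeper.client.secure=true"
}

# zk_secure_client host1 host2 host3
# Store paths and passwords are read from the environment (assumed names).
zk_secure_client() {
  local flags servers
  flags=$(zk_tls_flags "$ZK_KEYSTORE" "$ZK_KEYSTORE_PASSWORD" \
                       "$ZK_TRUSTSTORE" "$ZK_TRUSTSTORE_PASSWORD") || return 1
  servers=$(zk_connect_string "$@") || return 1
  CLIENT_JVMFLAGS="$flags" zookeeper-client -server "$servers"
}
```

After sourcing the file and exporting the four ZK_* variables, run zk_secure_client with the bare hostnames of the ZooKeeper servers.
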
ZooKeeper cluster can be slow to start if QuorumSSL is enabled without QuorumSASL

QuorumSSL (Secure ZooKeeper) is enabled by default if AutoTLS is enabled. If QuorumSSL is enabled without QuorumSASL (Server to server SASL authentication), then the ZooKeeper cluster can be slow to start due to some known ZooKeeper limitations.

Workaround:
Ensure that QuorumSSL is enabled only if QuorumSASL is also enabled:
  1. In Cloudera Manager, select the ZooKeeper service.
  2. Click the Configuration tab.
  3. Search for SSL.
  4. Find and use the Enable TLS/SSL for ZooKeeper property to enable QuorumSSL.
  5. Search for SASL.
  6. Find and use the Enable Server to Server SASL Authentication property to enable QuorumSASL.
  7. Click Save Changes.