In addition to configuring ZooKeeper Server hosts to use Kerberos for authentication,
you must configure the ZooKeeper client shell to authenticate to the ZooKeeper service using
Kerberos credentials.
As with the ZooKeeper Server, you must create a Kerberos principal for the
client.
-
Create a Kerberos principal for the
zookeeper-client,
zkcli@YOUR-REALM.
Replace
YOUR-REALM with the name of your organization's
Kerberos
realm:
kadmin: addprinc -randkey zkcli@YOUR-REALM
-
Create a keytab file for the ZooKeeper client shell using the
-norandkey option.
Not all versions of kadmin support the
-norandkey option, in which case, simply omit this
option from the command. Using the kadmin command without
the -norandkey option invalidates previously exported
keytabs and generates a new password.
$ kadmin
kadmin: xst -norandkey -k zkcli.keytab zkcli@YOUR-REALM
-
Set up JAAS (Java Authentication and Authorization
Service) in the configuration directory
/etc/zookeeper/conf/, on the host running the ZooKeeper
client shell.
-
Create a
jaas.conf file containing the following
settings:
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/to/zkcli.keytab"
storeKey=true
useTicketCache=false
principal="zkcli@YOUR-REALM";
};
-
Add the following setting to the
java.env file, in the same
configuration directory:
export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
If necessary, create the file.
