Verify the ZooKeeper authentication

After enabling Kerberos authentication and restarting the ZooKeeper cluster, you can verify that the ZooKeeper authentication is working correctly.

  1. Start the ZooKeeper client, passing to it the name of a ZooKeeper server:
    zookeeper-client -server fqdn.example.com:port
  2. From the ZooKeeper CLI, create a protected znode using your ZooKeeper client principal.
    create /znode1 znode1data sasl:zkcli:cdwra
    Cloudera Manager by default maps the Kerberos principal to its short name by setting two parameters in ZooKeeper's service configuration file zoo.cfg:
    kerberos.removeHostFromPrincipal=true
    kerberos.removeRealmFromPrincipal=true

    With these settings, the client principal zkcli/myhost@EXAMPLE.COM, for example, is authenticated in ZooKeeper as zkcli.

  3. Verify that the znode was created and that the ACL is set correctly:
    getAcl /znode1
    The getAcl command returns the znode's scheme and permission values.
  4. Verify that the znode's scheme and permissions values are as expected.
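
One way to script the check in steps 3 and 4, as an added example that is not part of the original Cloudera procedure. The function names and the sample getAcl output are constructed for illustration; the sample assumes the CLI prints each ACL entry as a `'scheme,'id` line followed by a `: permissions` line.

```shell
#!/bin/sh
# Added example: compare pasted getAcl output with the ACL set in step 2.

# Short name ZooKeeper uses when kerberos.removeHostFromPrincipal and
# kerberos.removeRealmFromPrincipal are both true.
short_name() {
  local p="${1%%@*}"        # drop @REALM
  printf '%s\n' "${p%%/*}"  # drop /host
}

# Sort permission letters so "cdwra" and "cdrwa" compare equal.
normalize_perms() {
  printf '%s\n' "$1" | fold -w1 | sort -u | tr -d '\n'
}

# check_acl <getAcl output> <scheme> <id> <perms>
# Passes only when the znode carries exactly one ACL entry and it matches.
check_acl() {
  local out="$1" entries got_scheme got_id got_perms
  entries=$(printf '%s\n' "$out" | grep -c "^'" || true)
  if [ "$entries" -ne 1 ]; then
    echo "FAIL: expected 1 ACL entry, found $entries" >&2; return 1
  fi
  got_scheme=$(printf '%s\n' "$out" | sed -n "s/^'\([^,]*\),'.*/\1/p")
  got_id=$(printf '%s\n' "$out" | sed -n "s/^'[^,]*,'\(.*\)\$/\1/p")
  got_perms=$(printf '%s\n' "$out" | sed -n 's/^: *\([cdrwa]*\) *$/\1/p')
  if [ "$got_scheme" != "$2" ] || [ "$got_id" != "$3" ]; then
    echo "FAIL: ACL is $got_scheme:$got_id, expected $2:$3" >&2; return 1
  fi
  if [ "$(normalize_perms "$got_perms")" != "$(normalize_perms "$4")" ]; then
    echo "FAIL: permissions are $got_perms, expected $4" >&2; return 1
  fi
  echo "OK: $got_scheme:$got_id:$got_perms"
}

# Constructed sample output: a protected znode and a world-readable one.
SAMPLE_SASL="'sasl,'zkcli
: cdrwa"
SAMPLE_OPEN="'world,'anyone
: cdrwa"

id=$(short_name "zkcli/myhost@EXAMPLE.COM")
check_acl "$SAMPLE_SASL" sasl "$id" cdwra
check_acl "$SAMPLE_OPEN" sasl "$id" cdwra || echo "unprotected znode rejected"
```

A result of `world:anyone` instead of `sasl:zkcli` means the znode was created without the SASL ACL, so the check fails rather than passing on matching permission letters alone.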