ZooKeeper ACLs Best Practices: HDFS

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HDFS when provisioning a secure cluster.

  • ZooKeeper Usage:
    • hadoop-ha - hdfs zkfc automatic NameNode failover

  • Default ACLs:

    • hadoop-ha - world: anyone:cdrwa

  • Security Best Practice ACLs/Permissions and Required Steps:

    • hadoop-ha - sasl: nn:cdrwa

  • For secured clusters, the recommended ACL is sasl:nn:rwcda. To set this, perform the following steps:
    1. Set ha.zookeeper.acl to sasl:nn:rwcda as an advanced configuration snippet using Cloudera Manager.

      Configure the value from HDFS > Configuration > Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml.

    2. Set HADOOP_ZKFC_OPTS as an advanced configuration snippet using Cloudera Manager.

      Add the following value from HDFS > Configuration > HDFS Replication Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh:
      Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS}
    3. On both the NameNodes, create /etc/hadoop/conf/hdfs_jaas.conf as the root user with the following contents:
      Client {         	
              com.sun.security.auth.module.Krb5LoginModule required
      nn/<HOST>@EXAMPLE.COM must be changed to the actual hostname and realm; for example, nn/c6401.cloudera.com@EXAMPLE.COM. To get the actual principal, on both the NameNodes, run the following command as an hdfs user: klist -k /etc/security/keytabs/nn.service.keytab.
    4. Stop the two ZKFCs.

    5. On one of NameNodes, run the command as an hdfs user: hdfs zkfc -formatZK -force.

    6. Start the two ZKFCs.

    One of two NameNodes might be stopped in the process, or the standby NameNode might transition to active. Start the stopped NameNode, if any.