Configure ZooKeeper client shell for Kerberos authentication

In addition to configuring ZooKeeper Server hosts to use Kerberos for authentication, you must configure the ZooKeeper client shell to authenticate to the ZooKeeper service using Kerberos credentials.

As with the ZooKeeper Server, you must create a Kerberos principal for the client.

  1. Create a Kerberos principal for the zookeeper-client, zkcli@YOUR-REALM.
    Replace YOUR-REALM with the name of your organization's Kerberos realm:
    kadmin: addprinc -randkey zkcli@YOUR-REALM
  2. Create a keytab file for the ZooKeeper client shell using the -norandkey option.

    Not all versions of kadmin support the -norandkey option, in which case, simply omit this option from the command. Using the kadmin command without the -norandkey option invalidates previously exported keytabs and generates a new password.

    $ kadmin
    kadmin: xst -norandkey -k zkcli.keytab zkcli@YOUR-REALM
  3. Set up JAAS (Java Authentication and Authorization Service) in the configuration directory /etc/zookeeper/conf/, on the host running the ZooKeeper client shell.
  4. Create a jaas.conf file containing the following settings:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/path/to/zkcli.keytab"
      storeKey=true
      useTicketCache=false
      principal="zkcli@YOUR-REALM";
    };
  5. Add the following setting to the java.env file, in the same configuration directory:
    export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
    

    If necessary, create the file.