Overview
This page shows how to enable Kerberos (SASL/GSSAPI) authentication for ZooKeeper: for client connections (via the SASL authentication provider) and for quorum peer communication (via the quorum.auth.* settings). It covers three pieces: zoo.cfg, the JAAS login configuration, and the JVM flag that points ZooKeeper at that JAAS file.
Changing the Configuration (zoo.cfg, JAAS login configuration, JVM flags)
# ---- Ensemble timing ----
# tickTime is the base unit (milliseconds); the two limits below are in ticks.
tickTime=2000
# ticks a follower may take to complete its initial sync with the leader
initLimit=10
# ticks allowed between sending a request and receiving its acknowledgement
syncLimit=5

# ---- Storage ----
# Snapshot and transaction-log directory. Use persistent storage; never /tmp.
dataDir=/var/zookeeper

# ---- Client-facing port ----
clientPort=2181

# ---- Ensemble members: server.<id>=<host>:<peerPort>:<leaderElectionPort> ----
server.1=hadoop1.mysite.com:2888:3888
server.2=hadoop2.mysite.com:2888:3888
server.3=hadoop3.mysite.com:2888:3888

# ---- Quorum peer mutual authentication (SASL/Kerberos) ----
quorum.auth.enableSasl=true
# NOTE(review): the two *RequireSasl flags reject peers that do not
# authenticate. On an ensemble that is already running, enable SASL first and
# switch the Require flags on in later rolling restarts; turning all three on
# at once can leave peers unable to form a quorum mid-roll.
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
# _HOST is substituted with the server hostname at runtime.
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
quorum.cnxn.threads.size=20

# ---- Client authentication (SASL) ----
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# Strip the host and realm from authenticated principals so ACLs can use the
# short name (e.g. sasl:zookeeper). Caveat: with the realm removed, identical
# short names from different realms (cross-realm trust) map to the same ACL
# identity — keep realm removal only if a single realm is trusted.
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
# NOTE(review): registering the SASL provider does not by itself reject
# unauthenticated client sessions; protect znodes with sasl: ACLs (the default
# ACL is world:anyone) and, on ZooKeeper versions that support it, require
# SASL-authenticated sessions.

# Snapshot auto-purge is left disabled here; enable for long-running nodes.
#autopurge.purgeInterval=1
// JAAS login context for the client-facing SASL (GSSAPI/Kerberos) server
// side. "Server" is the context name ZooKeeper looks up by default.
Server {
com.sun.security.auth.module.Krb5LoginModule required
// Authenticate from a keytab; no interactive password or ticket cache.
useKeyTab=true
// NOTE(review): this keytab is named for HDFS — confirm it holds only the
// zookeeper principal or use a dedicated keytab (a shared keytab means a
// compromised ZooKeeper process also exposes HDFS service keys). The file is
// a long-lived credential: readable only by the ZooKeeper service account.
keyTab="/etc/hdfs.keytab"
// Keep the key in the Subject so the server side can accept client tickets.
storeKey=true
useTicketCache=false
// Host-specific: every ensemble member needs its own principal and its own
// copy of this file (hadoop2/hadoop3 must not reuse hadoop1's).
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
// JAAS login context used for the server side of quorum peer authentication
// (the node accepting connections from other peers, i.e. the leader).
QuorumServer {
com.sun.security.auth.module.Krb5LoginModule required
// Authenticate from a keytab; no interactive password or ticket cache.
useKeyTab=true
// NOTE(review): same keytab concerns as the "Server" context — confirm the
// HDFS-named keytab only carries the zookeeper principal and is readable
// only by the ZooKeeper service account.
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
// Must match quorum.auth.kerberos.servicePrincipal (zookeeper/_HOST) resolved
// for this host; generate per node.
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
// JAAS login context used for the learner side of quorum peer authentication
// (this node connecting to the leader as a follower/observer).
QuorumLearner {
com.sun.security.auth.module.Krb5LoginModule required
// Authenticate from a keytab; no interactive password or ticket cache.
useKeyTab=true
// NOTE(review): same keytab concerns as the "Server" context — confirm the
// HDFS-named keytab only carries the zookeeper principal and is readable
// only by the ZooKeeper service account.
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
// Host-specific principal; each ensemble member gets its own entry.
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
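# Point the ZooKeeper JVM at the JAAS login configuration.
# Warn (do not abort) when JAAS_CONF_PATH is unset or not a readable file, so
# a wrong path is noticed at startup instead of surfacing later as a SASL
# login failure.
if [ ! -r "${JAAS_CONF_PATH:-}" ]; then
  printf 'warning: JAAS_CONF_PATH (%s) is not a readable file\n' \
    "${JAAS_CONF_PATH:-<unset>}" >&2
fi
# Append to any JVMFLAGS already set (heap size, GC options) instead of
# overwriting them; with no prior JVMFLAGS the result is the bare -D flag.
export JVMFLAGS="${JVMFLAGS:+${JVMFLAGS} }-Djava.security.auth.login.config=${JAAS_CONF_PATH}"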
Restarting ZooKeeper
After changing the configuration as described above, restart ZooKeeper; it will then authenticate clients and quorum peers with Kerberos. Note what this does not do: enabling the SASL provider does not by itself reject unauthenticated client sessions, and znodes keep whatever ACLs they already have (the default is world:anyone), so set sasl: ACLs on sensitive znodes and, where your ZooKeeper version supports it, require SASL-authenticated sessions. On an ensemble that is already running, roll out quorum.auth.enableSasl first and the two *RequireSasl flags in later rolling restarts rather than all at once, and make sure each node's JAAS file carries its own host-specific principal and a keytab readable only by the ZooKeeper service account.