- Authors
- Name
Overview
ZooKeeperにKerberosセキュリティを適用する方法を解説します。
Configurationの変更
# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=5
# the directory where the snapshot is stored.
# do not use /tmp for storage, /tmp here is just
# example sakes.
dataDir=/var/zookeeper
# the port at which the clients will connect
clientPort=2181
server.1=hadoop1.mysite.com:2888:3888
server.2=hadoop2.mysite.com:2888:3888
server.3=hadoop3.mysite.com:2888:3888
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
#autopurge.purgeInterval=1
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
QuorumServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
QuorumLearner {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
export JVMFLAGS="-Djava.security.auth.login.config=${JAAS_CONF_PATH}"
ZooKeeperの再起動
上記のように設定を変更した後、ZooKeeperを再起動するとセキュアに動作するようになります。