Building a Secured (Kerberized) ZooKeeper Cluster
Overview
This post walks through enabling Kerberos (SASL/GSSAPI) authentication on a three-node ZooKeeper ensemble: mutual authentication between the quorum peers, and SASL authentication for clients through the SASL authentication provider.
Changing Configuration
Edit zoo.cfg on every server. The lines up to server.3 are the usual ensemble settings; everything from quorum.auth.enableSasl onward is the Kerberos-related addition.
# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=5
# the directory where the snapshot is stored.
# do not use /tmp for storage, /tmp here is just
# example sakes.
dataDir=/var/zookeeper
# the port at which the clients will connect
clientPort=2181
server.1=hadoop1.mysite.com:2888:3888
server.2=hadoop2.mysite.com:2888:3888
server.3=hadoop3.mysite.com:2888:3888
# --- quorum (server-to-server) authentication ---
# SASL/Kerberos between ensemble members
quorum.auth.enableSasl=true
# thread pool used by the quorum connection manager once SASL is on
quorum.cnxn.threads.size=20
# --- client authentication ---
# lets clients authenticate with SASL (Kerberos) and enables the "sasl" ACL scheme
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# strip host and realm from authenticated client principals, so an ACL can be
# written as sasl:zookeeper instead of sasl:zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
# learners (followers/observers) refuse to proceed unless their SASL
# authentication to the leader succeeds
quorum.auth.learnerRequireSasl=true
# the leader rejects learners that do not authenticate
quorum.auth.serverRequireSasl=true
# Kerberos principal of each peer; _HOST is replaced with the server's own hostname
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
#autopurge.purgeInterval=1
The JAAS file below supplies the three login contexts ZooKeeper looks up by name: Server is used for client connections by the SASL authentication provider, QuorumServer for the leader side of a quorum connection, and QuorumLearner for the follower/observer side. The file shown is hadoop1's; hadoop2 and hadoop3 need the same file with their own principal (zookeeper/hadoop2.mysite.com@CHAOS.ORDER.COM, and so on). Whatever the keytab is called (the post reuses /etc/hdfs.keytab), it must hold the key for that zookeeper principal, which klist -kt will show. Because a keytab is a long-term credential, it should be owned by the user ZooKeeper runs as and readable by nobody else.
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
QuorumServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
QuorumLearner {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
Each server also needs the JVM pointed at its JAAS file. zkServer.sh honours JVMFLAGS, so put the following in conf/java.env (or wherever the environment for zkServer.sh is set), with ${JAAS_CONF_PATH} being the path of the JAAS file above:
export JVMFLAGS="-Djava.security.auth.login.config=${JAAS_CONF_PATH}"
Restarting ZooKeeper
After changing the configuration as described above, restart all three servers and the ensemble comes up with Kerberos authentication between the peers. Because quorum.auth.learnerRequireSasl and quorum.auth.serverRequireSasl are both true, a peer that fails Kerberos authentication is refused from the quorum, so this is a stop-everything restart rather than a rolling one; for a rolling change, first enable quorum.auth.enableSasl with the two require flags set to false, then turn on learnerRequireSasl, then serverRequireSasl. Two things the restart does not do: it does not make clients authenticate (a client needs its own JAAS Client context and the same -Djava.security.auth.login.config flag, and a client that never attempts SASL still connects anonymously unless the server is configured to require client SASL, which newer releases support via sessionRequireClientSASLAuth), and it does not restrict access to znodes. Kerberos only establishes identity; znodes created with the default world:anyone ACL stay open, so set ACLs such as sasl:zookeeper:cdrwa (the short identity is what kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal give you) on the paths that matter.
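As a pre-restart check, here is an added example script (not part of the original post, and not ZooKeeper tooling) that verifies a node is configured the way the post describes before you bounce it: every quorum SASL setting present and uncommented in zoo.cfg, all three JAAS contexts logging in from a keytab with this node's own principal, and the keytab readable only by its owner. The script, its function names and the write_sample_node helper that builds throwaway sample files are my own; the settings, hostnames and realm it checks for are the ones from the post.

```shell
#!/bin/sh
# zk-secure-check.sh: pre-restart check for one node of a Kerberized ZooKeeper
# ensemble (added example, not ZooKeeper's own tooling). Assumes the layout from
# the post: zoo.cfg, a JAAS file with Server/QuorumServer/QuorumLearner contexts,
# and a keytab holding zookeeper/<fqdn>@REALM.
# Usage: sh zk-secure-check.sh /etc/zookeeper/zoo.cfg /etc/zookeeper/jaas.conf "$(hostname -f)"

# Settings the post adds to zoo.cfg; each must be present verbatim and uncommented.
ZK_REQUIRED_SETTINGS="quorum.auth.enableSasl=true
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST"

# check_zoo_cfg FILE: fail if any required key=value line is missing or commented out.
check_zoo_cfg() {
    zk_cfg_rc=0
    for setting in $ZK_REQUIRED_SETTINGS; do
        # -x matches whole lines, so "#quorum.auth.serverRequireSasl=true" does not count
        if ! grep -qxF -- "$setting" "$1"; then
            echo "FAIL: $1 lacks $setting"; zk_cfg_rc=1
        fi
    done
    return $zk_cfg_rc
}

# check_jaas FILE HOST: each login context must log in from a keytab (no ticket
# cache), name this node's own principal, and point at a keytab only its owner can
# read. A JAAS file copied from hadoop1 to hadoop2 unchanged is the mistake this catches.
check_jaas() {
    zk_jaas_rc=0
    for ctx in Server QuorumServer QuorumLearner; do
        body=$(sed -n "/^${ctx} {/,/^};/p" "$1")
        if [ -z "$body" ]; then
            echo "FAIL: no $ctx context in $1"; zk_jaas_rc=1
            continue
        fi
        for opt in useKeyTab=true storeKey=true useTicketCache=false; do
            printf '%s\n' "$body" | grep -qF -- "$opt" \
                || { echo "FAIL: $ctx lacks $opt"; zk_jaas_rc=1; }
        done
        printf '%s\n' "$body" | grep -qF -- "principal=\"zookeeper/$2@" \
            || { echo "FAIL: $ctx principal is not zookeeper/$2@<REALM>"; zk_jaas_rc=1; }
        keytab=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*keyTab="\([^"]*\)".*/\1/p')
        if [ ! -r "$keytab" ]; then
            echo "FAIL: $ctx keytab '$keytab' is missing or unreadable"; zk_jaas_rc=1
        else
            # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
            mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
            case "$mode" in
                400|600) ;;
                *) echo "FAIL: keytab $keytab has mode $mode, expected 600"; zk_jaas_rc=1 ;;
            esac
        fi
    done
    return $zk_jaas_rc
}

# check_node CFG JAAS HOST: run both checks, reporting every failure; 0 only if all pass.
check_node() {
    zk_node_rc=0
    check_zoo_cfg "$1" || zk_node_rc=1
    check_jaas "$2" "$3" || zk_node_rc=1
    return $zk_node_rc
}

# write_sample_node DIR HOST: constructed sample files (not from a real cluster)
# mirroring the post's config, so the checks can be exercised offline.
write_sample_node() {
    cat > "$1/zoo.cfg" <<EOF
quorum.auth.enableSasl=true
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
EOF
    : > "$1/zk.keytab"      # empty stand-in for the real keytab
    chmod 600 "$1/zk.keytab"
    for ctx in Server QuorumServer QuorumLearner; do
        cat <<EOF
$ctx {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="$1/zk.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/$2@CHAOS.ORDER.COM";
};
EOF
    done > "$1/jaas.conf"
}

if [ $# -eq 3 ]; then
    check_node "$1" "$2" "$3" && echo "OK: $3 is ready for a secure restart"
    exit $?
fi
```

Run it on each node before restarting; the hadoop2 failure case exercised below is exactly what happens when hadoop1's JAAS file is copied across unchanged. The script never talks to the KDC, so a principal that is named in the file but absent from the keytab still has to be confirmed with klist -kt.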