
November 24, 2012

original: https://ccp.cloudera.com/display/CDH4DOC/ZooKeeper+Security+Configuration

This section describes how to configure ZooKeeper in CDH4 to enable Kerberos security.

Important: Prior to enabling ZooKeeper to work with Kerberos security on your cluster, make sure you first review the requirements in Configuring Hadoop Security in CDH4.

## Configuring the ZooKeeper Server to Support Kerberos Security

Note: It is strongly recommended that you ensure a properly functioning ZooKeeper ensemble prior to enabling security. See ZooKeeper Installation.

1. Create a service principal for the ZooKeeper server using the syntax zookeeper/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper server with the Hadoop cluster.

   where:
   - fully.qualified.domain.name is the host where the ZooKeeper server is running
   - YOUR-REALM is the name of your Kerberos realm

   ```
   kadmin: addprinc -randkey zookeeper/fully.qualified.domain.name@YOUR-REALM.COM
   ```

2. Create a keytab file for the ZooKeeper server.

   ```
   $ kadmin
   kadmin: xst -k zookeeper.keytab zookeeper/fully.qualified.domain.name
   ```

3. Copy the zookeeper.keytab file to the ZooKeeper configuration directory on the ZooKeeper server host. For a package installation, the ZooKeeper configuration directory is /etc/zookeeper/conf/. For a tarball installation, the ZooKeeper configuration directory is <EXPANDED_DIR>/conf. The owner of the zookeeper.keytab file should be the zookeeper user and the file should have owner-only read permissions.

4. Add the following lines to the ZooKeeper configuration file zoo.cfg:

   ```
   authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   jaasLoginRenew=3600000
   ```

5. Set up the Java Authentication and Authorization Service (JAAS) by creating a jaas.conf file in the ZooKeeper configuration directory containing the following settings. Make sure that you substitute fully.qualified.domain.name as appropriate.

   ```
   Server {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     keyTab="/etc/zookeeper/conf/zookeeper.keytab"
     storeKey=true
     useTicketCache=false
     principal="zookeeper/fully.qualified.domain.name@<YOUR-REALM>";
   };
   ```

6. Add the following setting to the java.env file located in the ZooKeeper configuration directory. (Create the file if it does not already exist.)

   ```
   export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
   ```

7. If you have multiple ZooKeeper servers in the ensemble, repeat steps 1 through 6 above for each ZooKeeper server. When you create each new ZooKeeper server keytab file in step 2, you can overwrite the previous keytab file and use the same name (zookeeper.keytab) to maintain consistency across the ZooKeeper servers in the ensemble. The difference in the keytab files will be the hostname where each server is running.

8. Restart the ZooKeeper server to have the configuration changes take effect. For instructions, see ZooKeeper Installation.

## Configuring the ZooKeeper Client Shell to Support Kerberos Security

1. If you want to use the ZooKeeper client shell zookeeper-client with Kerberos authentication, create a principal using the syntax zkcli@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper client shell to the ZooKeeper service.

   where:
   - YOUR-REALM is the name of your Kerberos realm

   ```
   kadmin: addprinc -randkey zkcli@YOUR-REALM.COM
   ```

2. Set up JAAS in the configuration directory on the host where the ZooKeeper client shell is running. For a package installation, the configuration directory is /etc/zookeeper/conf/. For a tarball installation, the configuration directory is <EXPANDED_DIR>/conf. Create a jaas.conf file containing the following settings:

   ```
   Client {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=false
     principal="zkcli"
     useTicketCache=true
     debug=true;
   };
   ```

3. Add the following setting to the java.env file located in the configuration directory. (Create the file if it does not already exist.)

   ```
   export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
   ```

## Verifying the Configuration

1. Make sure that you have restarted the ZooKeeper cluster with Kerberos enabled, as described above.

2. On the command line, obtain a Kerberos ticket:

   ```
   kinit zkcli
   kinit -R
   ```

3. Start the client (where the hostname is the name of a ZooKeeper server):

   ```
   zookeeper-client -server hostname:port
   ```

4. Create a protected znode from within the ZooKeeper CLI. Make sure that you substitute YOUR-REALM as appropriate.

   ```
   create /znode1 znode1data sasl:zkcli@{{YOUR-REALM}}:cdwra
   ```

5. Verify the znode is created and the ACL is set correctly:

   ```
   getAcl /znode1
   ```

The results from getAcl should show that the proper scheme and permissions were applied to the znode.
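As an added check, not part of the Cloudera page: a small Python helper that parses ACL entries in the scheme:id:perms form used by the create command above, decodes the permission letters into ZooKeeper's permission bits, and reports entries on a "protected" znode that do not belong to the expected SASL principal (for example a leftover world:anyone grant). The getAcl output layout it parses (an 'scheme,'id line followed by a ": perms" line) is an assumption based on the 3.4-era CLI, and the sample output is constructed.

```python
import re

# Permission bits from ZooKeeper's ZooDefs.Perms (READ=1, WRITE=2,
# CREATE=4, DELETE=8, ADMIN=16), keyed by the CLI's permission letters.
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}

# Assumed getAcl layout of the 3.4-era CLI: an id line such as
# 'sasl,'zkcli@EXAMPLE.COM followed by a line like ": cdrwa".
GETACL_RE = re.compile(r"^'([^,]+),'(.*)\n: ([cdrwa]*)$", re.MULTILINE)


def parse_acl(spec):
    """Split 'scheme:id:perms' the way the CLI does: scheme before the first
    colon, perms after the last, id in between (ids may contain colons, e.g.
    digest:user:hash). Returns (scheme, id, permission mask)."""
    scheme, sep1, rest = spec.partition(":")
    ident, sep2, perms = rest.rpartition(":")
    if not (sep1 and sep2 and scheme and ident):
        raise ValueError("malformed ACL entry: %r" % spec)
    mask = 0
    for ch in perms:
        if ch not in PERM_BITS:
            raise ValueError("unknown permission %r in %r" % (ch, spec))
        mask |= PERM_BITS[ch]
    return scheme, ident, mask


def perms_to_str(mask):
    """Render a mask in the letter order the CLI prints (cdrwa)."""
    return "".join(ch for ch in "cdrwa" if mask & PERM_BITS[ch])


def parse_getacl_output(text):
    """Turn getAcl output back into 'scheme:id:perms' entries."""
    return ["%s:%s:%s" % m.groups() for m in GETACL_RE.finditer(text)]


def audit_protected_znode(entries, expected_principal):
    """Report any entry that lets someone other than expected_principal
    (authenticated over SASL) touch the znode."""
    findings = []
    for spec in entries:
        scheme, ident, mask = parse_acl(spec)
        if scheme == "world":
            findings.append("unauthenticated %s access: %s" % (perms_to_str(mask), spec))
        elif scheme != "sasl":
            findings.append("non-Kerberos scheme %r: %s" % (scheme, spec))
        elif ident != expected_principal:
            findings.append("unexpected principal %r: %s" % (ident, spec))
    return findings


# Constructed sample: the intended SASL entry plus a stray world:anyone read grant.
SAMPLE_GETACL = "'sasl,'zkcli@EXAMPLE.COM\n: cdrwa\n'world,'anyone\n: r\n"
```

Run audit_protected_znode(parse_getacl_output(SAMPLE_GETACL), "zkcli@EXAMPLE.COM") to see the world:anyone entry flagged; an empty list means only the expected principal holds rights.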