[repost] ZooKeeper Security Configuration

original: https://ccp.cloudera.com/display/CDH4DOC/ZooKeeper+Security+Configuration

This section describes how to configure ZooKeeper in CDH4 to enable Kerberos security.

Important
Prior to enabling ZooKeeper to work with Kerberos security on your cluster, make sure you first review the requirements in Configuring Hadoop Security in CDH4.

Configuring the ZooKeeper Server to Support Kerberos Security

Note
It is strongly recommended that you ensure a properly functioning ZooKeeper ensemble prior to enabling security. See ZooKeeper Installation.
  1. Create a service principal for the ZooKeeper server using the syntax: zookeeper/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper server with the Hadoop cluster.

    where:
    fully.qualified.domain.name is the host where the ZooKeeper server is running
    YOUR-REALM is the name of your Kerberos realm

    kadmin: addprinc -randkey zookeeper/fully.qualified.domain.name@YOUR-REALM.COM
  2. Create a keytab file for the ZooKeeper server.
    $ kadmin
    kadmin: xst -k zookeeper.keytab zookeeper/fully.qualified.domain.name
  3. Copy the zookeeper.keytab file to the ZooKeeper configuration directory on the ZooKeeper server host. For a package installation, the ZooKeeper configuration directory is /etc/zookeeper/conf/. For a tar ball installation, the ZooKeeper configuration directory is <EXPANDED_DIR>/conf. The owner of the zookeeper.keytab file should be the zookeeper user and the file should have owner-only read permissions.
  4. Add the following lines to the ZooKeeper configuration file zoo.cfg:
    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    jaasLoginRenew=3600000
  5. Set up the Java Authentication and Authorization Service (JAAS) by creating a jaas.conf file in the ZooKeeper configuration directory containing the following settings. Make sure that you substitute fully.qualified.domain.name as appropriate.
    Server {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/etc/zookeeper/conf/zookeeper.keytab"
      storeKey=true
      useTicketCache=false
      principal="zookeeper/fully.qualified.domain.name@<YOUR-REALM>";
    };
  6. Add the following setting to the java.env file located in the ZooKeeper configuration directory. (Create the file if it does not already exist.)
    export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
  7. If you have multiple ZooKeeper servers in the ensemble, repeat steps 1 through 6 above for each ZooKeeper server. When you create each new ZooKeeper server keytab file in step 2, you can overwrite the previous keytab file and use the same name (zookeeper.keytab) to maintain consistency across the ZooKeeper servers in the ensemble. The difference in the keytab files will be the hostname where each server is running.
  8. Restart the ZooKeeper server to have the configuration changes take effect. For instructions, see ZooKeeper Installation.

Configuring the ZooKeeper Client Shell to Support Kerberos Security

  1. If you want to use the ZooKeeper client shell zookeeper-client with Kerberos authentication, create a principal using the syntax: zkcli@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper client shell to the ZooKeeper service.

    where:
    YOUR-REALM is the name of your Kerberos realm

    kadmin: addprinc -randkey zkcli@YOUR-REALM.COM
  2. Set up JAAS in the configuration directory on the host where the ZooKeeper client shell is running. For a package installation, the configuration directory is /etc/zookeeper/conf/. For a tar ball installation, the configuration directory is <EXPANDED_DIR>/conf. Create a jaas.conf file containing the following settings:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      principal="zkcli"
      useTicketCache=true
      debug=true;
    };
  3. Add the following setting to the java.env file located in the configuration directory. (Create the file if it does not already exist.)
    export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
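The server steps 3 through 6 and the client steps 2 and 3 above are all local file edits, so they are easy to script consistently across an ensemble. The following shell functions are an added example and are not part of the Cloudera page: they write the Server and Client JAAS sections, add the SASL lines to zoo.cfg idempotently, write java.env, and check that the keytab has the owner-only permissions step 3 requires. The kadmin steps (principal and keytab creation) are left to the operator. The function names and the EXPECTED_OWNER parameter are this example's own choices; the file contents are exactly those shown in the steps.

```shell
#!/bin/sh
# Added example (not from the Cloudera page): local-file side of the ZooKeeper
# Kerberos setup. Principal/keytab creation with kadmin is not done here.
set -eu

# Server step 5: write the Server JAAS section for HOST in REALM into CONF_DIR.
zk_write_server_jaas() {
  conf_dir=$1; host=$2; realm=$3
  cat > "$conf_dir/jaas.conf" <<EOF
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$conf_dir/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/$host@$realm";
};
EOF
}

# Client step 2: write the Client JAAS section that authenticates from the
# ticket cache populated by kinit (no keytab on the client host).
zk_write_client_jaas() {
  conf_dir=$1; principal=$2
  cat > "$conf_dir/jaas.conf" <<EOF
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  principal="$principal"
  useTicketCache=true
  debug=true;
};
EOF
}

# Server step 4: add the SASL provider lines to zoo.cfg only if they are
# missing, so the function can be re-run on every server (step 7) safely.
zk_enable_sasl_in_zoo_cfg() {
  cfg=$1/zoo.cfg
  touch "$cfg"
  grep -q '^authProvider.1=' "$cfg" || \
    echo 'authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider' >> "$cfg"
  grep -q '^jaasLoginRenew=' "$cfg" || echo 'jaasLoginRenew=3600000' >> "$cfg"
}

# Server step 6 / client step 3: point the JVM at the JAAS file.
zk_write_java_env() {
  printf 'export JVMFLAGS="-Djava.security.auth.login.config=%s/jaas.conf"\n' "$1" > "$1/java.env"
}

# Server step 3 check: KEYTAB must exist, be owned by EXPECTED_OWNER and be
# readable by its owner only. Parses ls -l so it works on GNU and BSD userlands.
# Returns 0 when compliant, 1 otherwise (reason on stderr).
zk_check_keytab() {
  keytab=$1; expected_owner=$2
  [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
  set -- $(ls -ld "$keytab")
  mode=$1; owner=$3
  case "$mode" in
    -r--------|-rw-------) ;;
    *) echo "keytab $keytab is group/world accessible ($mode)" >&2; return 1 ;;
  esac
  [ "$owner" = "$expected_owner" ] || {
    echo "keytab $keytab owned by $owner, expected $expected_owner" >&2; return 1; }
  return 0
}

# Convenience wrapper for one server host: steps 3 (check), 4, 5 and 6.
zk_configure_server() {
  conf_dir=$1; host=$2; realm=$3; owner=${4:-zookeeper}
  zk_check_keytab "$conf_dir/zookeeper.keytab" "$owner"
  zk_enable_sasl_in_zoo_cfg "$conf_dir"
  zk_write_server_jaas "$conf_dir" "$host" "$realm"
  zk_write_java_env "$conf_dir"
}

# Usage on a server host (the keytab from step 2 must already be in place):
#   zk_configure_server /etc/zookeeper/conf zk1.example.com EXAMPLE.COM
# Usage on a client host:
#   zk_write_client_jaas /etc/zookeeper/conf zkcli && zk_write_java_env /etc/zookeeper/conf
```

Run the server wrapper on each ensemble member with that member's own hostname; the only thing that differs per host is the principal written into jaas.conf, which mirrors step 7. The keytab check fails closed, so a keytab copied with the wrong owner or left group-readable stops the configuration before the server is restarted with it.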

Verifying the Configuration

  1. Make sure that you have restarted the ZooKeeper cluster with Kerberos enabled, as described above.
  2. On the command line, obtain a Kerberos ticket:
    kinit zkcli
    kinit -R
  3. Start the client (where the hostname is the name of a ZooKeeper server):
    zookeeper-client -server hostname:port
  4. Create a protected znode from within the ZooKeeper CLI. Make sure that you substitute YOUR-REALM as appropriate.
    create /znode1 znode1data sasl:zkcli@YOUR-REALM:cdwra
  5. Verify the znode is created and the ACL is set correctly:
    getAcl /znode1

The results from getAcl should show that the proper scheme and permissions were applied to the znode.
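Reading getAcl output by eye is fine for one znode; for a scripted check of step 5 the following shell functions are an added example, not part of the Cloudera page. They assume the ZooKeeper CLI prints each ACL entry as a `'scheme,'id` line followed by a `: perms` line, and they compare permissions letter by letter so it does not matter in which order the CLI lists them. The sample outputs embedded below are constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example (not from the Cloudera page): validate getAcl output for a
# znode that should be protected by a sasl ACL. Assumed output layout:
#   'scheme,'id
#   : perms
set -eu

# True when every permission letter of NEEDED appears in HAVE (order-insensitive).
zk_has_perms() {
  have=$1; needed=$2
  while [ -n "$needed" ]; do
    p=${needed%"${needed#?}"}   # first character of $needed
    needed=${needed#?}
    case "$have" in *"$p"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Reads getAcl output on stdin. Returns 0 only if some entry is a sasl ACL for
# EXPECTED_ID carrying all of EXPECTED_PERMS. Returns 2 immediately if
# world:anyone has anything beyond read, and 1 if the expected ACL is absent.
zk_check_getacl() {
  expected_id=$1; expected_perms=$2
  ok=1; scheme=''; id=''
  while IFS= read -r line; do
    case "$line" in
      "'"*,"'"*)                       # entry header: 'scheme,'id
        rest=${line#\'}
        scheme=${rest%%,*}
        id=${rest#*,\'} ;;
      ": "*)                           # permission line for the last header
        perms=${line#: }
        if [ "$scheme" = sasl ] && [ "$id" = "$expected_id" ] \
           && zk_has_perms "$perms" "$expected_perms"; then
          ok=0
        fi
        if [ "$scheme" = world ] && [ "$id" = anyone ]; then
          case "$perms" in
            *[cdwa]*) echo "world:anyone has '$perms' on this znode" >&2; return 2 ;;
          esac
        fi ;;
    esac
  done
  return $ok
}

# Constructed sample outputs (not captured from a real cluster).
zk_sample_protected() { printf "'sasl,'zkcli@EXAMPLE.COM\n: cdrwa\n"; }
zk_sample_open()      { printf "'world,'anyone\n: cdrwa\n"; }
zk_sample_readonly()  { printf "'sasl,'zkcli@EXAMPLE.COM\n: r\n"; }

# Usage against a live CLI (hostname, port and realm are placeholders):
#   echo 'getAcl /znode1' | zookeeper-client -server hostname:port \
#     | zk_check_getacl zkcli@YOUR-REALM cdwra && echo "ACL ok"
```

The world:anyone test is the important one: a znode created without an ACL argument gets the open ACL, which looks superficially similar in getAcl output, and the check rejects it with a distinct exit status so a script can tell "wrong scheme" from "expected principal missing".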