This is the documentation for Cloudera 5.2.x.
Documentation for other versions is available at Cloudera Documentation.

ZooKeeper Authentication

  Important:

Prior to enabling ZooKeeper to work with Kerberos security on your cluster, make sure you first review the requirements in Configuring Hadoop Security in CDH 5.

Configuring the ZooKeeper Server to Support Kerberos Security

  Note:

It is strongly recommended that you ensure a properly functioning ZooKeeper ensemble prior to enabling security. See ZooKeeper Installation.

  1. Create a service principal for the ZooKeeper server using the syntax: zookeeper/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper server with the Hadoop cluster. where: fully.qualified.domain.name is the host where the ZooKeeper server is running YOUR-REALM is the name of your Kerberos realm.
    kadmin: addprinc -randkey zookeeper/fully.qualified.domain.name@YOUR-REALM.COM
  2. Create a keytab file for the ZooKeeper server.
    $ kadmin
    kadmin: xst -k zookeeper.keytab zookeeper/fully.qualified.domain.name
  3. Copy the zookeeper.keytab file to the ZooKeeper configuration directory on the ZooKeeper server host. For a package installation, the ZooKeeper configuration directory is /etc/zookeeper/conf/. For a tar ball installation, the ZooKeeper configuration directory is <EXPANDED_DIR>/conf. The owner of the zookeeper.keytab file should be the zookeeper user and the file should have owner-only read permissions.
  4. Add the following lines to the ZooKeeper configuration file zoo.cfg:
    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    jaasLoginRenew=3600000
  5. Set up the Java Authentication and Authorization Service (JAAS) by creating a jaas.conf file in the ZooKeeper configuration directory containing the following settings. Make sure that you substitute fully.qualified.domain.name as appropriate.
    Server {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/etc/zookeeper/conf/zookeeper.keytab"
      storeKey=true
      useTicketCache=false
      principal="zookeeper/fully.qualified.domain.name@<YOUR-REALM>";
    };
  6. Add the following setting to the java.env file located in the ZooKeeper configuration directory. (Create the file if it does not already exist.)
    export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
  7. If you have multiple ZooKeeper servers in the ensemble, repeat steps 1 through 6 above for each ZooKeeper server. When you create each new Zookeeper Server keytab file in step 2, you can overwrite the previous keytab file and use the same name (zookeeper.keytab) to maintain consistency across the ZooKeeper servers in the ensemble. The difference in the keytab files will be the hostname where each server is running.
  8. Restart the ZooKeeper server to have the configuration changes take effect. For instructions, see ZooKeeper Installation.

Configuring the ZooKeeper Client Shell to Support Kerberos Security

  1. If you want to use the ZooKeeper client shell zookeeper-client with Kerberos authentication, create a principal using the syntax: zkcli@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper client shell to the ZooKeeper service. where: YOUR-REALM is the name of your Kerberos realm.
    kadmin: addprinc -randkey zkcli@YOUR-REALM.COM
  2. Create a keytab file for the ZooKeeper client shell.
    $ kadmin
    kadmin: xst -norandkey -k zkcli.keytab zkcli@YOUR-REALM.COM
      Note:

    Some versions of kadmin do not support the -norandkey option in the command above. If your version does not, you can omit it from the command. Note that doing so will result in a new password being generated every time you export a keytab, which will invalidate previously-exported keytabs.

  3. Set up JAAS in the configuration directory on the host where the ZooKeeper client shell is running. For a package installation, the configuration directory is /etc/zookeeper/conf/. For a tar ball installation, the configuration directory is <EXPANDED_DIR>/conf. Create a jaas.conf file containing the following settings:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/path/to/zkcli.keytab"
      storeKey=true
      useTicketCache=false
      principal="zkcli@<YOUR-REALM>";
    };
  4. Add the following setting to the java.env file located in the configuration directory. (Create the file if it does not already exist.)
    export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"

Verifying the Configuration

  1. Make sure that you have restarted the ZooKeeper cluster with Kerberos enabled, as described above.
  2. Start the client (where the hostname is the name of a ZooKeeper server):
    zookeeper-client -server hostname:port
  3. Create a protected znode from within the ZooKeeper CLI. Make sure that you substitute YOUR-REALM as appropriate.
    create /znode1 znode1data sasl:zkcli@{{YOUR-REALM}}:cdwra
  4. Verify the znode is created and the ACL is set correctly:
    getAcl /znode1

    The results from getAcl should show that the proper scheme and permissions were applied to the znode.