Thursday, June 12, 2014

Zookeeper Secure Configuration

This article explains how to manually configure Kerberos for Zookeeper.
Before implementing this step, please complete the steps in Installing the MIT Kerberos 5 KDC and Configuring Kerberos for HDFS and YARN.
This article refers to Pivotal HD Enterprise 2.0.1 <Stack and Tools Reference>, but the steps should be similar among Apache Hadoop enterprise editions.

Server-side Zookeeper secure configuration is recommended when running HBase.
Important: STOP cluster services before doing this configuration.

1. Identify current zookeeper services

[root@admin]# massh ~/hostfile_all verbose "/etc/init.d/zookeeper-server status"
hdw2 : bash: /etc/init.d/zookeeper-server: No such file or directory
hdm : zookeeper-server (pid  331833) is running...
hdw1 : zookeeper-server (pid  525146) is running...
hdw3 : zookeeper-server (pid  518309) is running...

2. Stop cluster

icm_client stop -l <Cluster Name>

3. Create the Zookeeper Principals

Create a principal for each Zookeeper Quorum Server host:
kadmin: addprinc -randkey zookeeper/host_fqdn@REALM
eg:
kadmin: addprinc -randkey zookeeper/hdm.xxx.com@OPENKBINFO.COM
kadmin: addprinc -randkey zookeeper/hdw1.xxx.com@OPENKBINFO.COM
kadmin: addprinc -randkey zookeeper/hdw3.xxx.com@OPENKBINFO.COM

4. Create the Zookeeper Keytab Files

For each Zookeeper server host:
ktadd -norandkey -k /etc/security/phd/keytab/zookeeper-hostid.service.keytab zookeeper/host_fqdn@REALM
eg:
ktadd -norandkey -k /etc/security/phd/keytab/zookeeper-hdm.service.keytab zookeeper/hdm.xxx.com@OPENKBINFO.COM
ktadd -norandkey -k /etc/security/phd/keytab/zookeeper-hdw1.service.keytab zookeeper/hdw1.xxx.com@OPENKBINFO.COM
ktadd -norandkey -k /etc/security/phd/keytab/zookeeper-hdw3.service.keytab zookeeper/hdw3.xxx.com@OPENKBINFO.COM

5. Distribute the Zookeeper Keytab Files

For each Zookeeper server host:
Move the appropriate keytab file for each host to that host's /etc/security/phd/keytab directory, then run the following:
chgrp hadoop zookeeper-hostid.service.keytab
chown zookeeper zookeeper-hostid.service.keytab
chmod 400 zookeeper-hostid.service.keytab
ln -s zookeeper-hostid.service.keytab zookeeper.service.keytab
eg:
cd /etc/security/phd/keytab
scp zookeeper-hdw1*.keytab hdw1:/etc/security/phd/keytab/
scp zookeeper-hdw3*.keytab hdw3:/etc/security/phd/keytab/
scp zookeeper-hdm*.keytab hdm:/etc/security/phd/keytab/
massh ~/hostfile_all verbose "chgrp hadoop /etc/security/phd/keytab/zookeeper*.keytab"
massh ~/hostfile_all verbose "chown zookeeper /etc/security/phd/keytab/zookeeper*.keytab"
massh ~/hostfile_all verbose "chmod 400 /etc/security/phd/keytab/zookeeper*.keytab"
massh ~/hostfile_all verbose "cd /etc/security/phd/keytab/; if ls zookeeper*.service.keytab &> /dev/null; then ln -s zookeeper*.service.keytab zookeeper.service.keytab ; fi"
massh ~/hostfile_all verbose "ls -altr /etc/security/phd/keytab/zookeeper*.keytab"

6. Edit the Zookeeper Configuration

6.1 Add the following lines to /etc/gphd/zookeeper/conf/zoo.cfg

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
Copy to other zookeeper servers:
scp /etc/gphd/zookeeper/conf/zoo.cfg hdw1:/etc/gphd/zookeeper/conf/zoo.cfg
scp /etc/gphd/zookeeper/conf/zoo.cfg hdw3:/etc/gphd/zookeeper/conf/zoo.cfg

6.2 Create a file in /etc/gphd/zookeeper/conf/jaas.conf and add to it

Server {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 keyTab="/etc/security/phd/keytab/zookeeper.service.keytab"
 storeKey=true
 useTicketCache=false
 principal="zookeeper/host_fqdn@REALM";
};
Make sure that you substitute host_fqdn as appropriate.

6.3 Add the following line to /etc/gphd/zookeeper/conf/java.env (create the file if it does not exist)

export JVMFLAGS="-Djava.security.auth.login.config=/etc/gphd/zookeeper/conf/jaas.conf"
If JVMFLAGS already exists, modify it and add the new value inside the quotes, separated by a space. For
example, change export JVMFLAGS="-Xmx2048m" to:
export JVMFLAGS="-Xmx2048m -Djava.security.auth.login.config=/etc/gphd/zookeeper/conf/jaas.conf"
Copy to other zookeeper servers:
scp /etc/gphd/zookeeper/conf/java.env hdw1:/etc/gphd/zookeeper/conf/java.env
scp /etc/gphd/zookeeper/conf/java.env hdw3:/etc/gphd/zookeeper/conf/java.env

7. Verify the Zookeeper Configuration

7.1 Start Cluster

icm_client start -l <Cluster Name>

7.2 Connect as a client

zookeeper-client -server hostname:port
Note: The port is defined in /etc/gphd/zookeeper/conf/zoo.cfg and is typically 2181.
eg:
zookeeper-client -server hdw1:2181

7.3 Create a protected znode

[zk: hdw1:2181(CONNECTED) 6] create /testznode testznodedata sasl:zkcli@OPENKBINFO.COM:cdwra
Created /testznode

7.4 Verify the znode

[zk: hdw1:2181(CONNECTED) 11] getAcl /testznode
'sasl,'zkcli@OPENKBINFO.COM
: cdrwa
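As an added post-configuration check (not part of the original post), the following script audits a single Zookeeper server against steps 5 and 6 above: keytab symlink and permissions, the zoo.cfg SASL lines, the jaas.conf principal and keyTab, and the JVMFLAGS entry in java.env. Run it on each quorum host before step 7.1; the PREFIX argument (for auditing a staged copy of the tree) and the default owner zookeeper:hadoop are assumptions, the paths are the ones used in the steps.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit one Zookeeper server after
# steps 5 and 6. Paths are the ones used in the post; PREFIX (assumed, default "")
# points the checks at a staged copy of the tree, OWNER defaults to zookeeper:hadoop.
# Usage: zk_kerberos_audit [PREFIX] [HOST_FQDN] [OWNER]   (returns 0 when all pass)
zk_kerberos_audit() {
  local prefix="${1:-}" fqdn="${2:-$(hostname -f)}" owner="${3:-zookeeper:hadoop}"
  local conf="$prefix/etc/gphd/zookeeper/conf"
  local keytab="$prefix/etc/security/phd/keytab/zookeeper.service.keytab"
  local fail=0 mode own

  # Step 5: zookeeper.service.keytab must be a symlink to a keytab that only the
  # service account can read (mode 400, owned by zookeeper:hadoop).
  if [ ! -L "$keytab" ] || [ ! -f "$keytab" ]; then
    echo "FAIL keytab symlink $keytab missing or dangling"; fail=1
  else
    mode=$(stat -L -c '%a' "$keytab"); own=$(stat -L -c '%U:%G' "$keytab")
    [ "$mode" = "400" ] || { echo "FAIL keytab mode $mode, expected 400"; fail=1; }
    [ "$own" = "$owner" ] || { echo "FAIL keytab owner $own, expected $owner"; fail=1; }
  fi

  # Step 6.1: SASL auth provider registered and login renewal interval set.
  grep -qxF 'authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider' \
    "$conf/zoo.cfg" 2>/dev/null || { echo "FAIL zoo.cfg: authProvider.1 not set"; fail=1; }
  grep -qE '^jaasLoginRenew=[0-9]+$' "$conf/zoo.cfg" 2>/dev/null \
    || { echo "FAIL zoo.cfg: jaasLoginRenew not set"; fail=1; }

  # Step 6.2: the principal must name this host; a leftover host_fqdn placeholder
  # means the server cannot obtain a ticket and the quorum will not form.
  grep -qF "principal=\"zookeeper/$fqdn@" "$conf/jaas.conf" 2>/dev/null \
    || { echo "FAIL jaas.conf: principal is not zookeeper/$fqdn@REALM"; fail=1; }
  if grep -q 'host_fqdn' "$conf/jaas.conf" 2>/dev/null; then
    echo "FAIL jaas.conf: host_fqdn placeholder not substituted"; fail=1
  fi
  grep -qF 'keyTab="/etc/security/phd/keytab/zookeeper.service.keytab"' "$conf/jaas.conf" 2>/dev/null \
    || { echo "FAIL jaas.conf: keyTab does not point at zookeeper.service.keytab"; fail=1; }

  # Step 6.3: the JVM must be told where jaas.conf lives.
  grep -qE 'JVMFLAGS=".*-Djava.security.auth.login.config=/etc/gphd/zookeeper/conf/jaas.conf' \
    "$conf/java.env" 2>/dev/null || { echo "FAIL java.env: login.config flag missing"; fail=1; }

  [ "$fail" -eq 0 ] && echo "OK $fqdn: keytab and Kerberos settings are consistent"
  return "$fail"
}
```

The checks are read-only, so the script can be pushed out with massh exactly like the ls -altr command in step 5 and the exit status collected per host.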
