Building a Secured (Kerberized) Zookeeper

Overview

This post walks through applying Kerberos security to Zookeeper.

Configuration changes

zoo.cfg (the quorum SASL settings are the lines added after the server list):

# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=5
# the directory where the snapshot is stored.
# do not use /tmp for storage, /tmp here is just
# example sakes.
dataDir=/var/zookeeper
# the port at which the clients will connect
clientPort=2181
server.1=hadoop1.mysite.com:2888:3888
server.2=hadoop2.mysite.com:2888:3888
server.3=hadoop3.mysite.com:2888:3888

quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST

#autopurge.purgeInterval=1

JAAS login configuration (the file referenced by JAAS_CONF_PATH below; this is the copy for hadoop1):

Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/hdfs.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};

QuorumServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/hdfs.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};

QuorumLearner {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/hdfs.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};

Then point the JVM at that JAAS file through JVMFLAGS in the environment Zookeeper is started from:

export JVMFLAGS="-Djava.security.auth.login.config=${JAAS_CONF_PATH}"
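As an added check (my own script, not code from the post or from ZooKeeper), the following parses a zoo.cfg and its JAAS file and verifies that the quorum SASL settings are consistent for a given server host; the inputs are constructed copies of the fragments above.

```python
import re

# Constructed sample inputs mirroring the post's fragments (a real check reads the files instead).
ZOO_CFG = """
quorum.auth.enableSasl=true
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
"""
KRB5 = 'com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/hdfs.keytab"'
JAAS_CONF = "\n".join(
    f'{name} {{ {KRB5} storeKey=true principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM"; }};'
    for name in ("Server", "QuorumServer", "QuorumLearner"))

REQUIRED_TRUE = ("quorum.auth.enableSasl", "quorum.auth.learnerRequireSasl", "quorum.auth.serverRequireSasl")

def parse_zoo_cfg(text):
    """zoo.cfg is key=value per line; '#' comments and blank lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def parse_jaas(text):
    """Map each JAAS entry 'Name { Module flag opt=val ...; };' to {opt: val}."""
    return {name: dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
            for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S)}

def check_quorum_sasl(cfg, jaas, host):
    """Return findings for one server host; an empty list means the pair is consistent."""
    problems = [f"{k} must be true" for k in REQUIRED_TRUE if cfg.get(k, "").lower() != "true"]
    if not cfg.get("authProvider.1", "").endswith("SASLAuthenticationProvider"):
        problems.append("authProvider.1 is not the SASL provider")
    # A learner asks the KDC for a ticket to servicePrincipal with _HOST replaced by the peer's
    # hostname, so the JAAS login principal on that peer must be exactly that service principal.
    expected = cfg.get("quorum.auth.kerberos.servicePrincipal", "zookeeper/_HOST").replace("_HOST", host)
    for name in ("Server", "QuorumServer", "QuorumLearner"):
        entry = jaas.get(name)
        if entry is None:
            problems.append(f"JAAS entry {name} is missing")
        elif entry.get("useKeyTab") != "true" or "keyTab" not in entry:
            problems.append(f"{name}: keytab login not configured")
        elif entry.get("principal", "").split("@")[0] != expected:
            problems.append(f"{name}: principal does not match {expected}")
    return problems
```

check_quorum_sasl(...) returns an empty list for hadoop1.mysite.com but flags all three JAAS entries for hadoop2.mysite.com, because the post's JAAS file hard-codes hadoop1's principal; each server needs its own zookeeper/<host> entry, present in the keytab it points at.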

Restarting Zookeeper

After changing the configuration as above, restart zookeeper and it will come up in secure mode.