Building a Secured (Kerberized) Zookeeper
Overview
This post walks through applying Kerberos security to Zookeeper.

Configuration changes
# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=5
# the directory where the snapshot is stored.
# do not use /tmp for storage, /tmp here is just
# example sakes.
dataDir=/var/zookeeper
# the port at which the clients will connect
clientPort=2181
server.1=hadoop1.mysite.com:2888:3888
server.2=hadoop2.mysite.com:2888:3888
server.3=hadoop3.mysite.com:2888:3888
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
#autopurge.purgeInterval=1

Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
QuorumServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
QuorumLearner {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
};

export JVMFLAGS="-Djava.security.auth.login.config=${JAAS_CONF_PATH}"
Restart Zookeeper

After changing the configuration as above, restart zookeeper and it will come up in secure mode.
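Added example, not code from the original post: a small Python check to run on each node before the restart, which parses the zoo.cfg quorum-auth properties and the JAAS sections shown above and flags settings that would let a peer join the quorum unauthenticated or make a section fall back to a ticket cache. The sample configs are constructed from the post's values, and the host name passed in is an assumption.

```python
import re
# Constructed sample of the quorum-auth properties the post adds to zoo.cfg.
ZOO_CFG = """\
quorum.auth.enableSasl=true
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
"""

# Constructed sample JAAS file: the three server-side sections from the post.
SECTION = """{name} {{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/hdfs.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/hadoop1.mysite.com@CHAOS.ORDER.COM";
}};
"""
JAAS_CONF = "".join(SECTION.format(name=n) for n in ("Server", "QuorumServer", "QuorumLearner"))

def parse_properties(text):
    """key=value lines into a dict, skipping blank lines and # comments."""
    lines = (line.strip() for line in text.splitlines())
    return dict(line.split("=", 1) for line in lines if line and not line.startswith("#"))

def parse_jaas(text):
    """'Name { option=value ... };' blocks into {name: {option: value}}, quotes stripped."""
    sections = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S):
        sections[name] = dict(re.findall(r'(\w+)="?([^"\s;]+)"?', body))
    return sections

def check_quorum_auth(zoo_cfg, jaas_conf, host):
    """Return findings for the ensemble member running on `host`; [] means consistent."""
    props, jaas, findings = parse_properties(zoo_cfg), parse_jaas(jaas_conf), []
    for key in ("quorum.auth.enableSasl", "quorum.auth.learnerRequireSasl", "quorum.auth.serverRequireSasl"):
        if props.get(key) != "true":
            findings.append(f"{key} is not true: a peer could join the quorum without authenticating")
    providers = [v for k, v in props.items() if k.startswith("authProvider.")]
    if "org.apache.zookeeper.server.auth.SASLAuthenticationProvider" not in providers:
        findings.append("no authProvider.N is SASLAuthenticationProvider: clients cannot use Kerberos")
    for sec in ("Server", "QuorumServer", "QuorumLearner"):
        opts = jaas.get(sec, {})  # a missing section fails the keytab check below
        if opts.get("useKeyTab") != "true" or opts.get("useTicketCache") == "true":
            findings.append(f"JAAS {sec}: must log in from the keytab, not a ticket cache")
        elif not opts.get("principal", "").startswith(f"zookeeper/{host}@"):
            findings.append(f"JAAS {sec}: principal does not match zookeeper/{host}")
    return findings
```

Run it with the real files' contents and the node's own host name; any non-empty result should be fixed before the restart, since the other quorum members will otherwise refuse, or worse silently accept, the connection depending on which side is misconfigured.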