Command Line Installation
Also available as:
PDF
loading table of contents...

Securing ZooKeeper with Kerberos (optional)

(Optional) To secure ZooKeeper with Kerberos, perform the following steps on the host that runs KDC (Kerberos Key Distribution Center):

  1. Start the kadmin.local utility:

    /usr/sbin/kadmin.local

  2. Create a principal for ZooKeeper:

    sudo kadmin.local -q 'addprinc zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM'

  3. Create a keytab for ZooKeeper:

    sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"

  4. Copy the keytab to all ZooKeeper nodes in the cluster.

    [Note]Note

    Verify that only the ZooKeeper and Storm operating system users can access the ZooKeeper keytab.

  5. Administrators must add the following properties to the zoo.cfg configuration file located at /etc/zookeeper/conf:

    authProvider.1 = org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    kerberos.removeHostFromPrincipal = true
    kerberos.removeRealmFromPrincipal = true
[Note]Note

Grant the zookeeper user shell access on Ubuntu and Debian.

usermod -s /bin/bash zookeeper