Both Storm and Zookeeper use Java Authentication and Authorization Services (JAAS), an implementation of the Pluggable Authentication Model (PAM), to authenticate users. Administrators must update the jaas.conf configuration file with the keytab and principal information from the last step. The file must appear on all Storm nodes, the Nimbus node, the Storm DRPC node, and all Gateway nodes. However, different cluster nodes require different stanzas, as indicated in the following table:
Table 26.13. Cluster Node Requirements

Cluster Node | Required Sections in jaas.conf
---|---
Storm | StormClient
Nimbus | StormServer (with additional lines for storm.principal.tolocal and storm.zookeeper.superACL), Client
DRPC | StormServer
Supervisor | StormClient, Client
Gateway | StormClient (different structure than used on Storm and Supervisor nodes)
Zookeeper | Server
Note: JAAS ignores unnecessary sections in jaas.conf. Administrators can put all sections in all copies of the file to simplify the process of updating it. However, the StormClient stanza for the Gateway nodes uses a different structure than the StormClient stanza on other cluster nodes. In addition, the StormServer stanza for the Nimbus node requires additional lines, as does the zoo.cfg configuration file for the Zookeeper nodes.
The following example jaas.conf file contains all sections and includes information about the keytabs and principals generated in the previous step.
```
StormServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/keytabs/storm.keytab"
    storeKey=true
    useTicketCache=false
    principal="storm/storm.example.com@STORM.EXAMPLE.COM";
};

StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/keytabs/storm.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="storm"
    principal="storm@STORM.EXAMPLE.COM";
};

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/keytabs/storm.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="storm@STORM.EXAMPLE.COM";
};
```
The StormServer section for the Nimbus node, however, must have the following additional lines:
```
StormServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/keytabs/storm.keytab"
    storeKey=true
    useTicketCache=false
    principal="storm/storm.example.com@STORM.EXAMPLE.COM";
};
```
The StormClient stanza for the Gateway nodes must have the following structure:

```
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=false
    useTicketCache=true
    serviceName="$nimbus_user";
};
```
The Server stanza for the Zookeeper nodes must have the following structure:
```
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/keytabs/zk.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="zookeeper/zk1.example.com@STORM.EXAMPLE.COM";
};
```
In addition, add the following childopts lines to the stanzas for the nimbus, ui, and supervisor:
```yaml
nimbus.childopts: "-Xmx1024m -Djava.security.auth.login.config=/path/to/jaas.conf"
ui.childopts: "-Xmx768m -Djava.security.auth.login.config=/path/to/jaas.conf"
supervisor.childopts: "-Xmx256m -Djava.security.auth.login.config=/path/to/jaas.conf"
```
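Because every node type needs a different subset of stanzas, and the Gateway StormClient stanza must use the user's ticket cache rather than the shared service keytab, a misplaced stanza is easy to miss by eye. The following script is an added example (not part of the original documentation or of Storm itself): it parses a jaas.conf in the `Name { module flag key=value ...; };` form shown above, checks each node role against Table 26.13, flags a Gateway StormClient stanza that references a keytab, and extracts the jaas.conf path from a childopts string. The sample configurations are constructed from the page's example values; the Gateway stanza assumes that `$nimbus_user` resolves to the Storm service user (`storm`).

```python
import re

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"

# Required stanzas per node role, taken from Table 26.13.
REQUIRED_SECTIONS = {
    "Storm": {"StormClient"},
    "Nimbus": {"StormServer", "Client"},
    "DRPC": {"StormServer"},
    "Supervisor": {"StormClient", "Client"},
    "Gateway": {"StormClient"},
    "Zookeeper": {"Server"},
}

# Constructed sample jaas.conf for a Nimbus node (page's example paths and principals).
NIMBUS_JAAS = """
StormServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/keytabs/storm.keytab"
    storeKey=true
    useTicketCache=false
    principal="storm/storm.example.com@STORM.EXAMPLE.COM";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/keytabs/storm.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="storm@STORM.EXAMPLE.COM";
};
"""

# Constructed sample for a Gateway node: the user's own ticket cache, no keytab.
# serviceName is assumed to be "storm" (the page writes it as $nimbus_user).
GATEWAY_JAAS = """
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=false
    useTicketCache=true
    serviceName="storm";
};
"""

STANZA_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
CHILDOPTS_RE = re.compile(r"-Djava\.security\.auth\.login\.config=(\S+)")


def parse_jaas(text):
    """Parse JAAS stanzas into {name: [{"module", "flag", "options"}, ...]}."""
    stanzas = {}
    for name, body in STANZA_RE.findall(text):
        entries = []
        for entry in body.split(";"):          # one login-module entry per ';'
            tokens = entry.split()
            if len(tokens) < 2:
                continue
            options = {}
            for tok in tokens[2:]:              # key=value pairs after module and flag
                key, _, value = tok.partition("=")
                options[key] = value.strip('"')
            entries.append({"module": tokens[0], "flag": tokens[1], "options": options})
        stanzas[name] = entries
    return stanzas


def check_node(role, stanzas):
    """Return a list of problems for a node of the given role; an empty list means OK."""
    problems = []
    for section in sorted(REQUIRED_SECTIONS[role]):
        entries = stanzas.get(section)
        if not entries:
            problems.append(f"{role}: missing section {section}")
            continue
        for entry in entries:
            if entry["module"] != KRB5_MODULE:
                problems.append(f"{role}/{section}: unexpected login module {entry['module']}")
            opts = entry["options"]
            if role == "Gateway" and section == "StormClient":
                # Gateway users must log in with their own tickets; a shared keytab here
                # would let any gateway user act as the Storm service principal.
                if opts.get("useTicketCache") != "true":
                    problems.append(f"{role}/{section}: useTicketCache must be true")
                if "keyTab" in opts or opts.get("useKeyTab") == "true":
                    problems.append(f"{role}/{section}: must not reference a keytab")
            else:
                # Service stanzas authenticate non-interactively from a keytab.
                if opts.get("useKeyTab") != "true" or "keyTab" not in opts:
                    problems.append(f"{role}/{section}: useKeyTab=true with a keyTab is required")
                if "principal" not in opts:
                    problems.append(f"{role}/{section}: principal is required")
    return problems


def jaas_path_from_childopts(childopts):
    """Return the jaas.conf path that a childopts string points the JVM at, or None."""
    match = CHILDOPTS_RE.search(childopts)
    return match.group(1) if match else None


if __name__ == "__main__":
    for role, text in (("Nimbus", NIMBUS_JAAS), ("Gateway", GATEWAY_JAAS), ("Zookeeper", NIMBUS_JAAS)):
        problems = check_node(role, parse_jaas(text))
        print(role, "OK" if not problems else problems)
    print(jaas_path_from_childopts('-Xmx1024m -Djava.security.auth.login.config=/path/to/jaas.conf'))
```

Run it once per node with that node's jaas.conf and role; the Zookeeper check against the Nimbus file fails, as expected, because the Server stanza is absent, and a Gateway node handed the keytab-based StormClient stanza is reported as well.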
Note: When starting Zookeeper, include the following command-line option so that Zookeeper can find jaas.conf.