Posted to dev@slider.apache.org by Lei Guo <le...@huawei.com> on 2015/06/05 17:16:40 UTC

Secured Zookeeper

We are trying to use Slider to manage HBase in an environment with secured ZooKeeper (Kerberos). It seems there are some issues around both the AM and the agent. For example, the embedded kazoo library does not support Kerberos credentials.

Just want to confirm that secured Zookeeper is not supported yet.

Have a nice day,
Lei

Re: Secured Zookeeper

Posted by Yohan Bismuth <yo...@gmail.com>.
Hi,
We're currently running HBase with a secure ZooKeeper without any issue, so
I guess it's supported.

On Fri, Jun 5, 2015 at 10:14 PM, Jon Maron <jm...@hortonworks.com> wrote:

>
> > On Jun 5, 2015, at 4:12 PM, Billie Rinaldi <bi...@gmail.com>
> wrote:
> >
> > On Fri, Jun 5, 2015 at 12:58 PM, Steve Loughran <st...@hortonworks.com>
> > wrote:
> >
> >> ooh, now ZK has interesting and complicated security. I spent more time
> >> writing the kerberos ZK tests for the yarn registry than most of the
> >> registry code itself, from which I came out with
> >> -a fear of kerberos
> >>
> >
> > Kerberophobia?
>
> common and prevalent...
>
> >
> >
> >> -a fear of its error messages
> >> -not enough understanding of how ZK security works.
> >>
> >>
> >>
> >>> On 5 Jun 2015, at 16:16, Lei Guo <le...@huawei.com> wrote:
> >>>
> >>> We are trying to use Slider to manage HBase in an environment with
> >> secured zookeeper (Kerberos). Seems there are some issues around both AM
> >> and agent. For example, the kazoo library embedded does not support
> >> Kerberos credential.
> >>
> >>
> >>
> >>>
> >>> Just want to confirm that secured Zookeeper is not supported yet.
> >>>
> >>
> >> it should be.
> >>
> >> The registry can be set up to be world readable, and writeable only by
> the
> >> user who is starting the jobs
> >>
> >>
> http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html
> >>
> >> if your hadoop  installation has YARN-2571 applied, this is done
> >> automatically for you by the RM. I managed to get this into HDP 2.2, but
> >> it's not in ASF Hadoop (one of the few differences)
> >>
> >> without that, there is a way from the command line to give a user
> >> permissions (and only that user).
> >>
> >> Once the registry is setup, the AM will update its path under
> >> /users/${USERNAME} with
> >> -the URL used by the agents to find the AM
> >> -any bindings the applications publish
> >>
> >> There's also a bit of ZK code in the slider client which creates a
> >> zookeeper path for an HBase cluster, under
> >> /services/slider/users/${USERNAME}/${CLUSTERNAME}
> >>
> >> I think that's the bit most likely to break on a secure ZK cluster,
> unless
> >> you set up /services/slider/users/${USERNAME} to be writeable by that
> user.
> >>
> >> Does this help? If not, we'll do what we can to get this to work. It
> >> should work on a secure ZK cluster
> >>
> >>
>
>

Re: Secured Zookeeper

Posted by Jon Maron <jm...@hortonworks.com>.
> On Jun 5, 2015, at 4:12 PM, Billie Rinaldi <bi...@gmail.com> wrote:
> 
> On Fri, Jun 5, 2015 at 12:58 PM, Steve Loughran <st...@hortonworks.com>
> wrote:
> 
>> ooh, now ZK has interesting and complicated security. I spent more time
>> writing the kerberos ZK tests for the yarn registry than most of the
>> registry code itself, from which I came out with
>> -a fear of kerberos
>> 
> 
> Kerberophobia?

common and prevalent...

> 
> 
>> -a fear of its error messages
>> -not enough understanding of how ZK security works.
>> 
>> 
>> 
>>> On 5 Jun 2015, at 16:16, Lei Guo <le...@huawei.com> wrote:
>>> 
>>> We are trying to use Slider to manage HBase in an environment with
>> secured zookeeper (Kerberos). Seems there are some issues around both AM
>> and agent. For example, the kazoo library embedded does not support
>> Kerberos credential.
>> 
>> 
>> 
>>> 
>>> Just want to confirm that secured Zookeeper is not supported yet.
>>> 
>> 
>> it should be.
>> 
>> The registry can be set up to be world readable, and writeable only by the
>> user who is starting the jobs
>> 
>> http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html
>> 
>> if your hadoop  installation has YARN-2571 applied, this is done
>> automatically for you by the RM. I managed to get this into HDP 2.2, but
>> it's not in ASF Hadoop (one of the few differences)
>> 
>> without that, there is a way from the command line to give a user
>> permissions (and only that user).
>> 
>> Once the registry is setup, the AM will update its path under
>> /users/${USERNAME} with
>> -the URL used by the agents to find the AM
>> -any bindings the applications publish
>> 
>> There's also a bit of ZK code in the slider client which creates a
>> zookeeper path for an HBase cluster, under
>> /services/slider/users/${USERNAME}/${CLUSTERNAME}
>> 
>> I think that's the bit most likely to break on a secure ZK cluster, unless
>> you set up /services/slider/users/${USERNAME} to be writeable by that user.
>> 
>> Does this help? If not, we'll do what we can to get this to work. It
>> should work on a secure ZK cluster
>> 
>> 


Re: Secured Zookeeper

Posted by Steve Loughran <st...@hortonworks.com>.
> On 5 Jun 2015, at 21:12, Billie Rinaldi <bi...@gmail.com> wrote:
> 
> On Fri, Jun 5, 2015 at 12:58 PM, Steve Loughran <st...@hortonworks.com>
> wrote:
> 
>> ooh, now ZK has interesting and complicated security. I spent more time
>> writing the kerberos ZK tests for the yarn registry than most of the
>> registry code itself, from which I came out with
>> -a fear of kerberos
>> 
> 
> Kerberophobia?


"phobia" implies some unnatural fear. I prefer "experience"

Re: Secured Zookeeper

Posted by Billie Rinaldi <bi...@gmail.com>.
On Fri, Jun 5, 2015 at 12:58 PM, Steve Loughran <st...@hortonworks.com>
wrote:

> ooh, now ZK has interesting and complicated security. I spent more time
> writing the kerberos ZK tests for the yarn registry than most of the
> registry code itself, from which I came out with
> -a fear of kerberos
>

Kerberophobia?


> -a fear of its error messages
> -not enough understanding of how ZK security works.
>
>
>
> > On 5 Jun 2015, at 16:16, Lei Guo <le...@huawei.com> wrote:
> >
> > We are trying to use Slider to manage HBase in an environment with
> secured zookeeper (Kerberos). Seems there are some issues around both AM
> and agent. For example, the kazoo library embedded does not support
> Kerberos credential.
>
>
>
> >
> > Just want to confirm that secured Zookeeper is not supported yet.
> >
>
> it should be.
>
> The registry can be set up to be world readable, and writeable only by the
> user who is starting the jobs
>
> http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html
>
> if your hadoop  installation has YARN-2571 applied, this is done
> automatically for you by the RM. I managed to get this into HDP 2.2, but
> it's not in ASF Hadoop (one of the few differences)
>
> without that, there is a way from the command line to give a user
> permissions (and only that user).
>
> Once the registry is setup, the AM will update its path under
> /users/${USERNAME} with
>  -the URL used by the agents to find the AM
>  -any bindings the applications publish
>
> There's also a bit of ZK code in the slider client which creates a
> zookeeper path for an HBase cluster, under
>  /services/slider/users/${USERNAME}/${CLUSTERNAME}
>
> I think that's the bit most likely to break on a secure ZK cluster, unless
> you set up /services/slider/users/${USERNAME} to be writeable by that user.
>
> Does this help? If not, we'll do what we can to get this to work. It
> should work on a secure ZK cluster
>
>

Re: Secured Zookeeper

Posted by Steve Loughran <st...@hortonworks.com>.
Ooh, now ZK has interesting and complicated security. I spent more time writing the Kerberos ZK tests for the YARN registry than most of the registry code itself, from which I came out with
- a fear of Kerberos
- a fear of its error messages
- not enough understanding of how ZK security works.



> On 5 Jun 2015, at 16:16, Lei Guo <le...@huawei.com> wrote:
> 
> We are trying to use Slider to manage HBase in an environment with secured zookeeper (Kerberos). Seems there are some issues around both AM and agent. For example, the kazoo library embedded does not support Kerberos credential.



> 
> Just want to confirm that secured Zookeeper is not supported yet.
> 

It should be.

The registry can be set up to be world readable, and writeable only by the user who is starting the jobs
http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html

If your Hadoop installation has YARN-2571 applied, this is done automatically for you by the RM. I managed to get this into HDP 2.2, but it's not in ASF Hadoop (one of the few differences).

Without that, there is a way from the command line to give a user permissions (and only that user).

Once the registry is set up, the AM will update its path under /users/${USERNAME} with
- the URL used by the agents to find the AM
- any bindings the applications publish

There's also a bit of ZK code in the slider client which creates a zookeeper path for an HBase cluster, under
 /services/slider/users/${USERNAME}/${CLUSTERNAME}

I think that's the bit most likely to break on a secure ZK cluster, unless you set up /services/slider/users/${USERNAME} to be writeable by that user.

Does this help? If not, we'll do what we can to get this to work. It should work on a secure ZK cluster
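
The ACL requirement described in the message above, as an added example that is not part of the original thread or of Slider's code: an offline model of how ZooKeeper evaluates ACLs on the two per-user parent znodes, showing why a cluster path cannot be created unless the parent grants create to that user. The user name `alice`, the `yarn` id and the sample ACL strings are constructed, and the SASL id is assumed to be the Kerberos short name.

```python
# Added example: offline model of ZooKeeper ACL evaluation for the znodes
# named in the thread. ACL strings use the zkCli "scheme:id:perms" form.
# Assumption: the SASL id is the Kerberos short name (e.g. "alice").

def parse_acl(text):
    """'world:anyone:r,sasl:alice:cdrwa' -> [(scheme, id, set(perms)), ...]"""
    entries = []
    for item in text.split(","):
        rest, perms = item.strip().rsplit(":", 1)
        scheme, ident = rest.split(":", 1)
        entries.append((scheme, ident, set(perms)))
    return entries

def allowed(acl, user, perm):
    """True if `user` (a SASL id, or None when unauthenticated) holds `perm`."""
    for scheme, ident, perms in acl:
        if perm not in perms:
            continue
        if (scheme, ident) == ("world", "anyone"):
            return True
        if scheme == "sasl" and user is not None and ident == user:
            return True
    return False

def audit(tree, user):
    """Check the two per-user parents the thread names; return findings."""
    findings = []
    for parent in (f"/users/{user}", f"/services/slider/users/{user}"):
        if parent not in tree:
            findings.append(f"{parent}: missing")
            continue
        acl = parse_acl(tree[parent])
        # Creating a child znode needs CREATE on the parent; ACLs are per
        # znode and are not inherited from ancestors.
        if not allowed(acl, user, "c"):
            findings.append(f"{parent}: {user} lacks create")
        # Anything beyond read for an unauthenticated client is world-writable.
        extra = [p for p in "wcda" if allowed(acl, None, p)]
        if extra:
            findings.append(f"{parent}: world has {''.join(extra)}")
    return findings

# Constructed sample ACLs, not taken from a real cluster.
BROKEN = {"/users/alice": "world:anyone:r,sasl:alice:cdrwa",
          "/services/slider/users/alice": "world:anyone:r,sasl:yarn:cdrwa"}
FIXED = dict(BROKEN, **{"/services/slider/users/alice":
                        "world:anyone:r,sasl:alice:cdrwa"})

if __name__ == "__main__":
    for name, tree in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(tree, "alice"))
```

The same check can be run against ACL strings copied from `getAcl` output for the real paths, with the id adjusted to however the cluster maps Kerberos principals to SASL ids.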