Posted to issues@ambari.apache.org by "Yuanbo Liu (JIRA)" <ji...@apache.org> on 2017/03/27 03:23:41 UTC

[jira] [Commented] (AMBARI-11582) [Ambari] Configuration changes enable ZK security with RM

    [ https://issues.apache.org/jira/browse/AMBARI-11582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15942579#comment-15942579 ] 

Yuanbo Liu commented on AMBARI-11582:
-------------------------------------

[~rlevas] Sorry to interrupt, any plan to fix this defect?

> [Ambari] Configuration changes enable ZK security with RM
> ---------------------------------------------------------
>
>                 Key: AMBARI-11582
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11582
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> When Kerberos is enabled, the following changes need to be made for HDP 2.2 and HDP 2.3
> *ZooKeeper*
> * Create a keytab for zookeeper called zookeeper.service.keytab, and save it in /etc/security/keytabs.
> * Add following contents in zoo.cfg
> {code}
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> kerberos.removeHostFromPrincipal=true
> kerberos.removeRealmFromPrincipal=true
> {code}
> * Create zookeeper_client_jaas.conf
> {code}
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=false
> useTicketCache=true;
> };
> {code}
> * Create zookeeper_jaas.conf
> {code}
> Server {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> useTicketCache=false
> // $PATH_TO_ZOOKEEPER_KEYTAB is e.g. "/etc/security/keytabs/zookeeper.service.keytab"
> keyTab="$PATH_TO_ZOOKEEPER_KEYTAB"
> // $HOST is this server's FQDN, e.g. "zookeeper/xuan-sec-yarn-ha-2.novalocal@SCL42.HORTONWORKS.COM"
> principal="zookeeper/$HOST";
> };
> {code}
> * Add following contents in zookeeper-env.sh
> {code}
> export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"
> export SERVER_JVMFLAGS="-Xmx1024m -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_jaas.conf"
> {code}
> *Yarn*
> * Create yarn_jaas.conf 
> {code}
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> useTicketCache=false
> // $PATH_TO_RM_KEYTAB is e.g. "/etc/security/keytabs/rm.service.keytab"
> keyTab="$PATH_TO_RM_KEYTAB"
> // $HOST is this RM's FQDN, e.g. "rm/xuan-sec-yarn-ha-1.novalocal@EXAMPLE.COM"
> principal="rm/$HOST";
> };
> {code}
> * Add a new property in yarn-site.xml (assuming principal is rm/_HOST@REALM) 
> {code}
> <property>
>     <name>yarn.resourcemanager.zk-acl</name>
>     <value>sasl:rm:rwcda</value>
> </property>
> {code}
> * Add a new YARN_OPTS entry to yarn-env.sh, and make sure this YARN_OPTS is picked up when we start the RMs
> {code}
> YARN_OPTS="$YARN_OPTS -Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/conf/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client"
> {code}
> *HDFS*
> * In hdfs-site.xml, set the following property to secure the ZooKeeper-based failover controller:
> {code}
> <property>
>     <name>ha.zookeeper.acl</name>
>     <value>sasl:nn:rwcda</value>
> </property>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
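The ACL values in the issue description (sasl:rm:rwcda for the ResourceManager state store, sasl:nn:rwcda for the ZKFC election znodes) only match the authenticated client because zoo.cfg sets kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal, so that rm/host@REALM authorizes as the bare id "rm". If either flag is missing, the RM creates its znodes with an ACL its own SASL id does not satisfy and locks itself out; if the SASL auth provider is not registered, no sasl: entry can ever match. The check below is an added example, not code from Ambari or ZooKeeper: it models ZooKeeper's documented principal-to-id mapping (assuming the default auth_to_local rule, which keeps the primary component) and its ACL semantics, then audits a zoo.cfg fragment against a service's ACL and principal. The config text, principals, hostnames and helper names are constructed for illustration.

```python
"""Audit ZooKeeper SASL id mapping against the zk-acl settings from the issue.

Example code, not Ambari or ZooKeeper source. The principal -> SASL id
mapping follows ZooKeeper's documented kerberos.removeHostFromPrincipal /
kerberos.removeRealmFromPrincipal behaviour with the default auth_to_local
rule; sample configs, principals and helper names are constructed here.
"""
import re
from typing import Dict, List, Set, Tuple

SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
PERM_CHARS = set("rwcda")  # read, write, create, delete, admin


def parse_zoo_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines of a zoo.cfg fragment; '#' comments and blanks ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def derive_sasl_id(principal: str, remove_host: bool, remove_realm: bool) -> str:
    """Map primary[/instance][@REALM] to the id ZooKeeper authorizes the client as."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?(?:@(.+))?", principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    primary, host, realm = m.groups()
    sasl_id = primary
    if host and not remove_host:
        sasl_id += "/" + host
    if realm and not remove_realm:
        sasl_id += "@" + realm
    return sasl_id


def parse_acl(acl: str) -> List[Tuple[str, str, Set[str]]]:
    """Parse 'scheme:id:perms[,scheme:id:perms...]' as used by the zk-acl properties."""
    entries = []
    for item in acl.split(","):
        scheme, _, rest = item.strip().partition(":")
        ident, _, perms = rest.rpartition(":")
        if not scheme or not ident or not perms or set(perms) - PERM_CHARS:
            raise ValueError(f"malformed ACL entry: {item!r}")
        entries.append((scheme, ident, set(perms)))
    return entries


def allowed(acl: str, sasl_id: str, perm: str) -> bool:
    """True if a SASL-authenticated client whose id is sasl_id holds perm under acl."""
    for scheme, ident, perms in parse_acl(acl):
        if scheme == "world" and ident == "anyone" and perm in perms:
            return True
        if scheme == "sasl" and ident == sasl_id and perm in perms:
            return True
    return False


def audit(zoo_cfg: Dict[str, str], acl: str, principal: str) -> List[str]:
    """Return the findings that would lock a service out of, or leave open, its znodes."""
    findings: List[str] = []
    if zoo_cfg.get("authProvider.1") != SASL_PROVIDER:
        findings.append("zoo.cfg: SASLAuthenticationProvider not registered; sasl: entries never match")
    remove_host = zoo_cfg.get("kerberos.removeHostFromPrincipal", "false").lower() == "true"
    remove_realm = zoo_cfg.get("kerberos.removeRealmFromPrincipal", "false").lower() == "true"
    sasl_id = derive_sasl_id(principal, remove_host, remove_realm)
    missing = [p for p in "rwcda" if not allowed(acl, sasl_id, p)]
    if missing:
        findings.append(f"{principal} authorizes as {sasl_id!r}; ACL {acl!r} withholds {''.join(missing)}")
    for scheme, ident, perms in parse_acl(acl):
        if scheme == "world" and perms - {"r"}:
            findings.append(f"ACL {acl!r} grants world:anyone more than read: {''.join(sorted(perms))}")
    return findings


# Constructed sample inputs (not taken from a real cluster).
ZOO_CFG_SECURE = """
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
"""
ZOO_CFG_WEAK = """
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
"""
RM_PRINCIPAL = "rm/rm1.example.com@EXAMPLE.COM"
RM_ACL = "sasl:rm:rwcda"  # yarn.resourcemanager.zk-acl from the issue
NN_ACL = "sasl:nn:rwcda"  # ha.zookeeper.acl from the issue

if __name__ == "__main__":
    for label, cfg_text in (("secure", ZOO_CFG_SECURE), ("weak", ZOO_CFG_WEAK)):
        print(label, audit(parse_zoo_cfg(cfg_text), RM_ACL, RM_PRINCIPAL) or "OK")
```

Because the host component is stripped, both RMs in an HA pair (rm/rm1@REALM and rm/rm2@REALM) map to the same id "rm" and share the state store, while a NodeManager or NameNode principal maps to "nm" or "nn" and is denied; the audit also flags world:anyone entries beyond read, since that is ZooKeeper's default open ACL that these settings are meant to replace.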