ambari-issues mailing list archives

From "Yuanbo Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-11582) [Ambari] Configuration changes enable ZK security with RM
Date Tue, 28 Mar 2017 01:57:41 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-11582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15944395#comment-15944395 ]

Yuanbo Liu commented on AMBARI-11582:
-------------------------------------

[~rlevas] Thanks for your response.
Since 2.4 is still being maintained and this is a security leak, it would be better that the
patch is backported into the 2.4 branch.
We also have to take care of the connection between HDFS and ZooKeeper.

> [Ambari] Configuration changes enable ZK security with RM
> ---------------------------------------------------------
>
>                 Key: AMBARI-11582
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11582
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> When Kerberos is enabled, the following changes need to be made for HDP 2.2 and HDP 2.3
> *ZooKeeper*
> * Create a keytab for zookeeper called zookeeper.service.keytab, and save it in /etc/security/keytabs.
> * Add the following contents to zoo.cfg
> {code}
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> kerberos.removeHostFromPrincipal=true
> kerberos.removeRealmFromPrincipal=true
> {code}
> * Create zookeeper_client_jaas.conf
> {code}
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=false
>   useTicketCache=true;
> };
> {code}
> * Create zookeeper_jaas.conf
> {code}
> Server {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   storeKey=true
>   useTicketCache=false
>   keyTab="$PATH_TO_ZOOKEEPER_KEYTAB"   // such as "/etc/security/keytabs/zookeeper.service.keytab"
>   principal="zookeeper/$HOST";         // such as "zookeeper/xuan-sec-yarn-ha-2.novalocal@SCL42.HORTONWORKS.COM"
> };
> {code}
> * Add the following contents to zookeeper-env.sh
> {code}
> export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"
> export SERVER_JVMFLAGS="-Xmx1024m -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_jaas.conf"
> {code}
> *Yarn*
> * Create yarn_jaas.conf
> {code}
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   storeKey=true
>   useTicketCache=false
>   keyTab="$PATH_TO_RM_KEYTAB"   // such as "/etc/security/keytabs/rm.service.keytab"
>   principal="rm/$HOST";         // such as "rm/xuan-sec-yarn-ha-1.novalocal@EXAMPLE.COM"
> };
> {code}
> * Add a new property in yarn-site.xml (assuming the principal is rm/_HOST@REALM)
> {code}
> <property>
>   <name>yarn.resourcemanager.zk-acl</name>
>   <value>sasl:rm:rwcda</value>
> </property>
> {code}
> * Add a new YARN_OPTS into yarn-env.sh, and make sure this YARN_OPTS will be picked up
> when we start RMs
> {code}
> YARN_OPTS="$YARN_OPTS -Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/conf/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client"
> {code}
> *HDFS*
> * In hdfs-site.xml, set the following property, for security of the ZooKeeper-based fail-over
> controller:
> {code}
> <property>
>   <name>ha.zookeeper.acl</name>
>   <value>sasl:nn:rwcda</value>
> </property>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
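As an added check, not part of the issue above or of Ambari's own code, the script below parses Hadoop `*-site.xml` files and flags the two ZooKeeper ACL properties the issue hardens, `yarn.resourcemanager.zk-acl` and `ha.zookeeper.acl`, when they are missing, malformed, or still on a `world:anyone` scheme. The XML samples are constructed; the script assumes Hadoop's default for both properties is `world:anyone:rwcda`, so an absent entry is treated as open.

```python
import xml.etree.ElementTree as ET

# Properties this issue hardens and the file each lives in.
ZK_ACL_PROPERTIES = {
    "yarn-site.xml": "yarn.resourcemanager.zk-acl",
    "hdfs-site.xml": "ha.zookeeper.acl",
}
PERM_CHARS = set("crwda")  # ZooKeeper permission letters

def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop configuration XML document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def parse_zk_acl(acl):
    """Split 'scheme:id:perms' into its parts; raise ValueError if malformed."""
    scheme, sep1, rest = acl.partition(":")
    ident, sep2, perms = rest.rpartition(":")  # the id itself may contain ':'
    if not (sep1 and sep2 and scheme and perms) or not set(perms) <= PERM_CHARS:
        raise ValueError("malformed ZooKeeper ACL: %r" % acl)
    return scheme, ident, perms

def audit_zk_acl(filename, props):
    """Return findings for the ZK ACL property expected in one config file."""
    key = ZK_ACL_PROPERTIES[filename]
    # Assumed Hadoop default for both properties: world:anyone:rwcda, so a missing
    # entry means any unauthenticated ZooKeeper client can rewrite the znodes.
    acl = props.get(key, "world:anyone:rwcda")
    try:
        scheme, _ident, _perms = parse_zk_acl(acl)
    except ValueError as err:
        return [str(err)]
    if scheme == "world":
        return ["%s: %s=%s leaves the znodes open to anyone" % (filename, key, acl)]
    if scheme != "sasl":
        return ["%s: %s uses scheme %r, expected sasl" % (filename, key, scheme)]
    return []

# Constructed samples: hdfs-site.xml hardened as the issue describes, yarn-site.xml
# with Kerberos on but the RM state-store ACL still at its default.
SAMPLE_HDFS_SITE = """<configuration>
  <property><name>ha.zookeeper.acl</name><value>sasl:nn:rwcda</value></property>
</configuration>"""
SAMPLE_YARN_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    for fname, text in (("hdfs-site.xml", SAMPLE_HDFS_SITE), ("yarn-site.xml", SAMPLE_YARN_SITE)):
        print(fname, audit_zk_acl(fname, parse_hadoop_config(text)) or ["ok"])
```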
