Robert Levas created AMBARI-11582:
-------------------------------------
Summary: [Ambari] Configuration changes enable ZK security with RM
Key: AMBARI-11582
URL: https://issues.apache.org/jira/browse/AMBARI-11582
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.1.0
Reporter: Robert Levas
Assignee: Robert Levas
Priority: Critical
Fix For: 2.1.0
When Kerberos is enabled, the following changes need to be made for HDP 2.2 and HDP 2.3:
*ZooKeeper*
* Create a keytab for ZooKeeper called zookeeper.service.keytab and save it in /etc/security/keytabs.
* Add the following to zoo.cfg
{code}
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
{code}
* Create zookeeper_client_jaas.conf
{code}
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
useTicketCache=true;
};
{code}
* Create zookeeper_jaas.conf
{code}
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="$PATH_TO_ZOOKEEPER_KEYTAB"
// such as "/etc/security/keytabs/zookeeper.service.keytab"
principal="zookeeper/$HOST";
// such as "zookeeper/[email protected]"
};
{code}
* Add the following to zookeeper-env.sh
{code}
export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"
export SERVER_JVMFLAGS="-Xmx1024m -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_jaas.conf"
{code}
*Yarn*
* Create yarn_jaas.conf
{code}
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="$PATH_TO_RM_KEYTAB"
// such as "/etc/security/keytabs/rm.service.keytab"
principal="rm/$HOST";
// such as "rm/[email protected]"
};
{code}
* Add a new property in yarn-site.xml (assuming principal is rm/_HOST@REALM)
{code}
<property>
<name>yarn.resourcemanager.zk-acl</name>
<value>sasl:rm:rwcda</value>
</property>
{code}
* Add a new YARN_OPTS to yarn-env.sh, and make sure this YARN_OPTS is picked up when the RMs are started
{code}
YARN_OPTS="$YARN_OPTS -Dzookeeper.sasl.client=true \
 -Dzookeeper.sasl.client.username=zookeeper \
 -Djava.security.auth.login.config=/etc/hadoop/conf/yarn_jaas.conf \
 -Dzookeeper.sasl.clientconfig=Client"
{code}
*HDFS*
* In hdfs-site.xml, set the following property to secure the ZooKeeper-based fail-over controller:
{code}
<property>
<name>ha.zookeeper.acl</name>
<value>sasl:nn:rwcda</value>
</property>
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)