Ooh, now ZK has interesting and complicated security. I spent more time writing 
the Kerberos ZK tests for the YARN registry than most of the registry code 
itself, from which I came out with
- a fear of Kerberos
- a fear of its error messages
- not enough understanding of how ZK security works.



> On 5 Jun 2015, at 16:16, Lei Guo <[email protected]> wrote:
> 
> We are trying to use Slider to manage HBase in an environment with secured 
> zookeeper (Kerberos). Seems there are some issues around both AM and agent. 
> For example, the kazoo library embedded does not support Kerberos credential.
> 
> Just want to confirm that secured Zookeeper is not supported yet.
> 

It should be.

The registry can be set up to be world readable, and writeable only by the user 
who is starting the jobs
http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html

If your Hadoop installation has YARN-2571 applied, this is done automatically 
for you by the RM. I managed to get this into HDP 2.2, but it's not in ASF 
Hadoop (one of the few differences)

Without that, there is a way from the command line to give a user permissions 
(and only that user).

Once the registry is set up, the AM will update its path under 
/users/${USERNAME} with 
 - the URL used by the agents to find the AM
 - any bindings the applications publish

There's also a bit of ZK code in the slider client which creates a zookeeper 
path for an HBase cluster, under
 /services/slider/users/${USERNAME}/${CLUSTERNAME}

I think that's the bit most likely to break on a secure ZK cluster, unless you 
set up /services/slider/users/${USERNAME} to be writeable by that user.

Does this help? If not, we'll do what we can to get this to work. It should 
work on a secure ZK cluster.
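
An added example, not part of the original message or of Slider's own code: a Python check of whether a znode ACL matches the layout described above (world readable, writable only by the job's user). The `parse_acl`, `short_name` and `audit` helpers and the sample ACL strings in ZooKeeper's `scheme:id:perms` text form are constructed for illustration, and the rule that maps a SASL principal to a short user name is an assumption.

```python
# Added example: audit a znode ACL against "world readable, writable only by the user".
# ACL entries use ZooKeeper's scheme:id:perms text form; all sample values are constructed.

PERMS = set("cdrwa")  # create, delete, read, write, admin


def parse_acl(entry):
    """Split 'scheme:id:perms'; the id itself may contain ':' (digest scheme)."""
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    if not perms or set(perms) - PERMS:
        raise ValueError(f"bad permission string in {entry!r}")
    return scheme, ident, set(perms)


def short_name(principal):
    """Assumption: map 'user/host@REALM' to 'user' by dropping host and realm."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def audit(acl_entries, username):
    """Return a list of findings; an empty list means the ACL matches the layout."""
    findings = []
    owner_perms = set()
    for entry in acl_entries:
        scheme, ident, perms = parse_acl(entry)
        extra = "".join(sorted(perms - {"r"}))
        if scheme == "world":
            if extra:
                findings.append(f"world:{ident} has more than read: {extra}")
        elif scheme == "sasl" and short_name(ident) == username:
            owner_perms |= perms
        elif extra:
            # Any other identity that can modify the path is reported for review.
            findings.append(f"{scheme}:{ident} can modify the path: {extra}")
    # Creating ${CLUSTERNAME} under the path needs CREATE on the parent, not just WRITE.
    for needed, why in (("c", "create child znodes"), ("w", "set data")):
        if needed not in owner_perms:
            findings.append(f"sasl user {username} cannot {why} (missing '{needed}')")
    return findings


if __name__ == "__main__":
    # Constructed sample ACL for /services/slider/users/hbase
    sample = ["world:anyone:r", "sasl:hbase@EXAMPLE.COM:rw"]
    for finding in audit(sample, "hbase"):
        print(finding)
```

The second finding type matters for the `${CLUSTERNAME}` path: in ZooKeeper, creating a child znode requires CREATE on the parent, so an ACL that grants the user only `rw` still fails at that step.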
