> On Jun 5, 2015, at 4:12 PM, Billie Rinaldi <[email protected]> wrote:
> 
> On Fri, Jun 5, 2015 at 12:58 PM, Steve Loughran <[email protected]>
> wrote:
> 
>> ooh, now ZK has interesting and complicated security. I spent more time
>> writing the kerberos ZK tests for the yarn registry than most of the
>> registry code itself, from which I came out with
>> -a fear of kerberos
>> 
> 
> Kerberophobia?

common and prevalent...

> 
> 
>> -a fear of its error messages
>> -not enough understanding of how ZK security works.
>> 
>> 
>> 
>>> On 5 Jun 2015, at 16:16, Lei Guo <[email protected]> wrote:
>>> 
>>> We are trying to use Slider to manage HBase in an environment with
>>> secured zookeeper (Kerberos). Seems there are some issues around both AM
>>> and agent. For example, the kazoo library embedded does not support
>>> Kerberos credential.
>> 
>> 
>> 
>>> 
>>> Just want to confirm that secured Zookeeper is not supported yet.
>>> 
>> 
>> it should be.
>> 
>> The registry can be set up to be world readable, and writeable only by the
>> user who is starting the jobs
>> 
>> http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html
>> 
>> if your hadoop installation has YARN-2571 applied, this is done
>> automatically for you by the RM. I managed to get this into HDP 2.2, but
>> it's not in ASF Hadoop (one of the few differences)
>> 
>> without that, there is a way from the command line to give a user
>> permissions (and only that user).
>> 
>> Once the registry is set up, the AM will update its path under
>> /users/${USERNAME} with
>> -the URL used by the agents to find the AM
>> -any bindings the applications publish
>> 
>> There's also a bit of ZK code in the slider client which creates a
>> zookeeper path for an HBase cluster, under
>> /services/slider/users/${USERNAME}/${CLUSTERNAME}
>> 
>> I think that's the bit most likely to break on a secure ZK cluster, unless
>> you set up /services/slider/users/${USERNAME} to be writeable by that user.
>> 
>> Does this help? If not, we'll do what we can to get this to work. It
>> should work on a secure ZK cluster
>> 
>> 
