Hi, we're currently running hbase with a secure zookeeper without any issue, so I guess it's supported.

On Fri, Jun 5, 2015 at 10:14 PM, Jon Maron <[email protected]> wrote:

> On Jun 5, 2015, at 4:12 PM, Billie Rinaldi <[email protected]> wrote:
>
> > On Fri, Jun 5, 2015 at 12:58 PM, Steve Loughran <[email protected]>
> > wrote:
> >
> >> ooh, now ZK has interesting and complicated security. I spent more time
> >> writing the kerberos ZK tests for the yarn registry than most of the
> >> registry code itself, from which I came out with
> >> -a fear of kerberos
> >>
> >
> > Kerberophobia?
>
> common and prevalent...
>
> >
> >> -a fear of its error messages
> >> -not enough understanding of how ZK security works.
> >>
> >>> On 5 Jun 2015, at 16:16, Lei Guo <[email protected]> wrote:
> >>>
> >>> We are trying to use Slider to manage HBase in an environment with
> >>> secured zookeeper (Kerberos). Seems there are some issues around both AM
> >>> and agent. For example, the kazoo library embedded does not support
> >>> Kerberos credential.
> >>>
> >>> Just want to confirm that secured Zookeeper is not supported yet.
> >>>
> >>
> >> it should be.
> >>
> >> The registry can be set up to be world readable, and writeable only by the
> >> user who is starting the jobs
> >>
> >> http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/registry/registry-security.html
> >>
> >> if your hadoop installation has YARN-2571 applied, this is done
> >> automatically for you by the RM. I managed to get this into HDP 2.2, but
> >> it's not in ASF Hadoop (one of the few differences)
> >>
> >> without that, there is a way from the command line to give a user
> >> permissions (and only that user).
> >>
> >> Once the registry is setup, the AM will update its path under
> >> /users/${USERNAME} with
> >> -the URL used by the agents to find the AM
> >> -any bindings the applications publish
> >>
> >> There's also a bit of ZK code in the slider client which creates a
> >> zookeeper path for an HBase cluster, under
> >> /services/slider/users/${USERNAME}/${CLUSTERNAME}
> >>
> >> I think that's the bit most likely to break on a secure ZK cluster, unless
> >> you set up /services/slider/users/${USERNAME} to be writeable by that user.
> >>
> >> Does this help? If not, we'll do what we can to get this to work. It
> >> should work on a secure ZK cluster
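
Added example, not part of the thread and not Slider or Hadoop code: a check of the ACL layout described in the quoted message (world readable, writeable only by the user starting the jobs), run over ACL strings in the `scheme:id:perms` form that zkCli's `setAcl` accepts. The user names, the sample ACL strings and the rule that the owner needs create and write are assumptions constructed for illustration.

```python
# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
MODIFY = WRITE | CREATE | DELETE | ADMIN
LETTERS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}


def parse_acl(text):
    """Parse 'scheme:id:perms' entries separated by commas."""
    entries = []
    for item in text.split(","):
        scheme, rest = item.strip().split(":", 1)
        ident, perms = rest.rsplit(":", 1)  # digest ids contain ':' themselves
        bits = 0
        for ch in perms:
            bits |= LETTERS[ch]
        entries.append((scheme, ident, bits))
    return entries


def audit(acl_text, owner):
    """Findings for a znode meant to be world readable, writeable by owner only."""
    findings = []
    owner_bits = 0
    for scheme, ident, bits in parse_acl(acl_text):
        if scheme == "sasl" and ident == owner:
            owner_bits |= bits
        elif bits & MODIFY:
            # Anyone other than the owner holding w/c/d/a breaks the layout.
            findings.append(f"{scheme}:{ident} can modify")
    # Assumption: the owner needs create + write to publish entries under the path.
    if (owner_bits & (CREATE | WRITE)) != (CREATE | WRITE):
        findings.append(f"sasl:{owner} cannot create/write")
    return findings


# Constructed samples for /services/slider/users/alice (user name is hypothetical).
OPEN = "world:anyone:cdrwa"                 # fully open: anyone can modify
LOCKED = "sasl:alice:cdrwa,world:anyone:r"  # layout described in the thread
WRONG_USER = "sasl:bob:cdrwa,world:anyone:r"

if __name__ == "__main__":
    for name, acl in [("open", OPEN), ("locked", LOCKED), ("wrong user", WRONG_USER)]:
        print(name, audit(acl, "alice") or "ok")
```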
