The current handling of zookeeper.security.auth_to_local in KerberosName.java
only supports rules given directly as the property value.

These rules must therefore be given on the command line and:
 - must be escaped properly to avoid shell expansion
 - are visible in the ps output

It would be much better to put these rules in a file and pass the file path as
the property value. We would then use something like:

 | -Dzookeeper.security.auth_to_local=file:/etc/zookeeper/rules

Note that using the file: prefix allows keeping backward compatibility.

I've created https://issues.apache.org/jira/browse/ZOOKEEPER-2843 and attached
a patch to add this functionality.

Would it be possible to get this in 3.4.11?

Cheers,

Lionel
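An added example (not part of the message above, and not the patch attached to ZOOKEEPER-2843) of how a `file:` prefix can be resolved while inline rules keep working. The class name, the `resolve` helper, the permission check, and the sample rules are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

public class AuthToLocalRules {
    static final String PROP = "zookeeper.security.auth_to_local";
    static final String FILE_PREFIX = "file:";

    // Hypothetical helper: returns the rule text for a property value.
    static String resolve(String value) throws IOException {
        // Inline rules start with RULE: or DEFAULT, never with file:,
        // so existing values keep their meaning.
        if (!value.startsWith(FILE_PREFIX)) {
            return value;
        }
        Path path = Paths.get(value.substring(FILE_PREFIX.length()));
        // Added hardening (assumes a POSIX file system): the rules decide which
        // local name a principal maps to, so reject a file others can modify.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException(path + " is writable by group or others");
        }
        return new String(Files.readAllBytes(path), StandardCharsets.UTF_8).trim();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample rules; note the $ and parentheses that would
        // need escaping on a shell command line.
        String rules = "RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT\n";
        Path file = Files.createTempFile("auth_to_local", ".rules");
        Files.write(file, rules.getBytes(StandardCharsets.UTF_8));

        // New form: only the path appears in the process arguments.
        System.out.println(resolve(FILE_PREFIX + file));
        // Legacy form: the value is the rule text itself.
        System.out.println(resolve("DEFAULT"));
        // Value as the JVM would see it (fallback here is this sketch's choice).
        System.out.println(resolve(System.getProperty(PROP, "DEFAULT")));
        Files.delete(file);
    }
}
```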
