@dlysnichenko After playing with ZK service check for a while, I found that the solution is to add the following to the JAVA command that executes the ZK client:
``` -Dzookeeper.sasl.client.username=<principal name> ``` I think the easiest approach is to add this to the `CLIENT_JVMFLAGS` env in `zookeeper-env/content`. The `<principal name>' value is the first component of the ZK principal. If the ZK principal is "my_zk/[email protected]", then the value that needs to be set for principal name is "my_zk". Once you do this, you can view the KDC log and see entries like (in the case of an MIT KDC) during the service check. ``` Aug 30 13:23:53 c7401.ambari.apache.org krb5kdc[14444](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.74.101: ISSUE: authtime 1535635426, etypes {rep=18 tkt=23 ses=18}, [email protected] for my_zk/[email protected] ``` My guess is that this will help any process that sources /etc/zookeeper/conf/zookeeper-env.sh before executing the ZK client. [ Full content available at: https://github.com/apache/ambari/pull/2203 ] This message was relayed via gitbox.apache.org for [email protected]
