@dlysnichenko After playing with ZK service check for a while, I found that the
solution is to add the following to the JAVA command that executes the ZK
client:
```
-Dzookeeper.sasl.client.username=<principal name>
```
I think the easiest approach is to add this to the `CLIENT_JVMFLAGS` env in
`zookeeper-env/content`.
For example:
```
export CLIENT_JVMFLAGS="$CLIENT_JVMFLAGS
-Djava.security.auth.login.config={{zk_client_jaas_file}}
-Dzookeeper.sasl.client.username={{zk_principal_name}}"
```
The `<principal name>` value is the first component of the ZK principal. If
the ZK principal is "my_zk/[email protected]", then the value
that needs to be set for principal name is "my_zk". Once you do this, you can
view the KDC log and see entries like the following (in the case of an MIT KDC)
during the service check:
```
Aug 30 13:23:53 c7401.ambari.apache.org krb5kdc[14444](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.74.101: ISSUE: authtime 1535635426, etypes {rep=18
tkt=23 ses=18}, [email protected] for
my_zk/[email protected]
```
My guess is that this will help any process that sources
/etc/zookeeper/conf/zookeeper-env.sh before executing the ZK client.
[ Full content available at: https://github.com/apache/ambari/pull/2203 ]
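Added example (not part of the original comment or of Ambari's code): a Python script that derives the `zookeeper.sasl.client.username` value from the ZK principal and checks MIT KDC log lines for the TGS_REQ entry described above. The realm `EXAMPLE.COM`, the client `testuser`, and the `UNKNOWN_SERVER` and `AS_REQ` lines are constructed sample data.

```python
import re

# MIT krb5kdc line: "TGS_REQ (<etypes>) <ip>: <STATUS>: authtime <n>,
#   [etypes {...},] <client> for <service>[, <error text>]"
TGS_RE = re.compile(
    r"TGS_REQ \([^)]*\) (?P<ip>\S+): (?P<status>\w+): authtime \d+,"
    r"(?: etypes \{[^}]*\},)?\s+(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def sasl_client_username(principal):
    """First component of a Kerberos principal: my_zk/host@REALM -> my_zk."""
    name = principal.rsplit("@", 1)[0]   # drop the realm, if present
    return name.split("/", 1)[0]         # drop the instance (host) part

def check_service_tickets(log_lines, zk_principal):
    """Return (issued, other): TGS_REQ entries issued for the ZK primary,
    and every other TGS_REQ outcome (failures, other services)."""
    primary = sasl_client_username(zk_principal)
    issued, other = [], []
    for line in log_lines:
        m = TGS_RE.search(line)
        if not m:
            continue                     # not a TGS_REQ entry (e.g. AS_REQ)
        hit = (m["status"], m["client"], m["service"])
        ok = (m["status"] == "ISSUE"
              and sasl_client_username(m["service"]) == primary)
        (issued if ok else other).append(hit)
    return issued, other

# Constructed sample log (placeholder realm and client, not taken from the page).
PREFIX = "Aug 30 13:23:53 c7401.ambari.apache.org krb5kdc[14444](info): "
HOST = "c7401.ambari.apache.org@EXAMPLE.COM"
SAMPLE_LOG = [
    PREFIX + "AS_REQ (4 etypes {18 17 16 23}) 192.168.74.101: ISSUE: authtime "
    "1535635426, etypes {rep=18 tkt=18 ses=18}, testuser@EXAMPLE.COM for "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    # Request for the client's default primary "zookeeper" (property not set).
    PREFIX + "TGS_REQ (4 etypes {18 17 16 23}) 192.168.74.101: UNKNOWN_SERVER: "
    "authtime 0,  testuser@EXAMPLE.COM for zookeeper/" + HOST
    + ", Server not found in Kerberos database",
    PREFIX + "TGS_REQ (4 etypes {18 17 16 23}) 192.168.74.101: ISSUE: authtime "
    "1535635426, etypes {rep=18 tkt=23 ses=18}, testuser@EXAMPLE.COM for "
    "my_zk/" + HOST,
]

if __name__ == "__main__":
    issued, other = check_service_tickets(SAMPLE_LOG, "my_zk/" + HOST)
    print("issued for ZK primary:", issued)
    print("other TGS_REQ outcomes:", other)
```

An empty `issued` list after a service check, with requests for a different primary in `other`, indicates the client is not using the configured principal name.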