Hi Irfan,

Your description sounds right to me. I'd add that you can check that your client watcher is getting a SaslConnected event.

There is some more information here in the case you haven't seen this page:

https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL

-Flavio

> On 29 Jan 2016, at 14:51, Irfan Hamid <[email protected]> wrote:
>
> Hi,
>
> We're trying to set up ZooKeeper with Kerberos authentication in our setup.
> The documentation about setting this up is a bit complicated. The steps for
> the ZooKeeper quorum servers are quite clear:
>
> *ZooKeeper quorum servers*
> 1. Create zookeeper service principals as described here
> <http://www.cloudera.com/documentation/archive/cdh/4-x/4-2-0/CDH4-Security-Guide/cdh4sg_topic_11_1.html>.
> I am creating them as zookeeper/[email protected]
> 2. Copy the keytab files created in (1) to the respective ZooKeeper quorum
> servers and place it in the ZooKeeper conf directory
> 3. Add the configs indicated to the zoo.cfg file
> 4. Add a jaas.conf file (and point to it as part of the jvm params) as
> indicated
>
> *ZooKeeper client side*
> This part is throwing me for a loop. We are using the basic ZooKeeper API
> (not Curator) in our client side code and creating connections using the
> vanilla new ZooKeeper(cxnString, ...) constructor. The only documentation
> on how to set this up I could find is here
> <http://www.cloudera.com/documentation/archive/cdh/4-x/4-3-0/CDH4-Security-Guide/cdh4sg_topic_11_2.html>.
> I was wondering if the linked steps would work for my use-case or if these
> are for a specific Cloudera ZooKeeper client tool?
>
> 1. Create zookeeper client principals using [email protected] (the client's
> FQDN isn't needed here?)
> 2. Copy the keytab file to the machine running our client app
> 3. Make the necessary modifications to jaas.conf
> 4. Run our client app with the JVM param pointing to the jaas.conf file
> from (2)
>
> Is my understanding correct or are these steps only for the Cloudera client
> shell?
>
> Regards,
> Irfan.
