Bibek

Bibek

Zookeeper Security

1 minute read

The metadata stored in ZooKeeper is such that only brokers will be able to modify the corresponding znodes, but znodes are world readable.

The rationale behind this decision is that the data stored in ZooKeeper is not sensitive, but inappropriate manipulation of znodes can cause cluster disruption. We also recommend limiting the access to ZooKeeper via network segmentation (only brokers and some admin tools need access to ZooKeeper if the new consumer and new producer are used).

Create keytabs for Zookeeper

Refer SASL_Kerberos for more details.

sudo kadmin.local

kadmin: addprinc -randkey zookeeper/nn1.ekbana.com@EKBANA.COM
kadmin: addprinc -randkey zookeeper/nn2.ekbana.com@EKBANA.COM
kadmin: addprinc -randkey zookeeper/dn1.ekbana.com@EKBANA.COM

kadmin: xst -norandkey -k /etc/security/keytabs/zookeeper.keytab zookeeper/nn1.ekbana.com zookeeper/nn2.ekbana.com zookeeper/dn1.ekbana.com

Create a jaas file for Authentication

Zookeeper Server for node: nn1 (zkServer.conf)
Server {
	com.sun.security.auth.module.Krb5LoginModule required
	useKeyTab=true
	useTicketCache=false
	storeKey=true
	keyTab="/etc/security/keytabs/zookeeper.keytab"
	principal="zookeeper/nn1.ekbana.com@EKBANA.COM";
};
Zookeeper Server for node: dn1 (zkServer.conf)
// Zookeeper server authentication
Server {
	com.sun.security.auth.module.Krb5LoginModule required
	useKeyTab=true
	useTicketCache=false
	storeKey=true
	keyTab="/etc/security/keytabs/zookeeper.keytab"
	principal="zookeeper/dn1.ekbana.com@EKBANA.COM";
};
Zookeeper client for node: nn1 (client.conf)

It will be used to connect kafka brokers

// ZooKeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka.keytab"
    principal="kafka/nn1.ekbana.com@EKBANA.COM";
};
Zookeeper client for node: dn1 (client.conf)

It will be used to connect kafka brokers

// ZooKeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka.keytab"
    principal="kafka/dn1.ekbana.com@EKBANA.COM";
};

Configure (zoo.cfg)

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true

Configure (java.env)

SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/security/conf/zkServer.conf"
CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/etc/security/conf/client.conf"

Start Zookeeper

/usr/share/zookeeper/bin/zkServer.sh start

You May Also Enjoy

Introduction to Autoencoder

7 minute read

Autoencoder Difference between generative and discriminative modelling Generative modelling Generative modelling is a statistical modeling technique that ...

Semantic Segmentation using U-Net

3 minute read

U-Net U-Net is a U-shaped encoder-decoder network architecture, which consists of four encoder blocks and four decoder blocks that are connected via bridge...

Ramer–Douglas–Peucker algorithm

2 minute read

The Problem When we were working on a satellite image of one of the local area of Nepal, we had to simplify the obtained mask to feed into the GIS system. I...

Replication & Consistency in Cassandra

9 minute read

Before we start with the consistency, replication and read-write operation in Cassandra, let’s first familiarize ourselves with what Cassandra is and its arc...