JIRA: KNOX-2315
Release: Apache Knox 1.4.0
Introduction
This blog post demonstrates how to configure Apache ZooKeeper as a remote configuration registry client for Apache Knox, using Kerberos authentication between Knox and ZooKeeper, on a cluster managed by Cloudera Manager.
For details on how to configure ZooKeeper as a remote registry client, see the Apache Knox User's Guide. For details on how to configure the ZooKeeper client with username and password authentication instead, see the blog post Secure ZooKeeper Client in Apache Knox.
What Changed
Before this release, Kerberos authentication for the ZooKeeper remote registry client was broken; KNOX-2315 fixes it. The JIRA also changes the ACLs that Knox sets on the znodes it creates when Kerberos authentication is used for the ZooKeeper client.
The ACL scheme is now `sasl` rather than `auth`, and permissions are granted only to the Knox principal. Previously, the `auth` scheme granted them to every authenticated user, so any principal in the realm that could authenticate to ZooKeeper could read and modify Knox's registry data.
Configuration
You will need to add the following three properties to the Knox gateway-site.xml file, either manually or through Cloudera Manager (CM):
- gateway.remote.config.registry.zookeeper-client
- gateway.remote.config.monitor.client
- gateway.remote.alias.service.config.type
You will also need to enable Kerberos by setting the following property to true:
- gateway.hadoop.kerberos.secured
NOTE: Make sure the krb5.conf and krb5JAASLogin.conf locations are set properly in gateway-site.xml via the following properties; otherwise Knox falls back to the Java system properties of the same name:
- java.security.krb5.conf
- java.security.auth.login.config
Here is an example:
  <property>
    <name>gateway.remote.config.registry.zookeeper-client</name>
    <value>type=ZooKeeper;address=zk-host:2181;authType=Kerberos;principal=knox/zk-host@zk-host;keytab=/run/cloudera-scm-agent/process/1546334182-knox-KNOX_GATEWAY/knox.keytab;useKeyTab=true;useTicketCache=false</value>
    <description>ZooKeeper configuration registry client details.</description>
  </property>
  <property>
    <name>gateway.remote.config.monitor.client</name>
    <value>zookeeper-client</value>
    <description>Remote configuration monitor client name.</description>
  </property>
  <property>
    <name>gateway.remote.alias.service.config.type</name>
    <value>zookeeper</value>
    <description>Monitoring for remote aliases that are added, deleted or updated in ZooKeeper.</description>
  </property>
NOTE: You can add backwardsCompatible=true to the gateway.remote.config.registry.zookeeper-client value to fall back to the ACLs used prior to this fix. That reinstates the `auth` scheme ACLs that every authenticated user can use, so treat it as a temporary measure and remove it once it is no longer needed.
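As an added example (not Knox project code), the following Python script parses a gateway-site.xml, checks that the three properties above and gateway.hadoop.kerberos.secured are present and consistent with each other, validates the Kerberos fields of the registry client string, and flags the backwardsCompatible=true fallback. The sample XML, hostnames, realm and keytab path are constructed for the example; the checks for a realm in the principal and an absolute keytab path are ordinary Kerberos hygiene rather than requirements stated in this post.

```python
"""Sanity-check the Kerberos ZooKeeper remote-registry settings in a Knox gateway-site.xml.

Added example, not Knox project code. Property names follow the post; the XML below is
a constructed sample, and the realm/keytab-path checks are general Kerberos hygiene.
"""
import xml.etree.ElementTree as ET

# Constructed sample gateway-site.xml; hostnames, realm and keytab path are made up.
SAMPLE_GATEWAY_SITE = """\
<configuration>
  <property><name>gateway.hadoop.kerberos.secured</name><value>true</value></property>
  <property>
    <name>gateway.remote.config.registry.zookeeper-client</name>
    <value>type=ZooKeeper;address=zk-host:2181;authType=Kerberos;principal=knox/zk-host@EXAMPLE.COM;keytab=/etc/security/keytabs/knox.keytab;useKeyTab=true;useTicketCache=false</value>
  </property>
  <property><name>gateway.remote.config.monitor.client</name><value>zookeeper-client</value></property>
  <property><name>gateway.remote.alias.service.config.type</name><value>zookeeper</value></property>
</configuration>
"""

REGISTRY_PREFIX = "gateway.remote.config.registry."


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def parse_registry_value(value):
    """Split the 'k=v;k=v' registry client string into a dict.

    Values may themselves contain '=', so split each segment on the first '=' only.
    Empty segments (e.g. from a trailing ';') are ignored; a segment with no '=' is an error.
    """
    entries = {}
    for segment in value.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed registry entry: {segment!r}")
        key, val = segment.split("=", 1)
        entries[key.strip()] = val.strip()
    return entries


def check_kerberos_registry(props):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []

    if props.get("gateway.hadoop.kerberos.secured", "").lower() != "true":
        findings.append("gateway.hadoop.kerberos.secured must be true")

    # The monitor client name must point at a defined registry client property.
    monitor = props.get("gateway.remote.config.monitor.client", "")
    if not monitor:
        findings.append("gateway.remote.config.monitor.client is missing")
    registry_key = REGISTRY_PREFIX + monitor
    if monitor and registry_key not in props:
        findings.append(f"monitor client {monitor!r} has no {registry_key} property")

    if props.get("gateway.remote.alias.service.config.type", "").lower() != "zookeeper":
        findings.append("gateway.remote.alias.service.config.type must be zookeeper")

    if monitor and registry_key in props:
        reg = parse_registry_value(props[registry_key])
        if reg.get("type") != "ZooKeeper":
            findings.append("registry client type must be ZooKeeper")
        if not reg.get("address"):
            findings.append("registry client has no address")
        if reg.get("authType") != "Kerberos":
            findings.append("authType must be Kerberos for a SASL-authenticated client")
        else:
            principal = reg.get("principal", "")
            keytab = reg.get("keytab", "")
            if "@" not in principal:
                findings.append("principal must include a realm (user/host@REALM)")
            if not keytab.startswith("/"):
                findings.append("keytab must be an absolute path")
            if reg.get("useKeyTab", "").lower() != "true":
                findings.append("useKeyTab must be true for a headless gateway login")
            # The post's escape hatch: backwardsCompatible=true reinstates the old
            # 'auth' scheme ACLs, which every authenticated principal can use.
            if reg.get("backwardsCompatible", "").lower() == "true":
                findings.append("backwardsCompatible=true reinstates pre-KNOX-2315 "
                                "'auth' ACLs open to all authenticated users")
    return findings


if __name__ == "__main__":
    for finding in check_kerberos_registry(load_properties(SAMPLE_GATEWAY_SITE)) or ["OK"]:
        print(finding)
```

Run it against a real gateway-site.xml by reading the file into load_properties; an empty findings list means the three properties reference each other correctly and the Kerberos fields are filled in. The script cannot tell you whether the principal and keytab actually work against the KDC, so follow it with a Knox restart and a check of the gateway log for the ZooKeeper SASL login.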