FusionInsight HD 6.5.0 Product Description 02

ZooKeeper

Enhanced Log

In security mode, ephemeral nodes are deleted when their session expires. This information is therefore added to the audit log to help understand ephemeral node status.

The user name is added to the audit log for all ZooKeeper client operations.

For example, create znodes from a ZooKeeper client whose Kerberos principal is zkcli/hadoop.hadoop.com@HADOOP.COM, then open <ZOO_LOG_DIR>/zookeeper_audit.log:

2016-12-28 14:17:10,505 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test1?result=success 
2016-12-28 14:17:10,530 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test2?result=success 
2016-12-28 14:17:10,550 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test3?result=success 
2016-12-28 14:17:10,570 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test4?result=success 
2016-12-28 14:17:10,592 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test5?result=success 
2016-12-28 14:17:10,613 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test6?result=success 
2016-12-28 14:17:10,633 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test7?result=success

This output shows that the ZooKeeper client user zkcli/hadoop.hadoop.com@HADOOP.COM is recorded in the audit log, together with the session ID, client IP, operation, target znode and result.
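Because every entry carries the session, the client IP, the authenticated user and the result, the audit log can be checked mechanically rather than read by eye. The following is an added example, not Huawei or Apache ZooKeeper code: a parser for the line layout shown above, plus three checks a practitioner would run over it (a non-successful result, an operation by a principal outside an allow-list, and a write under a protected path). The sample log is constructed here: its first two lines copy the layout above, the last two are made up to trigger the checks. The "?" field separator is taken as the page renders it (a tab is accepted as well, on the assumption that the real separator is a non-printable character); the "delete znode" operation name and the "failure" result value are assumptions by analogy with "create znode" and "success".

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 follow the layout shown on this page; lines 3-4 are made up
# here to exercise the checks (a delete by an unexpected principal, then a failed create).
SAMPLE_LOG = """\
2016-12-28 14:17:10,505 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test1?result=success
2016-12-28 14:17:10,530 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test2?result=success
2016-12-28 14:18:02,101 | INFO  | CommitProcWorkThread-2 | session=0x12000007553b4977?user=10.177.223.90,intruder/host@HADOOP.COM?ip=10.177.223.90?operation=delete znode?target=ZooKeeperServer?znode=/test1?result=success
2016-12-28 14:18:05,222 | INFO  | CommitProcWorkThread-2 | session=0x12000007553b4977?user=10.177.223.90,intruder/host@HADOOP.COM?ip=10.177.223.90?operation=create znode?target=ZooKeeperServer?znode=/hadoop-ha/lock?result=failure
"""

# Line layout: "<timestamp> | <level> | <thread> | key=value<sep>key=value..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s*\|\s*"
    r"(?P<level>\w+)\s*\|\s*(?P<thread>[^|]+?)\s*\|\s*(?P<fields>.+?)\s*$"
)
# The page renders the field separator as "?"; a tab is accepted too (assumption: the real
# separator is a non-printable character the page could not render).
FIELD_SEP = re.compile(r"[\t?]")

# "create znode" is the operation name shown on the page; "delete znode" is assumed by analogy.
WRITE_OPS = {"create znode", "delete znode"}


def parse_audit_line(line):
    """Parse one audit line into a dict; return None for lines that are not audit events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = {"ts": m.group("ts"), "thread": m.group("thread")}
    for field in FIELD_SEP.split(m.group("fields")):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    # The user field carries one identity per authentication provider, comma separated:
    # here the client IP (IPAuthenticationProvider) and the Kerberos principal
    # (SASLAuthenticationProvider). Attribute the event to the principal when present.
    identities = [u for u in event.get("user", "").split(",") if u]
    event["identities"] = identities
    event["principal"] = next((u for u in identities if "@" in u),
                              identities[-1] if identities else "")
    return event


def audit_findings(log_text, allowed_principals, protected_prefixes=("/hadoop-ha",)):
    """Return (Counter keyed by (principal, operation), list of finding dicts) for a log text."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        principal, op, znode = ev["principal"], ev.get("operation", ""), ev.get("znode", "")
        counts[(principal, op)] += 1
        if ev.get("result") != "success":
            findings.append({"rule": "failed_operation", **ev})
        if principal not in allowed_principals:
            findings.append({"rule": "unexpected_principal", **ev})
        if op in WRITE_OPS and znode.startswith(protected_prefixes):
            findings.append({"rule": "protected_path_write", **ev})
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit_findings(SAMPLE_LOG, {"zkcli/hadoop.hadoop.com@HADOOP.COM"})
    for (principal, op), n in sorted(counts.items()):
        print(f"{n:4d}  {principal}  {op}")
    for f in findings:
        print(f"{f['rule']:22s} {f['ts']} {f['principal']} {f.get('operation')} {f.get('znode')} -> {f.get('result')}")
```

Run against the constructed sample, the two page lines produce no findings, the constructed delete is flagged once (unexpected principal), and the constructed failed create is flagged three times (failed operation, unexpected principal, write under /hadoop-ha). The allow-list and the protected prefixes are inputs, so the same parser can feed an alert rule in a SIEM.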

User Details in ZooKeeper:

In ZooKeeper, different authentication schemes use different credentials as the user identity. Depending on the authentication provider, any parameter it authenticates can serve as the user.

For Example:

  • SASLAuthenticationProvider uses the client's SASL (Kerberos) principal as the user.
  • X509AuthenticationProvider uses the client certificate as the user.
  • IPAuthenticationProvider uses the client IP address as the user.
  • A custom authentication provider implements the org.apache.zookeeper.server.auth.ExtAuthenticationProvider.getUserName(String) method to return the user name. If it is not implemented, obtaining the user name from that provider instance is skipped.

ZooKeeper SSL Communication (Netty Connector)

ZooKeeper was originally built on the Java NIO package, which has no good support for SSL. Starting from version 3.5, Netty has been added to solve this problem. To use SSL, enable Netty and set the parameters listed below on both the server and client sides.

In the open-source version, only plaintext keystore and truststore passwords are supported on the server side, which can be a security issue. To address this concern, encrypted (non-plaintext) passwords are now used on the server side.

  • Client
    1. Set the parameter -Dzookeeper.client.secure to true in zkCli.sh/zkEnv.sh to use secure communication on the client. The client can then connect to the server's secureClientPort.
    2. Set up the client environment by setting the following properties in zkCli.sh/zkEnv.sh:

       • -Dzookeeper.clientCnxnSocket: Client connection socket class; it must be the Netty implementation for SSL communication. Default value: "org.apache.zookeeper.ClientCnxnSocketNetty".
       • -Dzookeeper.ssl.keyStore.location: Path to your keystore file.
       • -Dzookeeper.ssl.keyStore.password: Keystore password (encrypted if -Dzookeeper.ssl.password.encrypted is true).
       • -Dzookeeper.ssl.trustStore.location: Path to your truststore file.
       • -Dzookeeper.ssl.trustStore.password: Truststore password (encrypted if -Dzookeeper.ssl.password.encrypted is true).
       • -Dzookeeper.config.crypt.class: Crypto class used to decrypt the encrypted passwords.
       • -Dzookeeper.ssl.password.encrypted: Set it to true if the keystore and truststore passwords are encrypted. Default value: false.
       • -Dzookeeper.ssl.enabled.protocols: SSL/TLS protocols to enable for the SSL context.
       • -Dzookeeper.ssl.exclude.cipher.ext: Comma-separated list of cipher suites to exclude from the SSL context.

NOTE:

All of the properties above must be set in zkCli.sh/zkEnv.sh.

  • Server
    1. Set the SSL listening port parameter secureClientPort to 3381 in zoo.cfg.
    2. To use the Netty server, set the parameter zookeeper.serverCnxnFactory to "org.apache.zookeeper.server.NettyServerCnxnFactory" in zoo.cfg on the server side.
    3. Set up the server environment by setting the following properties in zoo.cfg (zookeeper/conf/zoo.cfg):

       • ssl.keyStore.location: Path to your keystore.jks file.
       • ssl.keyStore.password: Keystore password (encrypted if ssl.keyStore.password.encrypted is true).
       • ssl.trustStore.location: Path to your truststore file.
       • ssl.trustStore.password: Truststore password (encrypted if ssl.trustStore.password.encrypted is true).
       • config.crypt.class: Crypto class used to decrypt the encrypted passwords.
       • ssl.keyStore.password.encrypted: Set it to true to use an encrypted keystore password. Default value: false.
       • ssl.trustStore.password.encrypted: Set it to true to use an encrypted truststore password. Default value: false.
       • ssl.enabled.protocols: SSL/TLS protocols to enable for the SSL context.
       • ssl.exclude.cipher.ext: Comma-separated list of cipher suites to exclude from the SSL context.

    4. Start the ZooKeeper server, then connect the secure client to the secure port.
  • Authentication

    Authentication between client and server in ZooKeeper is performed by X509AuthenticationProvider. It is initialized with the server certificate and the trusted client certificates specified by the following properties:

    • zookeeper.ssl.keyStore.location
    • zookeeper.ssl.keyStore.password
    • zookeeper.ssl.trustStore.location
    • zookeeper.ssl.trustStore.password
NOTE:

If you do not want to use ZooKeeper's default mechanism, a different trust mechanism of your choice can be configured instead.
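The server settings above are easy to get wrong in exactly the direction the page warns about: a plaintext keystore password left in zoo.cfg with the .encrypted flag still at its default of false, or an obsolete protocol left in ssl.enabled.protocols. The following is an added example, not Huawei or Apache ZooKeeper code: a small checker that parses zoo.cfg and reports those weaknesses, run against a constructed weak configuration and a corrected one. The crypt class name com.example.ZkPasswordCrypt, the file paths and the password ciphertext are placeholders; the set of protocols treated as weak and the cipher suites excluded in the corrected file are the example's own choices, not values from this page.

```python
# Added example (not Huawei or Apache ZooKeeper code): audit the server-side SSL
# properties listed above in a zoo.cfg for the weak settings a reviewer looks for.

NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
# Protocols treated as weak: an assumption of this example, not a list from the page.
WEAK_PROTOCOLS = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")

# Constructed weak configuration: Netty and secureClientPort are set, but both store
# passwords are plaintext (encrypted flags left at the default false) and TLS 1.0/1.1 are enabled.
WEAK_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
secureClientPort=3381
zookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/opt/zookeeper/conf/keystore.jks
ssl.keyStore.password=changeit
ssl.trustStore.location=/opt/zookeeper/conf/truststore.jks
ssl.trustStore.password=changeit
ssl.enabled.protocols=TLSv1,TLSv1.1,TLSv1.2
"""

# Constructed corrected configuration. The ciphertext values, the crypt class name
# (com.example.ZkPasswordCrypt) and the excluded cipher suites are placeholders.
HARDENED_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
secureClientPort=3381
zookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/opt/zookeeper/conf/keystore.jks
# ciphertext produced by the crypt class (placeholder)
ssl.keyStore.password=AAECAwQFBgcICQoLDA0ODw==
ssl.keyStore.password.encrypted=true
ssl.trustStore.location=/opt/zookeeper/conf/truststore.jks
ssl.trustStore.password=EBESExQVFhcYGRobHB0eHw==
ssl.trustStore.password.encrypted=true
config.crypt.class=com.example.ZkPasswordCrypt
ssl.enabled.protocols=TLSv1.2
ssl.exclude.cipher.ext=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""


def parse_zoo_cfg(text):
    """Parse zoo.cfg (Java properties style key=value lines, '#' comments) into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def _is_true(cfg, key):
    return cfg.get(key, "false").strip().lower() == "true"


def check_ssl_config(cfg):
    """Return a list of issue codes for the SSL-related keys; an empty list means no finding."""
    issues = []
    if "secureClientPort" not in cfg:
        issues.append("no_secureClientPort")
    if cfg.get("zookeeper.serverCnxnFactory") != NETTY_FACTORY:
        issues.append("not_netty_factory")
    for store in ("keyStore", "trustStore"):
        if f"ssl.{store}.location" not in cfg:
            issues.append(f"missing_{store}_location")
        # A password present without the matching .encrypted=true is a plaintext secret in zoo.cfg.
        if f"ssl.{store}.password" in cfg and not _is_true(cfg, f"ssl.{store}.password.encrypted"):
            issues.append(f"plaintext_{store}_password")
    any_encrypted = any(_is_true(cfg, f"ssl.{s}.password.encrypted") for s in ("keyStore", "trustStore"))
    if any_encrypted and "config.crypt.class" not in cfg:
        issues.append("encrypted_password_without_crypt_class")
    protocols = [p.strip() for p in cfg.get("ssl.enabled.protocols", "").split(",") if p.strip()]
    weak = [p for p in protocols if p in WEAK_PROTOCOLS]
    if not protocols:
        issues.append("no_enabled_protocols_set")
    elif weak:
        issues.append("weak_protocols:" + ",".join(weak))
    return issues


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, check_ssl_config(parse_zoo_cfg(text)) or "OK")
```

On the constructed weak file the checker reports the two plaintext store passwords and the TLSv1/TLSv1.1 entries; the corrected file passes. The same keys, prefixed with -Dzookeeper., are what the client needs in zkEnv.sh, so the checker can be pointed at the client side by mapping the names.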

Updated: 2019-05-17

Document ID: EDOC1100074548