Updated on 2022-12-08 GMT+08:00

ZooKeeper Enhanced Open Source Features

Enhanced Log

In security mode, an ephemeral node is deleted as long as the session that created the node expires. Ephemeral node deletion is recorded in audit logs so that ephemeral node status can be obtained.

Usernames must be added to audit logs for all operations performed on ZooKeeper clients.

On the ZooKeeper client, create a znode, of which the Kerberos principal is zkcli/hadoop.<System domain name>@<System domain name>.

For example, open the <ZOO_LOG_DIR>/zookeeper_audit.log file. The file content is as follows:

2016-12-28 14:17:10,505 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test1?result=success 
2016-12-28 14:17:10,530 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test2?result=success 
2016-12-28 14:17:10,550 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test3?result=success 
2016-12-28 14:17:10,570 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test4?result=success 
2016-12-28 14:17:10,592 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test5?result=success 
2016-12-28 14:17:10,613 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test6?result=success 
2016-12-28 14:17:10,633 | INFO  | CommitProcWorkThread-4 | session=0x12000007553b4903?user=10.177.223.78,zkcli/hadoop.hadoop.com@HADOOP.COM?ip=10.177.223.78?operation=create znode?target=ZooKeeperServer?znode=/test7?result=success

The content shows that logs of the ZooKeeper client user zkcli/hadoop.hadoop.com@HADOOP.COM are added to the audit log.

User details in ZooKeeper

In ZooKeeper, different authentication schemes use different credentials as users. Based on the authentication provider requirement, any parameter can be considered as users.

Example:

  • SAMLAuthenticationProvider uses the client principal as a user.
  • X509AuthenticationProvider uses the user client certificate as a user.
  • IAuthenticationProvider uses the client IP address as a user.
  • A username can be obtained from the custom authentication provider by implementing the org.apache.zookeeper.server.auth.ExtAuthenticationProvider.getUserName(String) method. If the method is not implemented, getting the username from the authentication provider instance will be skipped.

Enhanced Open Source Feature: ZooKeeper SSL Communication (Netty Connection)

The ZooKeeper design contains the Nio package and does not support SSL later than version 3.5. To solve this problem, Netty is added to ZooKeeper. Therefore, if you need to use SSL, enable Netty and set the following parameters on the server and client:

The open source server supports only plain text passwords, which may cause security problems. Therefore, such text passwords are no longer used on the server.

  • Client
    1. Set -Dzookeeper.client.secure in the zkCli.sh/zkEnv.sh file to true to use secure communication on the client. Then, the client can connect to the secureClientPort on the server.
    2. Set the following parameters in the zkCli.sh/zkEnv.sh file to configure the client environment:

      Parameter

      Description

      -Dzookeeper.clientCnxnSocket

      Used for Netty communication between clients.

      Default value: org.apache.zookeeper.ClientCnxnSocketNetty

      -Dzookeeper.ssl.keyStore.location

      Indicates the path for storing the keystore file.

      -Dzookeeper.ssl.keyStore.password

      Encrypts a password.

      -Dzookeeper.ssl.trustStore.location

      Indicates the path for storing the truststore file.

      -Dzookeeper.ssl.trustStore.password

      Encrypts a password.

      -Dzookeeper.config.crypt.class

      Decrypts an encrypted password.

      -Dzookeeper.ssl.password.encrypted

      Default value: false

      If the keystore and truststore passwords are encrypted, set this parameter to true.

      -Dzookeeper.ssl.enabled.protocols

      Defines the SSL protocols to be enabled for the SSL context.

      -Dzookeeper.ssl.exclude.cipher.ext

      Defines the list of passwords separated by a comma which should be excluded from the SSL context.

      The preceding parameters must be set in the zkCli.sh/zk.Env.sh file.

  • Server
    1. Set secureClientPort to 3381 in the zoo.cfg file.
    2. Set zookeeper.serverCnxnFactory to org.apache.zookeeper.server.NettyServerCnxnFactory in the zoo.cfg file on the server.
    3. Set the following parameters in the zoo.cfg file (in the zookeeper/conf/zoo.cfg path) to configure the server environment:

      Parameter

      Description

      ssl.keyStore.location

      Path for storing the keystore.jks file

      ssl.keyStore.password

      Encrypts a password.

      ssl.trustStore.location

      Indicates the path for storing the truststore file.

      ssl.trustStore.password

      Encrypts a password.

      config.crypt.class

      Decrypts an encrypted password.

      ssl.keyStore.password.encrypted

      Default value: false

      If this parameter is set to true, the encrypted password can be used.

      ssl.trustStore.password.encrypted

      Default value: false

      If this parameter is set to true, the encrypted password can be used.

      ssl.enabled.protocols

      Defines the SSL protocols to be enabled for the SSL context.

      ssl.exclude.cipher.ext

      Defines the list of passwords separated by a comma which should be excluded from the SSL context.

    4. Start ZKserver and connect the security client to the security port.
  • Credential

    The credential used between client and server in ZooKeeper is X509AuthenticationProvider. This credential is initialized using the server certificates specified and trusted by the following parameters:

    • zookeeper.ssl.keyStore.location
    • zookeeper.ssl.keyStore.password
    • zookeeper.ssl.trustStore.location
    • zookeeper.ssl.trustStore.password

    If you do not want to use default mechanism of ZooKeeper, then it can be configured with different trust mechanisms as needed.