Updated on 2023-08-31 GMT+08:00

Authentication for Accessing Multiple ZooKeepers

Scenario

To avoid ZooKeeper authentication conflicts when a client process accesses a FusionInsight ZooKeeper and a third-party ZooKeeper at the same time, sample code is provided for the HBase client to access the FusionInsight ZooKeeper and for customer applications to access the third-party ZooKeeper.

Prerequisites

You have obtained the configuration file and authentication file required for running the sample project. For details, see Preparing the Configuration Files for Connecting to the Cluster.

Sample Configuration

The following lists the authentication configuration files in the src/main/resources directory.

  • zoo.cfg
    # [1] The configuration in jaas.conf used to connect to the FI ZooKeeper.
    zookeeper.sasl.clientconfig=Client_new
    # [2] Principal of the FI ZooKeeper server side.
    zookeeper.server.principal=zookeeper/hadoop.hadoop.com
    # [3] Set to true if the FI cluster is in security mode.
    # The other two parameters do not take effect if the value is false.
    zookeeper.sasl.client=true

    [1] zookeeper.sasl.clientconfig: specifies the configuration in the jaas.conf file used for accessing FusionInsight ZooKeeper.

    [2] zookeeper.server.principal: specifies the principal used by the ZooKeeper server. The format is zookeeper/hadoop.<system domain name>, for example, zookeeper/hadoop.HADOOP.COM. To obtain the system domain name, log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust, and view the value of Local Domain.

    [3] zookeeper.sasl.client: If the MRS cluster runs in security mode, set this parameter to true. Otherwise, set it to false. If this parameter is set to false, the zookeeper.sasl.clientconfig and zookeeper.server.principal parameters do not take effect.

  • jaas.conf
    Client_new {  // [4]
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="D:\\work\\sample_project\\src\\hbase-examples\\hbase-zk-example\\target\\classes\\conf\\user.keytab"  // [5]
      principal="hbaseuser1"
      useTicketCache=false
      storeKey=true
      debug=true;
    };
    Client {  // [6]
      org.apache.zookeeper.server.auth.DigestLoginModule required
      username="bob"
      password="xxxxxx";
    };

    [4] Client_new: the section that the zoo.cfg file selects through zookeeper.sasl.clientconfig. If you change this name, change the corresponding configuration in the zoo.cfg file to match.

    [5] keyTab: specifies the path of the user.keytab file used by the project on the host where the sample is run. Use an absolute path so that the file can be located reliably. Use \\ as the path separator in Windows and / in Linux.

    [6] Client: the configuration used to access the third-party ZooKeeper. The authentication settings it needs depend on the third-party ZooKeeper version.
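
The dependencies in notes [1] to [6] can be checked before the client starts. The following Python script is an added example, not part of the sample project. Its function names, the sample keytab path, and the rule that the FusionInsight section must use Krb5LoginModule are assumptions made for illustration.

```python
import re

def parse_properties(text):
    """Parse zoo.cfg key=value lines, skipping blank lines and # comments."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def jaas_sections(text):
    """Map each 'Name { ... };' entry of jaas.conf to its body, comments removed."""
    text = re.sub(r"/\*.*?\*/|(?:^|\s)//[^\n]*", " ", text, flags=re.S | re.M)
    return {m[1]: m[2] for m in re.finditer(r"(\w+)\s*\{(.*?)\}\s*;", text, re.S)}

def check(zoo_cfg, jaas_conf):
    """Return findings for the zoo.cfg/jaas.conf pair; [] means consistent."""
    props, sections = parse_properties(zoo_cfg), jaas_sections(jaas_conf)
    if props.get("zookeeper.sasl.client", "").lower() == "false":
        return []  # per the page, the other two parameters do not take effect
    findings = []
    name = props.get("zookeeper.sasl.clientconfig", "")
    body = sections.get(name)
    if name == "Client":  # the section the page uses for the third-party ZooKeeper
        findings.append("clientconfig 'Client' conflicts with the third-party section")
    elif body is None:
        findings.append(f"jaas.conf has no section named {name!r}")
    else:
        if "Krb5LoginModule" not in body:  # assumption: FusionInsight side uses Kerberos
            findings.append(f"section {name!r} does not use Krb5LoginModule")
        keytab = re.search(r'keyTab\s*=\s*"([^"]*)"', body)
        if keytab and not re.match(r"[A-Za-z]:\\\\|/", keytab[1]):
            findings.append(f"keyTab {keytab[1]!r} is not written as an absolute path")
    principal = props.get("zookeeper.server.principal", "")
    if not re.fullmatch(r"zookeeper/hadoop\.[\w.-]+", principal):
        findings.append(f"server principal {principal!r} is not zookeeper/hadoop.<domain>")
    return findings

# Constructed sample files that mirror the page's layout (path and names are examples).
ZOO_CFG = """zookeeper.sasl.clientconfig=Client_new
zookeeper.server.principal=zookeeper/hadoop.hadoop.com
zookeeper.sasl.client=true"""
JAAS_CONF = """Client_new {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="/opt/client/conf/user.keytab" principal="hbaseuser1";
};
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="bob" password="xxxxxx";
};"""
if __name__ == "__main__":
    print(check(ZOO_CFG, JAAS_CONF) or "consistent")
```

An empty result means the section named in zoo.cfg exists in jaas.conf and is distinct from the third-party Client section.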