Updated on 2024-08-12 GMT+08:00

Authentication for Accessing Multiple ZooKeepers

Scenario

To avoid ZooKeeper authentication conflicts when a client process accesses a FusionInsight ZooKeeper and a third-party ZooKeeper at the same time, sample code is provided for the HBase client to access the FusionInsight ZooKeeper and for customer applications to access the third-party ZooKeeper.

Prerequisites

You have obtained the configuration file and authentication file required for running the sample project. For details, see Preparing the Configuration Files for Connecting to the Cluster.

Sample Configuration

The following lists the authentication configuration files in the src/main/resources directory.

  • zoo.cfg
    # The configuration in jaas.conf used to connect fi 
    zookeeper.zookeeper.sasl.clientconfig=Client_new[1]
    # Principal of fi zookeeper server side.
    zookeeper.server.principal=zookeeper/hadoop.hadoop.com[2]
    # Set true if the fi cluster is security mode.
    # The other two parameters do not take effect if the value is false.
    zookeeper.sasl.client=true[3]

    [1] zookeeper.sasl.clientconfig: specifies the configuration in the jaas.conf file used for accessing FusionInsight ZooKeeper.

    [2] zookeeper.server.principal: specifies the principal used by the ZooKeeper server. The format is zookeeper/hadoop.System domain name, for example, zookeeper/hadoop.HADOOP.COM. To obtain the system domain name, log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust, and view the value of Local Domain.

    [3] zookeeper.sasl.client: If the MRS cluster works in the security mode, set this parameter to true. Otherwise, set this parameter to false. If this parameter is set to false, the zookeeper.sasl.clientconfig and zookeeper.server.principal parameters do not take effect.

  • jaas.conf
    Client_new {  [4]
      com.sun.security.auth.module.Krb5LoginModule required 
      useKeyTab=true
      keyTab="D:\\work\\sample_project\\src\\hbase-examples\\hbase-zk-example\\target\\classes\\conf\\user.keytab" [5]
      principal="hbaseuser1"
      useTicketCache=false
      storeKey=true
      debug=true;
    };
    Client {  [6]
      org.apache.zookeeper.server.auth.DigestLoginModule required
      username="bob"
      password="xxxxxx"; [7]
    };

    [4] Client_new: reads configuration specified in the zoo.cfg file. When the name is changed, the corresponding configuration in the zoo.cfg file must be modified accordingly.

    [5] keyTab: specifies the path for storing the user.keytab file used by the project on the host where the sample is run. Use an absolute path to better locate the file. Use \\ in the Windows and \ in Linux.

    [6] Client: A third-party ZooKeeper uses this configuration for access. The connection authentication configuration depends on the third-party ZooKeeper version.

    [7] Password: Passwords stored in plaintext pose security risks. Store them in ciphertext in configuration files or environment variables.