How to Secure Apache Zookeeper with Kerberos

Xenonstack
XenonStack Security
4 min read · May 9, 2019

Securing Zookeeper with Kerberos

Before learning about Apache Zookeeper security, first understand what Zookeeper actually is. Zookeeper is a distributed coordination service: it helps manage a large number of hosts, maintain and distribute configuration information, and provides group services. Zookeeper is mainly useful for managing large distributed environments that form a complex cluster and are difficult to manage properly.

Zookeeper was originally built at Yahoo. Thanks to its simple architecture it became a standard for Hadoop, HBase, and many other frameworks. Previously, when distributed applications were implemented, most of the time and effort went into fixing the bugs that arose along the way, so in that regard Zookeeper is the better choice. In a nutshell, Zookeeper keeps full control over synchronization and coordination across the whole cluster.

Architecture of Zookeeper

The basic architecture of Zookeeper is a simple client-server model in which both clients and servers act as nodes. This architecture helps reduce latency and provides high availability. It includes a client library through which applications make calls, and the interaction between those calls and the servers takes place there. The architecture is designed to be easy to implement and operate. It must have a high capacity to tolerate failures and a high tendency to recover from a failure when a node exits.

Zookeeper runs in two modes: standalone and quorum. In standalone mode Zookeeper has a single server and its state is not replicated. In quorum mode, also called a Zookeeper ensemble, a group of Zookeeper servers replicate state and work as a group to serve client requests. The basic idea the Zookeeper architecture shows us is that one Zookeeper client is connected to one Zookeeper server.

Requests coming from clients are handled by the servers, and each server can handle a large number of clients at a time. The client sends a ping request to the server to make sure it is alive and still connected. In response, the server acknowledges the ping, which tells the client that the server is alive. If the client does not receive any response or acknowledgment from the server within some time, it tries to connect to a different server in the ensemble. In this way the client's session is transferred to a different Zookeeper server.

Apache Zookeeper Security with Kerberos

For Apache Zookeeper security, authentication takes place on the server side and, optionally, on the client side. A keytab file is generated under some policy and referenced from configuration files that allow the service to authenticate through Kerberos.

  • First create the Zookeeper service principal in kadmin, export it to a keytab, and then (from /etc/security/phd/keytab) restrict the keytab's ownership and permissions:
    kadmin: addprinc -randkey zookeeper/host_fqdn@REALM
    kadmin: ktadd -norandkey -k /etc/security/phd/keytab/zookeeper-hostid.service.keytab zookeeper/host_fqdn@REALM
    chgrp hadoop zookeeper-hostid.service.keytab
    chown zookeeper zookeeper-hostid.service.keytab
    chmod 400 zookeeper-hostid.service.keytab
    ln -s zookeeper-hostid.service.keytab zookeeper.service.keytab
  • Now edit the Zookeeper configuration file and add the following lines to /etc/gphd/zookeeper/conf/zoo.cfg:
    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    jaasLoginRenew=3600000
  • Now create the file /etc/gphd/zookeeper/conf/jaas.conf and enter the following:
    Server {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/etc/security/phd/keytab/zookeeper-hostid.service.keytab"
      storeKey=true
      useTicketCache=false
      principal="zookeeper/host_fqdn@REALM";
    };
  • Then edit /etc/gphd/zookeeper/conf/java.env and add:
    export JVMFLAGS="-Djava.security.auth.login.config=/etc/gphd/zookeeper/conf/jaas.conf"

Sometimes JVMFLAGS already exists, in which case we extend it instead, for example:

export JVMFLAGS="-Xmx2048m -Djava.security.auth.login.config=/etc/gphd/zookeeper/conf/jaas.conf"
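As an added check (not code from the post or from the ZooKeeper project), the following Python script parses zoo.cfg and the jaas.conf Server section and reports any of the settings above that are missing or set differently; the two inline sample files are constructed to match the values used in this post.

```python
import re
# Constructed sample files mirroring the settings the post adds (not copied from any deployment).
ZOO_CFG = """clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
"""
JAAS_CONF = """Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/phd/keytab/zookeeper-hostid.service.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/host_fqdn@REALM";
};
"""

def parse_zoo_cfg(text):
    """Return zoo.cfg key=value pairs, ignoring blank and comment lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}

def parse_jaas_section(text, name):
    """Return the login module and option=value pairs of one JAAS section, or None if absent."""
    m = re.search(r"%s\s*\{(.*?)\};" % re.escape(name), text, re.S)
    if not m:
        return None
    body = m.group(1)
    opts = dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
    mod = re.search(r"(\S+LoginModule)\s+(?:required|requisite|sufficient|optional)", body)
    opts["module"] = mod.group(1) if mod else None
    return opts

def audit(zoo_cfg_text, jaas_text):
    """Return a list of findings; an empty list means the Kerberos settings are consistent."""
    findings = []
    cfg = parse_zoo_cfg(zoo_cfg_text)
    providers = [v for k, v in cfg.items() if k.startswith("authProvider.")]
    if "org.apache.zookeeper.server.auth.SASLAuthenticationProvider" not in providers:
        findings.append("zoo.cfg: SASLAuthenticationProvider is not registered as an authProvider")
    sec = parse_jaas_section(jaas_text, "Server")
    if sec is None:
        return findings + ["jaas.conf: no Server section found"]
    if sec.get("module") != "com.sun.security.auth.module.Krb5LoginModule":
        findings.append("jaas.conf: Server section does not use Krb5LoginModule")
    # Log in from the keytab, keep the key in the Subject, and do not depend on a ticket cache.
    for opt, want in (("useKeyTab", "true"), ("storeKey", "true"), ("useTicketCache", "false")):
        if sec.get(opt) != want:
            findings.append(f"jaas.conf: {opt} should be {want}, got {sec.get(opt)}")
    if not sec.get("keyTab") or not sec.get("principal", "").startswith("zookeeper/"):
        findings.append("jaas.conf: keyTab and a zookeeper/<host_fqdn>@<REALM> principal are required")
    return findings
```

To run it against a real host, read the two files from /etc/gphd/zookeeper/conf and pass their contents to audit().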

Now we can verify the Zookeeper configuration. Start up the cluster and connect using a client:

zookeeper-client -server hostname:port

Create a protected znode whose ACL grants all permissions only to the Kerberos identity zkcli@REALM:

create /testznode testznodedata sasl:zkcli@REALM:cdwra

The ACL on this node can be verified with:

getAcl /testznode

We will get a result like the following (here BIGDATA.COM stands for the realm):

'sasl,'zkcli@BIGDATA.COM : cdrwa

This secures the session with the Zookeeper client; test it by starting the Zookeeper client and connecting to the cluster.
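Beyond checking a single znode by eye, a defender usually wants to know which znodes still carry the default open ACL. The following added example (not from the post) parses getAcl output in the format shown above and flags znodes where the unauthenticated world:anyone identity holds more than read; the sample ACL texts are constructed, and /config and /readonly are hypothetical znodes included for comparison.

```python
import re

# Constructed getAcl output in the shape the post shows; zkCli may also print the
# ": perms" part on its own line, which the regex below accepts as well.
SAMPLE_ACLS = {
    "/testznode": "'sasl,'zkcli@REALM : cdrwa",
    "/config": "'world,'anyone\n: cdrwa",
    "/readonly": "'world,'anyone\n: r\n'sasl,'zkcli@REALM\n: cdrwa",
}
ACL_RE = re.compile(r"'(\w+),'([^\s:]+)\s*:\s*([cdrwa]+)")

def parse_acl(text):
    """Return (scheme, id, perms) triples from zkCli getAcl output."""
    return ACL_RE.findall(text)

def check_znode_acls(acls):
    """Flag znodes where an unauthenticated identity holds anything beyond read.

    world:anyone:cdrwa is the default ACL of a newly created znode, and a
    SASL-enabled server still accepts unauthenticated clients by default, so
    such a node can be modified by anyone who can reach the ensemble.
    """
    findings = []
    for path, text in acls.items():
        entries = parse_acl(text)
        if not entries:
            findings.append(f"{path}: could not parse ACL")
            continue
        for scheme, ident, perms in entries:
            if scheme == "world" and set(perms) - {"r"}:
                findings.append(f"{path}: world:{ident} has '{perms}' (expected at most 'r')")
        if not any(scheme == "sasl" for scheme, _, _ in entries):
            findings.append(f"{path}: no sasl entry, so no Kerberos identity can manage it")
    return findings
```

On a live ensemble, feed the output of getAcl for each path of interest into check_znode_acls().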

An Approach to Apache Zookeeper Security

Thanks to its comprehensive features, Apache Zookeeper helps process enterprise data faster and solve complex data problems in less time. However, securing operational data matters the most. To know more about Apache Zookeeper, we advise taking the following steps -

Originally published at https://www.xenonstack.com on May 9, 2019.
