我的书签
添加书签
移除书签- Select the mechanisms to enable in the bookies.
GSSAPIis the only mechanism currently supported by BookKeeper. - Add a
JAASconfig file for the selected mechanisms as described in the examples for setting up GSSAPI (Kerberos). Pass the
JAASconfig file location as JVM parameter to each Bookie. For example:Enable SASL auth plugin in bookies, by setting
bookieAuthProviderFactoryClasstoorg.apache.bookkeeper.sasl.SASLBookieAuthProviderFactory.bookieAuthProviderFactoryClass=org.apache.bookkeeper.sasl.SASLBookieAuthProviderFactory
If you are running
autorecoveryalong with bookies, then you want to enable SASL auth plugin forautorecovery, by settingclientAuthProviderFactoryClasstoorg.apache.bookkeeper.sasl.SASLClientProviderFactory.clientAuthProviderFactoryClass=org.apache.bookkeeper.sasl.SASLClientProviderFactory
Follow the steps in to configure SASL.
Important Notes
Bookieis a section name in the JAAS file used by each bookie. This section tells the bookie which principal to use and the location of the keytab where the principal is stored. It allows the bookie to login using the keytab specified in this section.Auditoris a section name in the JASS file used byautorecoverydaemon (it can be co-run with bookies). This section tells theautorecoverydaemon which principal to use and the location of the keytab where the principal is stored. It allows the bookie to login using the keytab specified in this section.- The
Clientsection is used to authenticate a SASL connection with ZooKeeper. It also allows the bookies to set ACLs on ZooKeeper nodes which locks these nodes down so that only the bookies can modify it. It is necessary to have the same primary name across all bookies. If you want to use a section name other thanClient, set the system propertyzookeeper.sasl.clientto the appropriate name (e.g-Dzookeeper.sasl.client=ZKClient). - ZooKeeper uses
zookeeperas the service name by default. If you want to change this, set the system propertyzookeeper.sasl.client.usernameto the appropriate name (e.g.-Dzookeeper.sasl.client.username=zk).
To configure SASL authentication on the clients:
- Select a
SASLmechanism for authentication and add aJAASconfig file for the selected mechanism as described in the examples for setting up . Configure the following properties in bookkeeper
ClientConfiguration:
Follow the steps in GSSAPI (Kerberos) to configure SASL for the selected mechanism.
Kerberos
Kerberos Principals
If you are using the organization’s Kerberos or Active Directory server, ask your Kerberos administrator for a principal for each Bookie in your cluster and for every operating system user that will access BookKeeper with Kerberos authentication (via clients and tools).
If you have installed your own Kerberos, you will need to create these principals yourself using the following commands:
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey bookkeeper/{hostname}@{REALM}'sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab bookkeeper/{hostname}@{REALM}"
All hosts must be reachable using hostnames
It is a Kerberos requirement that all your hosts can be resolved with their FQDNs.
Add a suitably modified JAAS file similar to the one below to each Bookie’s config directory, let’s call it
bookie_jaas.conffor this example (note that each bookie should have its own keytab):Bookie {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=truestoreKey=truekeyTab="/etc/security/keytabs/bookie.keytab"principal="bookkeeper/bk1.hostname.com@EXAMPLE.COM";};// ZooKeeper client authenticationClient {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=truestoreKey=truekeyTab="/etc/security/keytabs/bookie.keytab"principal="bookkeeper/bk1.hostname.com@EXAMPLE.COM";};// If you are running `autorecovery` along with bookiesAuditor {storeKey=truekeyTab="/etc/security/keytabs/bookie.keytab"principal="bookkeeper/bk1.hostname.com@EXAMPLE.COM";};
The
Bookiesection in the JAAS file tells the bookie which principal to use and the location of the keytab where this principal is stored. It allows the bookie to login using the keytab specified in this section. See notes for more details on Zookeeper’s SASL configuration.Pass the name of the JAAS file as a JVM parameter to each Bookie:
-Djava.security.auth.login.config=/etc/bookkeeper/bookie_jaas.conf
You may also wish to specify the path to the
krb5.conffile (see for more details):Make sure the keytabs configured in the JAAS file are readable by the operating system user who is starting the Bookies.
-
bookieAuthProviderFactoryClass=org.apache.bookkeeper.sasl.SASLBookieAuthProviderFactory# if you run `autorecovery` along with bookiesclientAuthProviderFactoryClass=org.apache.bookkeeper.sasl.SASLClientProviderFactory
To configure SASL authentication on the clients:
Clients will authenticate to the cluster with their own principal (usually with the same name as the user running the client), so obtain or create these principals as needed. Then create a
JAASfile for each principal. TheBookKeepersection describes how the clients like writers and readers can connect to the Bookies. The following is an example configuration for a client using a keytab (recommended for long-running processes):BookKeeper {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=truestoreKey=truekeyTab="/etc/security/keytabs/bookkeeper.keytab"principal="bookkeeper-client-1@EXAMPLE.COM";};
Pass the name of the JAAS file as a JVM parameter to the client JVM:
-Djava.security.auth.login.config=/etc/bookkeeper/bookkeeper_jaas.conf
You may also wish to specify the path to the
krb5.conffile (see JDK’s Kerberos Requirements for more details).Make sure the keytabs configured in the
bookkeeper_jaas.confare readable by the operating system user who is starting bookkeeper client.Enable SASL authentication plugin in the client by setting following parameters.
To enable SASL debug output, you can set sun.security.krb5.debug system property to .
