####Table of Contents
-
Module Description - What the module does and why it is useful
-
Reference - An under-the-hood peek at what the module is doing and how
The zookeeper module installs and configures Apache Zookeeper quorum cluster. Optionally, the security can be enabled.
This module install and configure Apache Zookeeper quorum cluster. It expects list of hostnames, where zookeeper should be running. Zookeeper IDs will be generated according to the ordering of these hostnames.
Optionally the security based on Kerberos can be enabled.
Supported are:
- Debian 7/wheezy: Cloudera distribution (tested with CDH 5.3.0/zookeeper 3.4.5)
- Ubuntu 14/trusty
- RHEL 6, CentOS 6, Scientific Linux 6: Cloudera distribution (tested with CDH 5.4.2/zookeeper 3.4.5)
###What cesnet-zookeeper module affects
- Packages: zookeeper server package
- Alternatives:
- alternatives are used for /etc/zookeeper/conf in Cloudera
- this module switches to the new alternative by default on Debian, so the Cloudera original configuration can be kept intact
- Files modified:
- /etc/zookeeper/conf*
- /var/lib/zookeeper/*
- Secret files (keytab): ownerships and permissions modified
- Java system properties set for Zookeeper:
- java.security.auth.login.config
- zookeeper.security.auth_to_local
There are several known or intended limitations in this module.
Be aware of:
-
Repositories - see cesnet-hadoop module Setup Requirements for details
-
Secure mode: keytab must be prepared in /etc/security/keytabs/zookeeper.service.keytab (see realm parameter)
Example: one-machine zookeeper quorum without security:
class{'zookeeper':
hostnames => [ $::fqdn ],
realm => '',
}
It is recommended to have at least three or more (odd-numbered) zookeeper machines. All zookeeper hostnames must be specified in hostnames and the order must be the same across all of the nodes.
Example: Setup with security:
class{'zookeeper':
hostnames => [ $::fqdn ],
realm => 'MY.REALM',
}
The keytab file must be available at /etc/security/keytabs/zookeeper.service.keytab.
Note: you can consider removing or changing property zookeeper.security.auth_to_local:
properties => {
'zookeeper.security.auth_to_local' => '::undef',
}
Default value is valid for principal names according to Hadoop documentation at http://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SecureMode.html and it is needed only with cross-realm authentication.
It is recommended to set super user credentials (for example to be able to restore bad ACLs).
####Get the digest string: (replace $PASSWORD by real password)
export ZK_HOME=/usr/lib/zookeeper
java -cp $ZK_HOME/lib/*:$ZK_HOME/zookeeper.jar org.apache.zookeeper.server.auth.DigestAuthenticationProvider super:$PASSWORD
####Use the digest in properties:
class{'zookeeper':
hostnames => [ $::fqdn ],
realm => 'MY.REALM',
properties => {
zookeeper.DigestAuthenticationProvider.superDigest => 'super:XXXXX',
},
}
####Using in the client:
zooclient-cli
addauth digest super:PASSWORD
- config.pp
- init.pp: Setup Zookeeper Cluster
- install.pp
- params.pp
- service.pp
####alternatives
Use alternatives to switch configuration. Use only when supported (Cloudera for example).
####hostnames (empty)
Array of zookeeper nodes hostnames.
####realm (required)
Kerberos realm. Required parameter, empty string disables Kerberos authentication.a
To enable security, there are required:
- configured Kerberos (/etc/krb5.conf, /etc/krb5.keytab)
- /etc/security/keytab/zookeeper.service.keytab (on zookeeper nodes)
- Repository: https://github.com/MetaCenterCloudPuppet/cesnet-zookeeper
- Tests: https://github.com/MetaCenterCloudPuppet/hadoop-tests
- Email: František Dvořák <[email protected]>