2. Securing Zookeeper with Kerberos (optional)

	Note
	Before starting the following steps, refer to Setting up Security for Manual Installs.

(Optional) To secure Zookeeper with Kerberos, perform the following steps on the host that runs KDC (Kerberos Key Distribution Center):

Start the kadmin.local utility:
/usr/sbin/kadmin.local
Create a principal for Zookeeper:
sudo kadmin.local -q 'addprinc zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM'
Create a keytab for Zookeeper:
sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"
Copy the keytab to all Zookeeper nodes in the cluster.
Note
Verify that only the Zookeeper and Storm operating system users can access the Zookeeper keytab.

Administrators must add the following properties to the zoo.cfg configuration file located at /etc/zookeeper/conf:

authProvider.1 = org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal = true
kerberos.removeRealmFromPrincipal = true

Note

Grant the zookeeper user shell access on Ubuntu and Debian.

usermod -s /bin/bash zookeeper

Legal notices

	Note
	Verify that only the Zookeeper and Storm operating system users can access the Zookeeper keytab.