ZooKeeper Security
You can enable security in ZooKeeper by using the examples below. For a complete Confluent Platform security example, see the Security Tutorial.
Note
When authenticating brokers with ZooKeeper, set zookeeper.set.acl=true for all brokers. If you accept the default (zookeeper.set.acl=false), then no ACLs are created and ZooKeeper authentication is not enforced.
Enable ZooKeeper Authentication with SASL
Enable ZooKeeper authentication with SASL by using one of these methods.
Add the following to zookeeper.properties to enable SASL while still allowing connections without authentication:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
Add the following to the ZooKeeper JVM command line:
-Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
Require All Connections to Use SASL Authentication
Add the requirement that all connections must use SASL authentication by using one of these methods.
Add the following to zookeeper.properties:
requireClientAuthScheme=sasl
Add the following to the ZooKeeper JVM command line:
-Dzookeeper.requireClientAuthScheme=sasl
SASL with Digest-MD5
Here is an example of a ZooKeeper node JAAS file:
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="adminsecret"
    user_bob="bobsecret";
};
Here is an example of a ZooKeeper client JAAS file, including brokers and admin scripts like kafka-topics:
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="bob"
    password="bobsecret";
};
If your Kafka broker already has a JAAS file, add this Client section to it.
SASL with Kerberos
Here is an example of a ZooKeeper node JAAS file:
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/path/to/server/keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/yourzkhostname@EXAMPLE.COM";
};
Here is an example of a ZooKeeper client JAAS file, including brokers and admin scripts like kafka-topics:
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};
Note
Before starting ZooKeeper, check the JAAS syntax and keytab permissions. The most common errors that prevent the server from starting are JAAS syntax errors or permissions set incorrectly on the keytab file.
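As an added example (not part of the Confluent documentation or the ZooKeeper project), the following Python linter performs the two pre-start checks the note describes on a constructed copy of the Kerberos server JAAS file above: it parses JAAS sections, reports the common missing-semicolon error, and refuses a keytab that is readable by group or others. The sample path, the function names and the permission rule (owner-only access) are assumptions.

```python
import os
import re
import stat
# Constructed sample modelled on the Kerberos server JAAS file shown above.
SAMPLE_JAAS = '''Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/server/keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/yourzkhostname@EXAMPLE.COM";
};
'''

SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')

def parse_jaas(text):
    """Map each section name to (login module, control flag, {option: value})."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        # The entry must end with ';' before '}': the classic JAAS syntax slip.
        if not body.rstrip().endswith(';'):
            raise ValueError(f"{name}: missing ';' after the last option")
        module, flag, rest = (body.strip().rstrip(';').split(None, 2) + ['', ''])[:3]
        sections[name] = (module, flag, {k: q or u for k, q, u in OPTION_RE.findall(rest)})
    return sections

def keytab_mode_problems(path, st_mode):
    """A keytab holds long-term keys, so it must not be group- or world-readable."""
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is readable by group or others (mode {stat.S_IMODE(st_mode):04o})"]
    return []

def lint_zk_jaas(text, section='Server'):
    """Return the problems that would stop ZooKeeper from starting with this JAAS file."""
    try:
        sections = parse_jaas(text)
    except ValueError as e:
        return [str(e)]
    if section not in sections:
        return [f"missing '{section}' section"]
    module, _flag, opts = sections[section]
    problems = []
    if module.endswith('Krb5LoginModule') and opts.get('useKeyTab') == 'true':
        path = opts.get('keyTab', '')
        problems += ([f"{section}: keytab '{path}' not found"] if not os.path.isfile(path)
                     else keytab_mode_problems(path, os.stat(path).st_mode))
    return problems
```

Run lint_zk_jaas() on the real file before starting the server; an empty list means both checks passed.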