HADOOP-18139: Allow configuration of zookeeper server principal.

Fixes #4024

Signed-off-by: Owen O'Malley <oomalley@linkedin.com>
Owen O'Malley 2022-02-23 16:17:53 -08:00
parent 6b07c851f3
commit 12fa38d546
3 changed files with 36 additions and 0 deletions


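--- a/CommonConfigurationKeys.java
+++ b/CommonConfigurationKeys.java
@@ -399,6 +399,8 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
   public static final String ZK_ACL_DEFAULT = "world:anyone:rwcda";
   /** Authentication for the ZooKeeper ensemble. */
   public static final String ZK_AUTH = ZK_PREFIX + "auth";
+  /** Principal name for zookeeper servers. */
+  public static final String ZK_SERVER_PRINCIPAL = ZK_PREFIX + "server.principal";
   /** Address of the ZooKeeper ensemble. */
   public static final String ZK_ADDRESS = ZK_PREFIX + "address";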
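Review bot: The Javadoc on ZK_SERVER_PRINCIPAL reads as if the value were a full Kerberos principal, but ZKCuratorManager in this same commit feeds it to `ZKClientConfig.ZK_SASL_CLIENT_USERNAME`, which ZooKeeper treats as the user-name (primary) component of the server principal rather than a `service/host@REALM` string; as far as I can tell, a full principal configured here would make the client derive a wrong service name and fail SASL. I would make that explicit: `/** User-name part of the Kerberos principal the ZooKeeper servers run as (sets {@code zookeeper.sasl.client.username} on the client); when unset, ZooKeeper's own default applies. */`. The three-file diffstat shows no core-default.xml description for the new key, so this comment is currently its only documentation.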


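--- a/ZKDelegationTokenSecretManager.java
+++ b/ZKDelegationTokenSecretManager.java
@@ -55,6 +55,7 @@ import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.web.DelegationTokenManager;
 import static org.apache.hadoop.util.Time.now;
+import org.apache.hadoop.util.curator.ZKCuratorManager;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.KeeperException.NoNodeException;
@@ -98,6 +99,8 @@ public abstract class ZKDelegationTokenSecretManager<TokenIdent extends Abstract
       + "kerberos.keytab";
   public static final String ZK_DTSM_ZK_KERBEROS_PRINCIPAL = ZK_CONF_PREFIX
       + "kerberos.principal";
+  public static final String ZK_DTSM_ZK_KERBEROS_SERVER_PRINCIPAL = ZK_CONF_PREFIX
+      + "kerberos.server.principal";
   public static final String ZK_DTSM_TOKEN_SEQNUM_BATCH_SIZE = ZK_CONF_PREFIX
       + "token.seqnum.batch.size";
   public static final String ZK_DTSM_TOKEN_WATCHER_ENABLED = ZK_CONF_PREFIX
@@ -202,6 +205,8 @@ public abstract class ZKDelegationTokenSecretManager<TokenIdent extends Abstract
       builder =
           CuratorFrameworkFactory
               .builder()
+              .zookeeperFactory(new ZKCuratorManager.HadoopZookeeperFactory(
+                  conf.get(ZK_DTSM_ZK_KERBEROS_SERVER_PRINCIPAL)))
               .aclProvider(aclProvider)
               .namespace(
                   conf.get(ZK_DTSM_ZNODE_WORKING_PATH,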
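Review bot: The third hunk reads the new key with `conf.get(ZK_DTSM_ZK_KERBEROS_SERVER_PRINCIPAL)`, so any surrounding whitespace in the configured value is handed to ZKClientConfig unchanged and would produce a SASL service name that never matches the server's ticket; `conf.getTrimmed(ZK_DTSM_ZK_KERBEROS_SERVER_PRINCIPAL)` is the usual Hadoop idiom for principal-like strings, and the same applies to the `conf.get(CommonConfigurationKeys.ZK_SERVER_PRINCIPAL)` call added in ZKCuratorManager. The new constant has no comment, which matches its neighbours, but since it is what operators will search for I would add `// user-name component of the ZK server principal, not a full principal` above it. The method containing the builder chain starts and ends outside the hunk.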


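--- a/ZKCuratorManager.java
+++ b/ZKCuratorManager.java
@@ -28,12 +28,16 @@ import org.apache.curator.framework.CuratorFramework;
 import org.apache.curator.framework.CuratorFrameworkFactory;
 import org.apache.curator.framework.api.transaction.CuratorOp;
 import org.apache.curator.retry.RetryNTimes;
+import org.apache.curator.utils.ZookeeperFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.util.ZKUtil;
 import org.apache.zookeeper.CreateMode;
+import org.apache.zookeeper.Watcher;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.client.ZKClientConfig;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Stat;
 import org.slf4j.Logger;
@@ -148,6 +152,8 @@ public final class ZKCuratorManager {
     CuratorFramework client = CuratorFrameworkFactory.builder()
         .connectString(zkHostPort)
+        .zookeeperFactory(new HadoopZookeeperFactory(
+            conf.get(CommonConfigurationKeys.ZK_SERVER_PRINCIPAL)))
         .sessionTimeoutMs(zkSessionTimeout)
         .retryPolicy(retryPolicy)
         .authorization(authInfos)
@@ -428,4 +434,27 @@ public final class ZKCuratorManager {
           .forPath(path, data));
     }
   }
+  public static class HadoopZookeeperFactory implements ZookeeperFactory {
+    private final String zkPrincipal;
+    public HadoopZookeeperFactory(String zkPrincipal) {
+      this.zkPrincipal = zkPrincipal;
+    }
+    @Override
+    public ZooKeeper newZooKeeper(String connectString, int sessionTimeout,
+        Watcher watcher, boolean canBeReadOnly
+    ) throws Exception {
+      ZKClientConfig zkClientConfig = new ZKClientConfig();
+      if (zkPrincipal != null) {
+        LOG.info("Configuring zookeeper to use {} as the server principal",
+            zkPrincipal);
+        zkClientConfig.setProperty(ZKClientConfig.ZK_SASL_CLIENT_USERNAME,
+            zkPrincipal);
+      }
+      return new ZooKeeper(connectString, sessionTimeout, watcher,
+          canBeReadOnly, zkClientConfig);
+    }
+  }
 }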
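Review bot: HadoopZookeeperFactory is a new public nested type with no Javadoc, and its guard `if (zkPrincipal != null)` still forwards an empty string configured for the key, which as far as I can see would set an empty SASL user name instead of leaving ZooKeeper's default in place. I would tighten it to `if (zkPrincipal != null && !zkPrincipal.isEmpty()) {` and document the class as a Curator ZookeeperFactory that builds the ZooKeeper client with an explicit ZKClientConfig so the SASL server user name (ZK_SASL_CLIENT_USERNAME) can be overridden from Hadoop configuration, with a null principal keeping ZooKeeper's defaults. Marking the class `final` would also match the enclosing `public final class ZKCuratorManager`. None of the three changed files exercises the factory, so a unit test asserting the property is set or left unset on the resulting ZKClientConfig would be the cheapest coverage.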