
Question about configuring kerberized kafka connecting zookeepers that uses non-default service user


Cloudera Employee

This is a secure HDP 2.3 cluster, and the ZooKeeper services run as a non-default service user.

Is it supported to configure a kerberized Kafka cluster to connect with ZooKeepers that have non-default service users?

1 ACCEPTED SOLUTION


Re: Question about configuring kerberized kafka connecting zookeepers that uses non-default service user

@rmaruthiyodan@hortonworks.com - It's supported as far as I know. You are using zookprusr (example) for ZooKeeper; as long as the ZooKeeper service is up, we are good.

Kafka Kerberos Doc

Client { // used for zookeeper connection
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="kafka/c6401.ambari.apache.org@EXAMPLE.COM";
};

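A small Python lint for the `Client` section shown in the answer above, as an added example that is not part of the original thread or of Kafka/ZooKeeper. The function names, the choice of checks and the `expected_service` parameter (which defaults to the `serviceName` value in the answer) are assumptions of this example.

```python
import re

# Constructed sample: the Client section quoted in the answer above.
SAMPLE = '''
Client { // used for zookeeper connection
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="kafka/c6401.ambari.apache.org@EXAMPLE.COM";
};
'''

def parse_jaas(text):
    """Lenient parse into {section: [(module, flag, {option: value}), ...]}; ValueError if unclosed."""
    # Strip // and /* */ comments, leaving quoted strings untouched, then tokenize.
    text = re.sub(r'"[^"]*"|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text, flags=re.S)
    tok = re.findall(r'"[^"]*"|[{};=]|[^\s{};="]+', text)
    sections, i = {}, 0
    while i < len(tok):
        end = tok.index('}', i)                 # raises ValueError if the section never closes
        name, body, modules = tok[i], tok[i + 2:end], []
        while body:
            stop = body.index(';')              # each login-module entry ends with ';'
            opts = body[2:stop]                 # flat run of: key, '=', value
            modules.append((body[0], body[1],
                            {k: v.strip('"') for k, v in zip(opts[0::3], opts[2::3])}))
            body = body[stop + 1:]
        sections[name], i = modules, end + 2    # skip the '}' and the ';' after it
    return sections

def lint_zk_client(sections, expected_service='zookeeper'):
    """Findings for the 'Client' section; the checks are choices made for this example."""
    if not sections.get('Client'):
        return ['no Client section']
    _module, _flag, o = sections['Client'][0]
    out = []
    if o.get('useKeyTab') != 'true' or not o.get('keyTab'):
        out.append('keytab login not fully configured (useKeyTab/keyTab)')
    if o.get('useTicketCache') == 'true':
        out.append('useTicketCache=true: login may come from a ticket cache, not the keytab')
    if not re.fullmatch(r'[^/@\s]+/[^/@\s]+@[^/@\s]+', o.get('principal', '')):
        out.append('principal is not of the form primary/host@REALM')
    if o.get('serviceName') != expected_service:
        out.append(f"serviceName is {o.get('serviceName')!r}, expected {expected_service!r}")
    return out
```

`lint_zk_client(parse_jaas(SAMPLE))` returns an empty list for the configuration as posted; pass the text of the broker's own JAAS file to check a real deployment.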

2 REPLIES

Re: Question about configuring kerberized kafka connecting zookeepers that uses non-default service user

@rmaruthiyodan@hortonworks.com

I know there are customers doing that and as far as I know, it's supported. Are you facing any issues?
