How to Secure Apache Zookeeper with Kerberos?

Parveen Bhandari | 07 March 2022



Introduction to Apache Zookeeper Security

Before looking at how to secure Apache Zookeeper, it helps to know what Zookeeper actually is. Zookeeper is a distributed coordination service: a set of servers that keep shared state in step with each other and, on top of that, help manage large numbers of hosts, maintain configuration information, and provide group services.

What is Apache Zookeeper?

Zookeeper is mainly useful for managing large distributed environments, which form complex clusters that are difficult to coordinate by hand. It was originally built at Yahoo, and because of its simple architecture it became a standard component for Hadoop, HBase and many other frameworks. Before it existed, much of the time spent on distributed applications went into finding and fixing the coordination bugs that showed up at runtime, which is why Zookeeper is the usual choice for this job. In a nutshell, Zookeeper keeps full control over synchronization and coordination across the whole cluster.

Apache ZooKeeper is a centralized service for naming, configuration information, group services, and distributed synchronization. See also: Apache ZooKeeper on Kubernetes.

What is the architecture of Zookeeper?

The basic architecture of Zookeeper is a simple client-server model in which both clients and servers are nodes. This design keeps latency low and provides high availability. Applications use a client library, which makes the calls and handles the interaction with the servers. The system is designed to be easy to implement and operate while tolerating failures and recovering quickly when a server exits. Zookeeper runs in two modes, standalone and quorum. In standalone mode there is a single server and no replication. In quorum mode, also called a Zookeeper ensemble, a group of Zookeeper servers replicate state among themselves and serve client requests as a group.

The basic idea of the architecture is that a Zookeeper client is connected to one Zookeeper server at a time. Servers handle the requests coming from clients, and each server can serve a large number of clients concurrently. The client sends periodic ping requests to its server to confirm that the connection is alive; the server acknowledges each ping and returns the response. If the client receives no acknowledgment within the expected time, it tries to connect to a different server in the ensemble, and its session is transferred to that server.

Apache Flink provides first-class support for Kerberos authentication while keeping the security requirements of its connectors simple. See also: Apache Flink Security and its Deployment.

How to secure Apache Zookeeper with Kerberos?

For Apache Zookeeper security, Kerberos authentication is configured on the server side and, optionally, on the client side. A keytab file is generated for each server principal and referenced from the configuration files, and the Zookeeper servers use it to authenticate through Kerberos.
  • First, create a principal for each Zookeeper quorum server host. This is done from the kadmin prompt:
kadmin: addprinc -randkey zookeeper/host_fqdn@REALM
  • Next, create a keytab file for each Zookeeper server host, again from kadmin:
kadmin: ktadd -norandkey -k /etc/security/phd/keytab/zookeeper-hostid.service.keytab zookeeper/host_fqdn@REALM
  • Distribute each keytab file to its Zookeeper server host. Place it in the /etc/security/phd/keytab directory, restrict its ownership and permissions so that only the zookeeper service user can read it, and link it under the name the configuration will refer to:
chgrp hadoop zookeeper-hostid.service.keytab
chown zookeeper zookeeper-hostid.service.keytab
chmod 400 zookeeper-hostid.service.keytab
ln -s zookeeper-hostid.service.keytab zookeeper.service.keytab
  • Edit the Zookeeper configuration file /etc/gphd/zookeeper/conf/zoo.cfg and add the following lines, which register the SASL authentication provider and set the JAAS login renewal interval in milliseconds:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
  • Create the file /etc/gphd/zookeeper/conf/jaas.conf with a Server login section. The entries after the module line are the standard Krb5LoginModule options that point the server at the keytab and principal created above; substitute your own keytab path and principal:
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true storeKey=true useTicketCache=false
  keyTab="/etc/security/phd/keytab/zookeeper.service.keytab"
  principal="zookeeper/host_fqdn@REALM";
};
  • Create the file /etc/gphd/zookeeper/conf/java.env and add:
export JVMFLAGS="-Djava.security.auth.login.config=/etc/gphd/zookeeper/conf/jaas.conf"
    If JVMFLAGS is already set, extend the existing value instead, for example:
export JVMFLAGS="-Xmx2048m -Djava.security.auth.login.config=/etc/gphd/zookeeper/conf/jaas.conf"
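To confirm that a server host actually ends up in the state the steps above describe, here is an added audit script (example code written for this article, not XenonStack's or Apache ZooKeeper's own tooling). It verifies the keytab mode and owner, the authProvider and jaasLoginRenew entries in zoo.cfg, the Server section of jaas.conf (including that the keytab it names exists), and the login.config pointer in the JVMFLAGS of java.env. The directory layout, the expected owner uid, and the sample files written by write_sample_host() are assumptions constructed for the demonstration; on a real host call audit_host() with the real conf directory, keytab path and service uid.

```python
"""Audit the Kerberos settings a ZooKeeper server host should have once the
procedure above is done. Added example for this article, not XenonStack's or
ZooKeeper's own tooling: layout and owner are parameters, and the files that
write_sample_host() creates are constructed (the keytab holds no real key)."""
import os
import re
import stat
import tempfile

AUTH_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
LOGIN_FLAG = "-Djava.security.auth.login.config="

def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def check_keytab(keytab, expected_uid):
    """The keytab is the server's long-term key: mode 0400, owned by the service user."""
    try:
        st = os.stat(keytab)
    except FileNotFoundError:
        return ["keytab %s is missing" % keytab]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append("keytab %s has mode %04o, expected 0400" % (keytab, mode))
    if st.st_uid != expected_uid:
        findings.append("keytab %s owned by uid %d, expected %d" % (keytab, st.st_uid, expected_uid))
    return findings

def check_zoo_cfg(zoo_cfg):
    """Without the SASL auth provider registered, SASL logins are never evaluated."""
    props = {}
    for line in _read(zoo_cfg).splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    findings = []
    if not any(k.startswith("authProvider.") and v == AUTH_PROVIDER for k, v in props.items()):
        findings.append("zoo.cfg does not register %s" % AUTH_PROVIDER)
    if "jaasLoginRenew" not in props:
        findings.append("zoo.cfg sets no jaasLoginRenew, so the server ticket is never renewed")
    return findings

def check_jaas(jaas_conf):
    """The Server section must use Krb5LoginModule with a keytab that exists on disk."""
    m = re.search(r"Server\s*\{(.*?)\};", _read(jaas_conf), re.S)
    if not m:
        return ["jaas.conf has no Server section"]
    body, findings = m.group(1), []
    if KRB5_MODULE not in body:
        findings.append("jaas.conf Server section does not use %s" % KRB5_MODULE)
    if not re.search(r"useKeyTab\s*=\s*true", body):
        findings.append("jaas.conf Server section does not set useKeyTab=true")
    kt = re.search(r'keyTab\s*=\s*"([^"]+)"', body)
    if not kt:
        findings.append("jaas.conf Server section names no keyTab")
    elif not os.path.exists(kt.group(1)):
        findings.append("jaas.conf keyTab %s does not exist" % kt.group(1))
    if not re.search(r'principal\s*=\s*"[^"]+"', body):
        findings.append("jaas.conf Server section names no principal")
    return findings

def check_java_env(java_env, jaas_conf):
    """java.env must hand jaas.conf to the JVM, or the Server login entry is never loaded."""
    m = re.search(r'JVMFLAGS="([^"]*)"', _read(java_env))
    if not m:
        return ["java.env does not export JVMFLAGS"]
    targets = [f[len(LOGIN_FLAG):] for f in m.group(1).split() if f.startswith(LOGIN_FLAG)]
    if targets != [jaas_conf]:
        return ["java.env JVMFLAGS does not contain %s%s" % (LOGIN_FLAG, jaas_conf)]
    return []

def audit_host(conf_dir, keytab, expected_uid):
    """Run every check; an empty list of findings means the host passes."""
    jaas_conf = os.path.join(conf_dir, "jaas.conf")
    return (check_keytab(keytab, expected_uid)
            + check_zoo_cfg(os.path.join(conf_dir, "zoo.cfg"))
            + check_jaas(jaas_conf)
            + check_java_env(os.path.join(conf_dir, "java.env"), jaas_conf))

def write_sample_host(root, principal="zookeeper/host_fqdn@REALM"):
    """Constructed layout mirroring the article's files under a scratch root (not a real host)."""
    conf_dir, keytab_dir = os.path.join(root, "conf"), os.path.join(root, "keytab")
    os.makedirs(conf_dir)
    os.makedirs(keytab_dir)
    keytab = os.path.join(keytab_dir, "zookeeper.service.keytab")
    with open(keytab, "wb") as fh:
        fh.write(b"\x05\x02")  # keytab format header only, no key material
    os.chmod(keytab, 0o400)  # the chmod 400 step of the procedure
    jaas_conf = os.path.join(conf_dir, "jaas.conf")
    with open(jaas_conf, "w", encoding="utf-8") as fh:
        fh.write("Server {\n  %s required\n  useKeyTab=true storeKey=true useTicketCache=false\n"
                 "  keyTab=\"%s\"\n  principal=\"%s\";\n};\n" % (KRB5_MODULE, keytab, principal))
    with open(os.path.join(conf_dir, "zoo.cfg"), "w", encoding="utf-8") as fh:
        fh.write("tickTime=2000\nauthProvider.1=%s\njaasLoginRenew=3600000\n" % AUTH_PROVIDER)
    with open(os.path.join(conf_dir, "java.env"), "w", encoding="utf-8") as fh:
        fh.write('export JVMFLAGS="-Xmx2048m %s%s"\n' % (LOGIN_FLAG, jaas_conf))
    return conf_dir, keytab

def demo():
    """Audit the constructed host, then again after loosening the keytab mode."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir, keytab = write_sample_host(root)
        clean = audit_host(conf_dir, keytab, os.getuid())
        os.chmod(keytab, 0o644)  # the mistake the chmod step exists to prevent
        loose = audit_host(conf_dir, keytab, os.getuid())
    return clean, loose

if __name__ == "__main__":
    for label, findings in zip(("as configured", "keytab 0644"), demo()):
        print(label + ":", findings or "no findings")
```

The checks are deliberately independent so that a single missing piece (the auth provider line, the JVM flag, a keytab readable by the whole group) is reported on its own rather than as a generic "Kerberos not working" after the server is restarted.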
Now verify the configuration: start up the cluster and connect with a client:
zookeeper-client -server hostname:port
Create a protected znode. The ACL sasl:zkcli@REALM:cdwra grants create, delete, write, read and admin to the Kerberos principal zkcli@REALM and nothing to anyone else:
create /testznode testznodedata sasl:zkcli@REALM:cdwra
Check the ACL on the new node:
getAcl /testznode
The permission line of the result should read:
: cdrwa
The ACL is enforced against the identity the client presented when it logged in, so to test it start a Zookeeper client that itself authenticates through SASL as zkcli@REALM, connect, and confirm that the session can access /testznode.
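The ACL string passed to create and the lines printed by getAcl both have a fixed format, and a review of a node's ACL should catch entries that undo the protection, such as a world:anyone entry holding more than read. The parser and review helper below are added example code for this article, not part of ZooKeeper; the getAcl transcript embedded in it is constructed and contains an extra world:anyone entry that is not in the article's output.

```python
"""Parse ZooKeeper ACL entries in CLI form (scheme:id:perms) and in getAcl output,
and review them for entries that weaken a Kerberos-protected node. Added example
for this article, not ZooKeeper code; SAMPLE_GETACL is constructed."""
import re

PERMS = {"c": "create", "r": "read", "w": "write", "d": "delete", "a": "admin"}
SCHEMES = {"world", "auth", "digest", "ip", "sasl", "x509"}


def parse_acl_spec(spec):
    """'sasl:zkcli@REALM:cdwra' -> ('sasl', 'zkcli@REALM', frozenset('acdrw')).
    Digest ids are user:hash, so the id may contain ':'. Split the scheme off the
    front and the perms off the back instead of splitting on every colon."""
    scheme, rest = spec.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    if scheme not in SCHEMES:
        raise ValueError("unknown ACL scheme %r in %r" % (scheme, spec))
    unknown = set(perms) - set(PERMS)
    if unknown:
        raise ValueError("unknown permission letters %r in %r" % ("".join(sorted(unknown)), spec))
    return scheme, ident, frozenset(perms)


def parse_getacl_output(text):
    """getAcl prints each entry as  'scheme,'id  with  : perms  on the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for head, perm_line in zip(lines[::2], lines[1::2]):
        m = re.match(r"'([a-z0-9]+),'(.*)$", head)
        if not m or not perm_line.startswith(":"):
            raise ValueError("unexpected getAcl lines %r / %r" % (head, perm_line))
        entries.append((m.group(1), m.group(2), frozenset(perm_line[1:].strip())))
    return entries


def review_acl(entries, expected_principal):
    """Findings for a node that is meant to be owned by one Kerberos (sasl) principal."""
    findings = []
    if not any(s == "sasl" and i == expected_principal for s, i, _ in entries):
        findings.append("no sasl entry for %s" % expected_principal)
    for scheme, ident, perms in entries:
        if scheme == "world" and perms - {"r"}:
            findings.append("world:anyone holds %s; unauthenticated clients can change the node"
                            % "".join(sorted(perms)))
        if scheme in {"world", "ip"} and "a" in perms:
            findings.append("%s:%s holds admin and can rewrite the ACL itself" % (scheme, ident))
    return findings


def permissions_for(entries, scheme, ident):
    """Permissions an identity ends up with, since world:anyone applies to everyone."""
    granted = set()
    for s, i, perms in entries:
        if (s, i) in ((scheme, ident), ("world", "anyone")):
            granted |= perms
    return frozenset(granted)


# Constructed getAcl transcript for the article's /testznode, with an extra
# world:anyone entry that a client could have added when setting the ACL.
SAMPLE_GETACL = """
'sasl,'zkcli@REALM
: cdrwa
'world,'anyone
: rw
"""

if __name__ == "__main__":
    entries = parse_getacl_output(SAMPLE_GETACL)
    for finding in review_acl(entries, "zkcli@REALM"):
        print("finding:", finding)
    other = permissions_for(entries, "sasl", "other@REALM")
    print("a different principal gets:", "".join(sorted(other)))
```

The review is intentionally strict about the world scheme: a world:anyone entry applies to every session, authenticated or not, so anything beyond read on it means the sasl entry no longer decides who may modify the node.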


Thanks to its comprehensive feature set, Apache Zookeeper helps enterprises process data faster and solve complex data problems in less time. However, securing the operational data it holds matters most. To know more about Apache Zookeeper, we advise taking the following steps –