////
/**
 *
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
////

= ZooKeeper(((ZooKeeper)))

A distributed Apache HBase installation depends on a running ZooKeeper cluster.
All participating nodes and clients need to be able to access the running ZooKeeper ensemble.
Apache HBase by default manages a ZooKeeper "cluster" for you.
It will start and stop the ZooKeeper ensemble as part of the HBase start/stop process.
You can also manage the ZooKeeper ensemble independently of HBase and just point HBase at the cluster it should use.
To toggle HBase management of ZooKeeper, use the `HBASE_MANAGES_ZK` variable in _conf/hbase-env.sh_.
This variable, which defaults to `true`, tells HBase whether to start/stop the ZooKeeper ensemble servers as part of HBase start/stop.

When HBase manages the ZooKeeper ensemble, you can specify ZooKeeper configuration directly in _conf/hbase-site.xml_.
A ZooKeeper configuration option can be set as a property in the HBase _hbase-site.xml_ XML configuration file by prefacing the ZooKeeper option name with `hbase.zookeeper.property`.
For example, the `clientPort` setting in ZooKeeper can be changed by setting the `hbase.zookeeper.property.clientPort` property.
For all default values used by HBase, including ZooKeeper configuration, see <<hbase_default_configurations,hbase default configurations>>.
Look for the `hbase.zookeeper.property` prefix.
For the full list of ZooKeeper configurations, see ZooKeeper's _zoo.cfg_.
HBase does not ship with a _zoo.cfg_ so you will need to browse the _conf_ directory in an appropriate ZooKeeper download.
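
To illustrate the prefix mechanism with another _zoo.cfg_ option (a sketch; `tickTime` and the value shown are only an example, not a recommended setting):

[source,xml]
----
<!-- Passes ZooKeeper's zoo.cfg "tickTime" option through the
     hbase.zookeeper.property prefix. -->
<property>
  <name>hbase.zookeeper.property.tickTime</name>
  <value>2000</value>
</property>
----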

You must at least list the ensemble servers in _hbase-site.xml_ using the `hbase.zookeeper.quorum` property.
This property defaults to a single ensemble member at `localhost`, which is not suitable for a fully distributed HBase: it binds to the local machine only, so remote clients will not be able to connect.

.How many ZooKeepers should I run?
[NOTE]
====
You can run a ZooKeeper ensemble of only one node, but in production it is recommended that you run an ensemble of 3, 5, or 7 machines; the more members an ensemble has, the more tolerant the ensemble is of host failures.
Also, run an odd number of machines.
In ZooKeeper, an even number of peers is supported, but it is normally not used because an even-sized ensemble requires, proportionally, more peers to form a quorum than an odd-sized ensemble requires.
For example, an ensemble with 4 peers requires 3 to form a quorum, while an ensemble with 5 also requires 3 to form a quorum.
Thus, an ensemble of 5 allows 2 peers to fail, and so is more fault tolerant than an ensemble of 4, which allows only 1 down peer.

Give each ZooKeeper server around 1GB of RAM, and if possible, its own dedicated disk (a dedicated disk is the best thing you can do to ensure a performant ZooKeeper ensemble). For very heavily loaded clusters, run ZooKeeper servers on separate machines from RegionServers (DataNodes and TaskTrackers).
====
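
Once the ensemble is up, a quick way to sanity-check each member (a sketch, assuming ZooKeeper's four-letter-word interface is reachable on the client port and `nc` is installed; the hostnames are placeholders for your quorum servers):

[source,bash]
----
# "ruok" should print "imok" for every healthy ensemble member.
for zk in rs1.example.com rs2.example.com rs3.example.com; do
  echo ruok | nc "$zk" 2181
  echo    # newline between responses
done
----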

For example, to have HBase manage a ZooKeeper quorum on nodes _rs{1,2,3,4,5}.example.com_, bound to port 2222 (the default is 2181), ensure `HBASE_MANAGES_ZK` is commented out or set to `true` in _conf/hbase-env.sh_ and then edit _conf/hbase-site.xml_ and set `hbase.zookeeper.property.clientPort` and `hbase.zookeeper.quorum`.
You should also set `hbase.zookeeper.property.dataDir` to something other than the default, as the default has ZooKeeper persist data under _/tmp_, which is often cleared on system restart.
In the example below we have ZooKeeper persist to _/usr/local/zookeeper_.

[source,xml]
----
<configuration>
  ...
  <property>
    <name>hbase.zookeeper.property.clientPort</name>
    <value>2222</value>
    <description>Property from ZooKeeper's config zoo.cfg.
    The port at which the clients will connect.
    </description>
  </property>
  <property>
    <name>hbase.zookeeper.quorum</name>
    <value>rs1.example.com,rs2.example.com,rs3.example.com,rs4.example.com,rs5.example.com</value>
    <description>Comma separated list of servers in the ZooKeeper Quorum.
    For example, "host1.mydomain.com,host2.mydomain.com,host3.mydomain.com".
    By default this is set to localhost for local and pseudo-distributed modes
    of operation. For a fully-distributed setup, this should be set to a full
    list of ZooKeeper quorum servers. If HBASE_MANAGES_ZK is set in hbase-env.sh
    this is the list of servers which we will start/stop ZooKeeper on.
    </description>
  </property>
  <property>
    <name>hbase.zookeeper.property.dataDir</name>
    <value>/usr/local/zookeeper</value>
    <description>Property from ZooKeeper's config zoo.cfg.
    The directory where the snapshot is stored.
    </description>
  </property>
  ...
</configuration>
----

.What version of ZooKeeper should I use?
[NOTE]
====
The newer the version, the better. ZooKeeper 3.4.x is required as of HBase 1.0.0.
====

.ZooKeeper Maintenance
[NOTE]
====
Be sure to set up the data dir cleaner described under link:https://zookeeper.apache.org/doc/r3.1.2/zookeeperAdmin.html#sc_maintenance[ZooKeeper Maintenance], or you could have 'interesting' problems a couple of months in; for example, ZooKeeper can start dropping sessions when it has to read through a directory of hundreds of thousands of log files, which it tends to do around leader re-election, a process that is rare but does run on occasion, whether because a machine is dropped or merely hiccups.
====

== Using existing ZooKeeper ensemble

To point HBase at an existing ZooKeeper cluster, one that is not managed by HBase, set `HBASE_MANAGES_ZK` in _conf/hbase-env.sh_ to `false`:

[source,bash]
----
# Tell HBase whether it should manage its own instance of ZooKeeper or not.
export HBASE_MANAGES_ZK=false
----

Next set ensemble locations and client port, if non-standard, in _hbase-site.xml_.
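
For example (a sketch; the hostnames and port are placeholders for your actual ensemble):

[source,xml]
----
<!-- Placeholder hostnames; list your actual ensemble members. -->
<property>
  <name>hbase.zookeeper.quorum</name>
  <value>zk1.example.com,zk2.example.com,zk3.example.com</value>
</property>
<!-- Only needed if your ensemble listens on a non-standard port. -->
<property>
  <name>hbase.zookeeper.property.clientPort</name>
  <value>2181</value>
</property>
----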

When HBase manages ZooKeeper, it will start/stop the ZooKeeper servers as a part of the regular start/stop scripts.
If you would like to run ZooKeeper yourself, independent of HBase start/stop, do the following:

[source,bash]
----
${HBASE_HOME}/bin/hbase-daemons.sh {start,stop} zookeeper
----

Note that you can use HBase in this manner to spin up a ZooKeeper cluster, unrelated to HBase.
Just make sure to set `HBASE_MANAGES_ZK` to `false` if you want the ZooKeeper cluster to stay up across HBase restarts, so that when HBase shuts down, it doesn't take ZooKeeper down with it.

For more information about running a distinct ZooKeeper cluster, see the ZooKeeper link:https://zookeeper.apache.org/doc/current/zookeeperStarted.html[Getting Started Guide].
Additionally, see the link:https://cwiki.apache.org/confluence/display/HADOOP2/ZooKeeper+FAQ#ZooKeeperFAQ-7[ZooKeeper Wiki] or the link:https://zookeeper.apache.org/doc/r3.4.10/zookeeperAdmin.html#sc_zkMulitServerSetup[ZooKeeper documentation] for more information on ZooKeeper sizing.

== SASL Authentication with ZooKeeper

Releases of Apache HBase 0.92 and newer support connecting to a ZooKeeper Quorum that supports SASL authentication (which is available in ZooKeeper versions 3.4.0 or later).

This section describes how to set up HBase to mutually authenticate with a ZooKeeper Quorum.
ZooKeeper/HBase mutual authentication (link:https://issues.apache.org/jira/browse/HBASE-2418[HBASE-2418]) is required as part of a complete secure HBase configuration (link:https://issues.apache.org/jira/browse/HBASE-3025[HBASE-3025]).
For simplicity of explication, this section ignores additional configuration that is also required (Secure HDFS and Coprocessor configuration).
It's recommended to begin with an HBase-managed ZooKeeper configuration (as opposed to a standalone ZooKeeper quorum), for ease of learning.

=== Operating System Prerequisites

You need to have a working Kerberos KDC setup.
For each `$HOST` that will run a ZooKeeper server, you should have a principal `zookeeper/$HOST`.
For each such host, add a service key for `zookeeper/$HOST` to a keytab file (using the `kadmin` or `kadmin.local` tool's `ktadd` command), copy the keytab to `$HOST`, and make it readable only to the user that will run ZooKeeper on `$HOST`.
Note the location of this file, which we will use below as _$PATH_TO_ZOOKEEPER_KEYTAB_.

Similarly, for each `$HOST` that will run an HBase server (master or regionserver), you should have a principal: `hbase/$HOST`.
For each host, add a keytab file called _hbase.keytab_ containing a service key for `hbase/$HOST`, copy this file to `$HOST`, and make it readable only to the user that will run an HBase service on `$HOST`.
Note the location of this file, which we will use below as _$PATH_TO_HBASE_KEYTAB_.
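
A minimal sketch of that keytab setup with MIT Kerberos (the realm, hostnames, and file paths are placeholders, not part of the official procedure):

[source,bash]
----
# Create the service principals; -randkey assigns a random key.
kadmin.local -q "addprinc -randkey zookeeper/zk1.example.com@EXAMPLE.COM"
kadmin.local -q "addprinc -randkey hbase/rs1.example.com@EXAMPLE.COM"

# Export each principal's key to a keytab file.
kadmin.local -q "ktadd -k /tmp/zookeeper.keytab zookeeper/zk1.example.com@EXAMPLE.COM"
kadmin.local -q "ktadd -k /tmp/hbase.keytab hbase/rs1.example.com@EXAMPLE.COM"

# After copying a keytab to its host, restrict it to the service user, e.g.:
#   chown zookeeper /etc/zookeeper/zookeeper.keytab
#   chmod 400 /etc/zookeeper/zookeeper.keytab
----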

Each user who will be an HBase client should also be given a Kerberos principal.
This principal should usually have a password assigned to it (as opposed to, as with the HBase servers, a keytab file), which only this user knows.
The client's principal's `maxrenewlife` should be set high enough that its tickets can be renewed for the duration of the user's HBase client processes.
For example, if a user runs a long-running HBase client process that takes at most 3 days, we might create this user's principal within `kadmin` with: `addprinc -maxrenewlife 3days`.
The ZooKeeper client and server libraries manage their own ticket refreshment by running threads that wake up periodically to do the refreshment.
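
In full form (a sketch; the principal name and realm are placeholders):

[source,bash]
----
# Create a password-based client principal whose tickets may be
# renewed for up to three days.
kadmin.local -q "addprinc -maxrenewlife 3days alice@EXAMPLE.COM"
----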

On each host that will run an HBase client (e.g. `hbase shell`), add the following file to the HBase home directory's _conf_ directory:

[source,java]
----
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true;
};
----

We'll refer to this JAAS configuration file as _$CLIENT_CONF_ below.

=== HBase-managed ZooKeeper Configuration

On each node that will run a zookeeper, a master, or a regionserver, create a link:http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html[JAAS] configuration file in the conf directory of the node's _HBASE_HOME_ directory that looks like the following:

[source,java]
----
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$PATH_TO_ZOOKEEPER_KEYTAB"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/$HOST";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="$PATH_TO_HBASE_KEYTAB"
  principal="hbase/$HOST";
};
----

where the _$PATH_TO_HBASE_KEYTAB_ and _$PATH_TO_ZOOKEEPER_KEYTAB_ files are what you created above, and `$HOST` is the hostname for that node.

The `Server` section will be used by the ZooKeeper quorum server, while the `Client` section will be used by the HBase master and regionservers.
The path to this file should be substituted for both the text _$HBASE_SERVER_CONF_ and the text _$CLIENT_CONF_ in the _hbase-env.sh_ listing below.

Modify your _hbase-env.sh_ to include the following:

[source,bash]
----
export HBASE_OPTS="-Djava.security.auth.login.config=$CLIENT_CONF"
export HBASE_MANAGES_ZK=true
export HBASE_ZOOKEEPER_OPTS="-Djava.security.auth.login.config=$HBASE_SERVER_CONF"
export HBASE_MASTER_OPTS="-Djava.security.auth.login.config=$HBASE_SERVER_CONF"
export HBASE_REGIONSERVER_OPTS="-Djava.security.auth.login.config=$HBASE_SERVER_CONF"
----

where _$HBASE_SERVER_CONF_ and _$CLIENT_CONF_ are the full paths to the JAAS configuration files created above.

Modify your _hbase-site.xml_ on each node that will run zookeeper, master or regionserver to contain:

[source,xml]
----
<configuration>
  <property>
    <name>hbase.zookeeper.quorum</name>
    <value>$ZK_NODES</value>
  </property>
  <property>
    <name>hbase.cluster.distributed</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.zookeeper.property.authProvider.1</name>
    <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
  </property>
  <property>
    <name>hbase.zookeeper.property.kerberos.removeHostFromPrincipal</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.zookeeper.property.kerberos.removeRealmFromPrincipal</name>
    <value>true</value>
  </property>
</configuration>
----

where `$ZK_NODES` is the comma-separated list of hostnames of the ZooKeeper Quorum hosts.

Start your HBase cluster by running one or more of the following commands on the appropriate hosts:

[source,bash]
----
bin/hbase zookeeper start
bin/hbase master start
bin/hbase regionserver start
----

=== External ZooKeeper Configuration

Add a JAAS configuration file that looks like:

[source,java]
----
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="$PATH_TO_HBASE_KEYTAB"
  principal="hbase/$HOST";
};
----

where _$PATH_TO_HBASE_KEYTAB_ is the keytab created above for HBase services to run on this host, and `$HOST` is the hostname for that node.
Put this in the HBase home's configuration directory.
We'll refer to this file's full pathname as _$HBASE_SERVER_CONF_ below.

Modify your _hbase-env.sh_ to include the following:

[source,bash]
----
export HBASE_OPTS="-Djava.security.auth.login.config=$CLIENT_CONF"
export HBASE_MANAGES_ZK=false
export HBASE_MASTER_OPTS="-Djava.security.auth.login.config=$HBASE_SERVER_CONF"
export HBASE_REGIONSERVER_OPTS="-Djava.security.auth.login.config=$HBASE_SERVER_CONF"
----

Modify your _hbase-site.xml_ on each node that will run a master or regionserver to contain:

[source,xml]
----
<configuration>
  <property>
    <name>hbase.zookeeper.quorum</name>
    <value>$ZK_NODES</value>
  </property>
  <property>
    <name>hbase.cluster.distributed</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.zookeeper.property.authProvider.1</name>
    <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
  </property>
  <property>
    <name>hbase.zookeeper.property.kerberos.removeHostFromPrincipal</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.zookeeper.property.kerberos.removeRealmFromPrincipal</name>
    <value>true</value>
  </property>
</configuration>
----

where `$ZK_NODES` is the comma-separated list of hostnames of the ZooKeeper Quorum hosts.

Also, on each of the ZooKeeper Quorum hosts, create a JAAS configuration file containing:

[source,java]
----
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$PATH_TO_ZOOKEEPER_KEYTAB"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/$HOST";
};
----

where `$HOST` is the hostname of each Quorum host.
We will refer to the full pathname of this file as _$ZK_SERVER_CONF_ below.

Start your ZooKeeper servers on each ZooKeeper Quorum host with:

[source,bash]
----
SERVER_JVMFLAGS="-Djava.security.auth.login.config=$ZK_SERVER_CONF" bin/zkServer.sh start
----
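
Optionally, confirm that each server came up and which role it took (assuming the standard ZooKeeper distribution scripts):

[source,bash]
----
# Prints "Mode: leader", "Mode: follower", or "Mode: standalone".
bin/zkServer.sh status
----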

Start your HBase cluster by running one or more of the following commands on the appropriate nodes:

[source,bash]
----
bin/hbase master start
bin/hbase regionserver start
----

=== ZooKeeper Server Authentication Log Output

If the configuration above is successful, you should see something similar to the following in your ZooKeeper server logs:

----
11/12/05 22:43:39 INFO zookeeper.Login: successfully logged in.
11/12/05 22:43:39 INFO server.NIOServerCnxnFactory: binding to port 0.0.0.0/0.0.0.0:2181
11/12/05 22:43:39 INFO zookeeper.Login: TGT refresh thread started.
11/12/05 22:43:39 INFO zookeeper.Login: TGT valid starting at: Mon Dec 05 22:43:39 UTC 2011
11/12/05 22:43:39 INFO zookeeper.Login: TGT expires: Tue Dec 06 22:43:39 UTC 2011
11/12/05 22:43:39 INFO zookeeper.Login: TGT refresh sleeping until: Tue Dec 06 18:36:42 UTC 2011

11/12/05 22:43:59 INFO auth.SaslServerCallbackHandler:
Successfully authenticated client: authenticationID=hbase/ip-10-166-175-249.us-west-1.compute.internal@HADOOP.LOCALDOMAIN;
authorizationID=hbase/ip-10-166-175-249.us-west-1.compute.internal@HADOOP.LOCALDOMAIN.
11/12/05 22:43:59 INFO auth.SaslServerCallbackHandler: Setting authorizedID: hbase
11/12/05 22:43:59 INFO server.ZooKeeperServer: adding SASL authorization for authorizationID: hbase
----

=== ZooKeeper Client Authentication Log Output

On the ZooKeeper client side (HBase master or regionserver), you should see something similar to the following:

----
11/12/05 22:43:59 INFO zookeeper.ZooKeeper: Initiating client connection, connectString=ip-10-166-175-249.us-west-1.compute.internal:2181 sessionTimeout=180000 watcher=master:60000
11/12/05 22:43:59 INFO zookeeper.ClientCnxn: Opening socket connection to server /10.166.175.249:2181
11/12/05 22:43:59 INFO zookeeper.RecoverableZooKeeper: The identifier of this process is 14851@ip-10-166-175-249
11/12/05 22:43:59 INFO zookeeper.Login: successfully logged in.
11/12/05 22:43:59 INFO client.ZooKeeperSaslClient: Client will use GSSAPI as SASL mechanism.
11/12/05 22:43:59 INFO zookeeper.Login: TGT refresh thread started.
11/12/05 22:43:59 INFO zookeeper.ClientCnxn: Socket connection established to ip-10-166-175-249.us-west-1.compute.internal/10.166.175.249:2181, initiating session
11/12/05 22:43:59 INFO zookeeper.Login: TGT valid starting at: Mon Dec 05 22:43:59 UTC 2011
11/12/05 22:43:59 INFO zookeeper.Login: TGT expires: Tue Dec 06 22:43:59 UTC 2011
11/12/05 22:43:59 INFO zookeeper.Login: TGT refresh sleeping until: Tue Dec 06 18:30:37 UTC 2011
11/12/05 22:43:59 INFO zookeeper.ClientCnxn: Session establishment complete on server ip-10-166-175-249.us-west-1.compute.internal/10.166.175.249:2181, sessionid = 0x134106594320000, negotiated timeout = 180000
----

=== Configuration from Scratch

This has been tested on the current standard Amazon Linux AMI.
First, set up the KDC and principals as described above.
Next, check out the code and run a sanity check:

[source,bash]
----
git clone https://gitbox.apache.org/repos/asf/hbase.git
cd hbase
mvn clean test -Dtest=TestZooKeeperACL
----

Then configure HBase as described above.
Manually edit _target/cached_classpath.txt_ (see below):

[source,bash]
----
bin/hbase zookeeper &
bin/hbase master &
bin/hbase regionserver &
----

=== Future improvements

==== Fix target/cached_classpath.txt

You must override the standard hadoop-core jar file in `target/cached_classpath.txt` with a version that contains the HADOOP-7070 fix.
You can use the following script to do this:

[source,bash]
----
echo `find ~/.m2 -name "*hadoop-core*7070*SNAPSHOT.jar"` ':' `cat target/cached_classpath.txt` | sed 's/ //g' > target/tmp.txt
mv target/tmp.txt target/cached_classpath.txt
----

==== Set JAAS configuration programmatically

This would avoid the need for a separate Hadoop jar that fixes link:https://issues.apache.org/jira/browse/HADOOP-7070[HADOOP-7070].
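
A minimal sketch of what that could look like, using the standard `javax.security.auth.login.Configuration` API (illustrative only; HBase does not ship this class, and the entry name must match what the ZooKeeper client looks up):

[source,java]
----
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Supplies the "Client" JAAS section in code instead of via a config file. */
public class InMemoryJaasConfiguration extends Configuration {
  private final Map<String, String> options = new HashMap<String, String>();

  public InMemoryJaasConfiguration(String keytab, String principal) {
    options.put("useKeyTab", "true");
    options.put("keyTab", keytab);        // e.g. the $PATH_TO_HBASE_KEYTAB file
    options.put("principal", principal);  // e.g. hbase/$HOST
    options.put("useTicketCache", "false");
  }

  @Override
  public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
    if (!"Client".equals(name)) {
      return null; // only the ZooKeeper client section is supplied here
    }
    return new AppConfigurationEntry[] {
      new AppConfigurationEntry(
          "com.sun.security.auth.module.Krb5LoginModule",
          AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
          options)
    };
  }
}
----

It would be installed process-wide, before any ZooKeeper connection is opened, with `Configuration.setConfiguration(new InMemoryJaasConfiguration(keytabPath, principal))`.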

==== Elimination of `kerberos.removeHostFromPrincipal` and `kerberos.removeRealmFromPrincipal`

ifdef::backend-docbook[]
[index]
== Index
// Generated automatically by the DocBook toolchain.
endif::backend-docbook[]