Talk Abstract
Apache ZooKeeper plays a central role within the Accumulo architecture. Its quorum consistency model supports an overall Accumulo architecture with no single points of failure. Beyond that, Accumulo leverages ZooKeeper to store and communicate configuration information for users and tables, as well as the operational state of processes and tablets. For most Accumulo users, ZooKeeper is a black box full of goodness. Unfortunately, operational challenges mean we often have to delve into the dark depths to decipher what's going on when something goes wrong. In this talk, we will cover some basics about ZooKeeper's role, what it's good at and what it's not. Then we will discuss ways to debug what's stored inside ZooKeeper, including how to overcome challenges with ZooKeeper's sometimes difficult ACL model.
Speaker
Michael Allen
Security Architect, Sqrrl
Michael Allen is Sqrrl's security architect. Before joining the team, Michael finished up 9 years working for PGP Corporation (and, post-acquisition, Symantec) in a variety of roles developing encryption software. In addition to encryption systems, Michael has extensive experience working with Java and Java-based web applications. He holds an MS in computer science from UC Santa Cruz, and a BA in Computer Science from Pomona College. When he's not making things up at work, Michael makes things up with other actors performing improvisational theater.
28. ZK-DIGEST.SH
#!/bin/bash
# zk-digest.sh: ask ZooKeeper's own DigestAuthenticationProvider for the
# digest-scheme id ("user:base64(sha1)") of a "user:password" string, so the
# output is exactly what the server would compute and store in an ACL.
if [ -z "${ZOOKEEPER_HOME}" ]; then
  # Single quotes: print the variable's name, not its (empty) value.
  echo 'Set $ZOOKEEPER_HOME before running this script' >&2
  exit 1
fi
if [ -z "${JAVA_HOME}" ]; then
  echo 'Set $JAVA_HOME before running this script' >&2
  exit 1
fi
if [ $# -eq 0 ]; then
  echo "usage: zk-digest.sh <digest string>"
  echo ""
  echo " Utility to produce authentication digests, such as you might see in ZooKeeper node ACL entries"
  echo ""
  echo " Example: zk-digest.sh sqrrl:secret"
  exit 1
fi
# Classpath for a ZooKeeper 3.4.5 source/build tree; conf/ supplies the log4j
# configuration. The entries must be separated by ':' only, so the value is
# continued with '\' rather than containing newlines. Java only expands a
# classpath wildcard written as a bare '*' (not '*.jar'), hence 'lib/*'.
ZK_CLASSPATH="\
${ZOOKEEPER_HOME}/build/classes:\
${ZOOKEEPER_HOME}/build/lib/*:\
${ZOOKEEPER_HOME}/lib/slf4j-log4j12-1.6.1.jar:\
${ZOOKEEPER_HOME}/lib/slf4j-api-1.6.1.jar:\
${ZOOKEEPER_HOME}/lib/netty-3.2.2.Final.jar:\
${ZOOKEEPER_HOME}/lib/log4j-1.2.15.jar:\
${ZOOKEEPER_HOME}/lib/jline-0.9.94.jar:\
${ZOOKEEPER_HOME}/zookeeper-3.4.5.jar:\
${ZOOKEEPER_HOME}/src/java/lib/*:\
${ZOOKEEPER_HOME}/conf"
# DigestAuthenticationProvider.main prints "<arg>-><user>:<base64 sha1>" for
# each argument; "$@" passes the arguments through unchanged.
"${JAVA_HOME}/bin/java" \
  -Dzookeeper.log.dir="." \
  -Dzookeeper.root.logger="INFO,CONSOLE" \
  -cp "${ZK_CLASSPATH}" \
  -Dcom.sun.management.jmxremote \
  -Dcom.sun.management.jmxremote.local.only=false \
  org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"
29. ROOTING YOUR ZOOKEEPER
1. Create an identity
zk-digest.sh super:secret
super:secret->super:lK75jTNcA+U9vtVEw5vB51mj/w4=
This is a lie: each Accumulo instance has a name under /accumulo/instances, and those entries hold the UUIDs.
Connections are stateful within the cluster. The cluster manages the session state; clients are along for the ride, for the most part. A client sends a keep-alive ping to let the ZK server know it is still there. If a ZK client gets partitioned away from the cluster, its session goes into the disconnected state and then, once the session timeout elapses, the expired state.
Ephemeral nodes exist only as long as the session of the client that created them. Accumulo takes advantage of this feature to list the live tablet servers within a cluster.
Sequential nodes are a ZK feature. A client can request one, and ZK appends a monotonically increasing counter to the node name, so all clients see a consistent view of who created which node. You can use this to build a simple mutex for things like master server ownership within a cluster.
Clients may "watch" a node to be notified of updates and deletes. A watch fires once and then has to be set again. The Curator framework (originally from Netflix, now Apache Curator) takes a lot of the heavy lifting out of keeping local caches of ZooKeeper nodes up to date behind the scenes.
The location has a server name (as for tservers) plus the ZooKeeper client session ID. TabletLocationCache consults this information when it finds that it doesn't know where the root tablet is, or that the root tablet has moved to another server.
Digest is the authentication scheme; more on that one in a minute. The scheme can also be "auth", meaning anyone who authenticated with any scheme, "host", which matches a hostname (or a suffix of one), or "ip", which can be a specific IP or a subnet. The permissions are create, delete, read, write and admin (setting the ACL).
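The digest that zk-digest.sh obtains from ZooKeeper on slide 29, and the digest-scheme ACL entries and permission letters described in the note above, worked through as an added example. This is not code from the talk or from the ZooKeeper/Accumulo projects: it reimplements with the Python standard library what DigestAuthenticationProvider computes (base64 of an unsalted SHA-1 over "user:password"), parses the scheme:id:perms strings that zkCli.sh setAcl accepts, and checks a presented credential against a node's ACL list. Only the world and digest schemes are modelled; the ACL strings and the password word list are constructed for the example.

```python
"""Added example: ZooKeeper digest ids and digest/world ACL checks, offline."""
import base64
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


def digest_b64(data: str) -> str:
    """base64(SHA-1(data)): the hash DigestAuthenticationProvider stores."""
    return base64.b64encode(hashlib.sha1(data.encode("utf-8")).digest()).decode("ascii")


def zk_digest(id_password: str) -> str:
    """'user:password' -> 'user:<base64 sha1 of "user:password">', i.e. what
    zk-digest.sh prints and what appears as the id of a digest ACL entry."""
    user = id_password.split(":", 1)[0]
    return f"{user}:{digest_b64(id_password)}"


# Permission letters as used by zkCli: c=CREATE d=DELETE r=READ w=WRITE a=ADMIN
# (ADMIN is the right to change the ACL itself).
PERM_LETTERS = {"c": "CREATE", "d": "DELETE", "r": "READ", "w": "WRITE", "a": "ADMIN"}


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: FrozenSet[str]


def parse_acl(spec: str) -> Acl:
    """Parse 'scheme:id:perms'. A digest id itself contains a colon
    ('user:hash'), so take the scheme off the front and the permission
    letters off the back instead of splitting on every colon."""
    scheme, _, rest = spec.partition(":")
    ident, sep, letters = rest.rpartition(":")
    if not scheme or not sep or not letters:
        raise ValueError(f"malformed ACL spec: {spec!r}")
    unknown = set(letters) - PERM_LETTERS.keys()
    if unknown:
        raise ValueError(f"unknown permission letters {sorted(unknown)} in {spec!r}")
    return Acl(scheme, ident, frozenset(PERM_LETTERS[c] for c in letters))


def acl_allows(acls: Iterable[Acl], session_scheme: str, credential: str, perm: str) -> bool:
    """True if some entry grants `perm` to a session that presented
    `credential` under `session_scheme`. For digest, the presented
    'user:password' is hashed the same way the server does and compared with
    the stored id. auth/ip/host depend on connection state that this
    offline example does not have, so they never match here."""
    for acl in acls:
        if perm not in acl.perms:
            continue
        if acl.scheme == "world" and acl.id == "anyone":
            return True
        if (acl.scheme == "digest" and session_scheme == "digest"
                and acl.id == zk_digest(credential)):
            return True
    return False


def guess_digest_password(acl_id: str, candidates: Iterable[str]) -> Optional[str]:
    """Why a digest ACL entry is sensitive: the id is an unsalted, single-round
    SHA-1 of 'user:password', so anyone who can retrieve the ACL can test
    guesses offline at hash speed. Returns the first matching candidate."""
    user = acl_id.split(":", 1)[0]
    for pw in candidates:
        if zk_digest(f"{user}:{pw}") == acl_id:
            return pw
    return None


if __name__ == "__main__":
    print(zk_digest("super:secret"))
    # Constructed ACL list: one digest identity with all rights, world read-only.
    acls = [parse_acl("digest:" + zk_digest("ops:hunter2") + ":cdrwa"),
            parse_acl("world:anyone:r")]
    print(acl_allows(acls, "digest", "ops:hunter2", "WRITE"))
    print(acl_allows(acls, "digest", "ops:wrong", "WRITE"))
    print(acl_allows(acls, "world", "", "READ"))
    print(guess_digest_password(acls[0].id, ["password", "letmein", "hunter2"]))
```

The same "user:hash" string that zk_digest produces is what goes into the server's -Dzookeeper.DigestAuthenticationProvider.superDigest property to create the super user from slide 29, which is one more reason to treat the output as a credential rather than as public metadata.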