ZooKeeper ACLs Best Practices: Ranger KMS/Hadoop KMS

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Ranger KMS/Hadoop KMS when provisioning a secure cluster.

ZooKeeper Usage:
- If multiple instances of KMS are configured, both Ranger KMS and Hadoop KMS use zookeeper znode /hadoop-kms to store HTTP cookie signature secret. See “Http Authentication Signature” section here.
  
  /hadoop-kms - <HTTP cookie signature secret>
Default ACLs:
- /hadoop-kms - world:anyone:cdrwa
Security Best Practice ACLs/Permissions and Required Steps:
- /hadoop-kms - sasl:rangerkms:cdrwa
- Ranger KMS uses the user rangerkms. Only KMS needs access to this znode. This path (hadoop.kms.authentication.signer.secret.provider.zookeeper.path) can be configured in Ambari for Ranger KMS. Set the ACL using these steps:
  1. SSH to the cluster where Ranger KMS is present.
  2. Go to /usr/hdp/<version>/zookeeper/bin
  3. Run ./zkCli.sh -server <FQDN of Ranger KMS host>:2181”
  4. After it connects, run: ls /
  5. Verify there is a folder as specified in hadoop.kms.authentication.signer.secret.provider.zookeeper.path property of Ranger KMS configuration.
  6. Execute getAcl /hadoop-kms and if the permission is for world,anyone: cdrwa, restrict the permission to sasl:rangerkms:cdrwa using this command: setAcl /hadoop-kms sasl:rangerkms:cdrwa.
  7. Repeat the above step for all the clusters where Ranger KMS is installed.
```
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 0] getAcl /hadoop-kms
'world,'anyone
: cdrwa
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 4] setAcl /hadoop-kms sasl:rangerkms:cdrwa
cZxid = 0x20000001e
ctime = Tue Jun 07 12:22:58 UTC 2016
mZxid = 0x20000001e
mtime = Tue Jun 07 12:22:58 UTC 2016
pZxid = 0x20000001f
cversion = 1
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 5] getAcl /hadoop-kms 
'sasl,'rangerkms
: cdrwa
[zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 6]
```