RANGER-5441: update Docker setup to support running Zookeeper with Kerberos (apache#808)

mneethiraj · kumaab · mneethiraj · commit 1e1f0db75cc7 · 2026-01-17T20:43:02.000-08:00
Co-authored-by: Abhishek Kumar <abhi@apache.org> (cherry picked from commit 3bd69c1)
diff --git a/dev-support/ranger-docker/.env b/dev-support/ranger-docker/.env
@@ -51,7 +51,7 @@ TAGSYNC_VERSION=3.0.0-SNAPSHOT
 SOLR_VERSION=8.11.2
 
 # Zookeeper Configuration
-ZK_VERSION=3.8.4
+ZK_VERSION=3.9.2
 
 # Kerberos
 KERBEROS_ENABLED=true
diff --git a/dev-support/ranger-docker/docker-compose.ranger.yml b/dev-support/ranger-docker/docker-compose.ranger.yml
@@ -78,6 +78,13 @@ services:
     image: ranger-zk
     container_name: ranger-zk
     hostname: ranger-zk.rangernw
+    volumes:
+      - ./dist/keytabs/ranger-zk:/etc/keytabs
+      - ./scripts/wait_for_keytab.sh:/etc/wait_for_keytab.sh
+      - ./scripts/kdc/krb5.conf:/etc/krb5.conf:ro
+      - ./scripts/zk/jaas.conf:/etc/zookeeper/jaas.conf
+      - ./scripts/zk/zookeeper-with-kerberos.sh:/zookeeper-with-kerberos.sh:ro
+    entrypoint: [ "/bin/bash", "/zookeeper-with-kerberos.sh" ]
     networks:
       - ranger
     ports:
diff --git a/dev-support/ranger-docker/scripts/kdc/entrypoint.sh b/dev-support/ranger-docker/scripts/kdc/entrypoint.sh
@@ -100,6 +100,8 @@ function create_keytabs() {
   create_principal_and_keytab knox ranger-knox
 
   create_principal_and_keytab HTTP ranger-solr
+
+  create_principal_and_keytab zookeeper ranger-zk
 }
 
 function create_testusers() {
diff --git a/dev-support/ranger-docker/scripts/zk/jaas.conf b/dev-support/ranger-docker/scripts/zk/jaas.conf
@@ -0,0 +1,8 @@
+Server {
+  com.sun.security.auth.module.Krb5LoginModule required
+  useKeyTab=true
+  keyTab="/etc/keytabs/zookeeper.keytab"
+  storeKey=true
+  useTicketCache=false
+  principal="zookeeper/ranger-zk.rangernw@EXAMPLE.COM";
+};
diff --git a/dev-support/ranger-docker/scripts/zk/zookeeper-with-kerberos.sh b/dev-support/ranger-docker/scripts/zk/zookeeper-with-kerberos.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+if [ "${KERBEROS_ENABLED}" = "true" ]; then
+  /etc/wait_for_keytab.sh zookeeper.keytab
+
+  export ZOO_CFG_EXTRA="authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider requireClientAuthScheme=sasl"
+  export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/jaas.conf -Dzookeeper.sasl.client=false ${SERVER_JVMFLAGS}"
+fi
+
+/docker-entrypoint.sh zkServer.sh start-foreground

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,8 @@ function create_keytabs() {`
`100`	`100`	`create_principal_and_keytab knox ranger-knox`
`101`	`101`
`102`	`102`	`create_principal_and_keytab HTTP ranger-solr`
	`103`	`+`
	`104`	`+ create_principal_and_keytab zookeeper ranger-zk`
`103`	`105`	`}`
`104`	`106`
`105`	`107`	`function create_testusers() {`