The current handling of zookeeper.security.auth_to_local in KerberosName.java only supports rules given directly as property value.
These rules must therefore be given on the command line and:
- must be escaped properly to avoid shell expansion
- are visible in the ps output
It would be much better to put these rules in a file and pass the file path as the property value. We would then use something like -Dzookeeper.security.auth_to_local=file:/etc/zookeeper/rules.
Note that using the file: prefix allows keeping backward compatibility.