Configuring Oozie on a Secure Cluster
The default configuration for Oozie on a secure MapR cluster uses MapR tickets to authenticate between the Oozie client and server. The Oozie server uses MapR tickets to authenticate the connection between the JobTracker and the JobClient embedded in the Oozie server. This default configuration is in place once Oozie is installed and the security features for your cluster are enabled. See Enabling and Disabling Security. No further configuration is required. See User Impersonation for Oozie to enable user impersonation for Oozie.
The sections below provide instructions for various Oozie configurations on a secure MapR cluster:
Configuring Oozie to use SSL
Oozie traffic that uses HTTP is not encrypted by default. To enable Secure Sockets Layer (SSL) encryption for Oozie, follow these steps:
- Shut down Oozie.
- As the mapr user, run the following command:
  # /opt/mapr/oozie/oozie-<version>/bin/oozie-setup.sh -hadoop <version> /opt/mapr/hadoop/hadoop-<version> -secure
- Restart Oozie. After the restart, Oozie listens on port 11443 instead of 11000.
- On each client, change the value of the OOZIE_URL environment variable so that it uses HTTPS, the new port, and the Oozie server's fully qualified domain name:
  $ export OOZIE_URL="https://<fqdn>:11443/oozie"
WARNING: Using localhost instead of the Oozie server's fully qualified domain name may generate SSL handshake exceptions, because the host name in OOZIE_URL is checked against the name in the server's certificate.
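The following script is an added example, not part of the MapR documentation or of the Oozie project. It checks an OOZIE_URL value against the rules above (https, port 11443, a fully qualified host name rather than localhost, the /oozie path) before you export it, and optionally performs the same TLS handshake with hostname verification that the Oozie client performs, so a name mismatch shows up as ssl.CertificateError rather than a vague handshake exception in Oozie. The host name oozie1.example.com and the cafile argument are assumptions for illustration.

```python
"""Sanity-check an OOZIE_URL value for an SSL-enabled Oozie server."""
import socket
import ssl
from urllib.parse import urlparse

OOZIE_SSL_PORT = 11443    # port Oozie listens on after oozie-setup.sh ... -secure
OOZIE_PLAIN_PORT = 11000  # port used before SSL was enabled

# Names that never match a certificate issued for the server's FQDN.
LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def check_oozie_url(url):
    """Return a list of problems with an OOZIE_URL value; an empty list means it looks right."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme is %r; an SSL-enabled Oozie requires https" % parts.scheme)
    host = parts.hostname or ""
    if host in LOCAL_NAMES:
        problems.append("host %r will not match the server certificate; use the FQDN" % host)
    elif "." not in host:
        problems.append("host %r is not fully qualified; use the FQDN" % host)
    port = parts.port
    if port == OOZIE_PLAIN_PORT:
        problems.append("port 11000 is the pre-SSL port; use 11443")
    elif port != OOZIE_SSL_PORT:
        problems.append("port %r is not the SSL port 11443" % port)
    if parts.path.rstrip("/") != "/oozie":
        problems.append("path %r should be /oozie" % parts.path)
    return problems


def tls_probe(url, cafile=None, timeout=5.0):
    """Do the handshake a client would do, with certificate and hostname verification.

    Returns (tls_version, certificate_subject). Raises ssl.SSLError or
    ssl.CertificateError when the name in the URL does not match the certificate,
    which is the failure the localhost warning describes.
    """
    parts = urlparse(url)
    # check_hostname=True and CERT_REQUIRED are the defaults of this context.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((parts.hostname, parts.port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return tls.version(), subject


if __name__ == "__main__":
    # Assumed host name for illustration.
    for candidate in ("https://oozie1.example.com:11443/oozie",
                      "https://localhost:11443/oozie",
                      "http://oozie1.example.com:11000/oozie"):
        print(candidate, check_oozie_url(candidate) or "ok")
```

If the keystore created by oozie-setup.sh holds a self-signed certificate, pass the server certificate (or the CA that signed it) as cafile to tls_probe; otherwise the probe fails on trust before it reaches the hostname check.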
Using Kerberos to Securely Authenticate Between the Oozie Client and Server
Oozie can use Kerberos to authenticate the Oozie client to the Oozie server. The Oozie server uses the Kerberos principal and keytab information specified in the Java Authentication and Authorization Service (JAAS) configuration file at /opt/mapr/conf/mapr.login.conf. Generate a Kerberos principal of the form HTTP/<fqdn>@<realm> (the HTTP/ prefix is required by the SPNEGO specification and is case-sensitive) and store its key in the cluster's keytab file. The default keytab file location is /opt/mapr/conf/mapr.keytab.
To use Kerberos authentication on a specific invocation of the Oozie client without modifying the client configuration, pass the -auth KERBEROS option, as in the following example:
$ bin/oozie admin -status -auth KERBEROS
By default, Oozie secured with Kerberos uses the keytab information in /opt/mapr/conf/mapr.keytab to authenticate inbound SPNEGO traffic. You can use custom Kerberos principals and keytab files if you wish. To specify the locations of these custom Kerberos principals and keytab files, make the following modifications to the oozie-site.xml file:
- Explicitly change the authentication type to Kerberos.
<property>
  <name>oozie.authentication.type</name>
  <value>kerberos</value>
  <description>
    Defines authentication used for Oozie HTTP endpoint.
    Supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#
  </description>
</property>
- Modify the following entries to use your custom principal and keytab. The principal takes the form HTTP/<hostname>, where hostname is the host name that clients use in the URL to connect to the server. Restrict the keytab file's permissions so that only the user the Oozie server runs as can read it; anyone who can read the keytab can impersonate the Oozie HTTP endpoint.
<property>
  <name>oozie.authentication.kerberos.principal</name>
  <value>HTTP/<hostname>@${local.realm}</value>
  <description>
    Indicates the Kerberos principal to be used for HTTP endpoint.
    The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.
  </description>
</property>
<property>
  <name>oozie.authentication.kerberos.keytab</name>
  <value>${oozie.service.HadoopAccessorService.keytab.file}</value>
  <description>
    Location of the keytab file with the credentials for the principal.
    Referring to the same keytab file Oozie uses for its Kerberos credentials for Hadoop.
  </description>
</property>
Disabling Cached Tokens
After a client authenticates to Oozie, the authentication token received by the client is cached in the user's home directory in the .oozie-auth-token file. As long as the cached token remains valid, subsequent requests from the same client present that token instead of authenticating again and succeed, even if the client's Kerberos or MapR credentials have expired or have been revoked. To make every invocation authenticate afresh, disable use of the cache file by running the oozie command-line interface with the -Doozie.auth.token.cache=false Java system property.
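The following is an added example, not part of the MapR documentation or of the Oozie project, that shows why the cached token outlives a revoked credential: its acceptance depends only on the expiry it carries. The script reads ~/.oozie-auth-token and reports the user, principal and remaining lifetime. It assumes the file holds the Hadoop HTTP authentication token as one line of '&'-separated key=value fields (u user, p principal, t auth type, e expiry in milliseconds since the epoch, s server signature); the page does not state the layout, so adjust the parser if yours differs. The sample token is constructed for the example.

```python
"""Inspect the client-side Oozie authentication token cache (~/.oozie-auth-token)."""
import os
import time
from urllib.parse import parse_qsl

# Constructed sample, not captured from a real cluster. The signature value is a placeholder.
SAMPLE_TOKEN = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1700000000000&s=not-a-real-signature"


def cache_path():
    """Location the text gives for the cache: .oozie-auth-token in the user's home directory."""
    return os.path.join(os.path.expanduser("~"), ".oozie-auth-token")


def parse_token(raw):
    """Split the assumed u/p/t/e/s token layout into a dict; raise on missing fields."""
    fields = dict(parse_qsl(raw.strip(), keep_blank_values=True))
    missing = [k for k in ("u", "p", "t", "e") if k not in fields]
    if missing:
        raise ValueError("token is missing field(s): %s" % ", ".join(missing))
    return {
        "user": fields["u"],
        "principal": fields["p"],
        "auth_type": fields["t"],
        "expires_ms": int(fields["e"]),
        "signed": bool(fields.get("s")),
    }


def token_status(raw, now=None):
    """Report whether the cached token is still within its lifetime.

    Nothing here consults the KDC or the MapR ticket server: a token whose expiry is
    in the future is presented and accepted even after the underlying credentials
    were revoked, which is the exposure the text describes.
    """
    now_s = time.time() if now is None else now
    info = parse_token(raw)
    remaining_s = info["expires_ms"] / 1000.0 - now_s
    info["remaining_s"] = remaining_s
    info["valid"] = remaining_s > 0
    return info


def read_cache(path=None):
    """Return the token status for the cache file, or None when no cache exists."""
    path = path or cache_path()
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return token_status(fh.read())


if __name__ == "__main__":
    status = read_cache()
    if status is None:
        print("no cached token at", cache_path())
    else:
        print("%s (%s) via %s: %s, %.0f s remaining"
              % (status["user"], status["principal"], status["auth_type"],
                 "valid" if status["valid"] else "expired", status["remaining_s"]))
```

When revoking a user's credentials, delete the cache file on every client host the user has used in addition to revoking the Kerberos principal or MapR ticket, or run the CLI with -Doozie.auth.token.cache=false so no such file is consulted.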