Configuring Oozie on a Secure Cluster
The default configuration for Oozie on a secure MapR cluster uses MapR tickets to authenticate between the Oozie client and server. The Oozie server uses MapR tickets to authenticate the connection between the YARN components and the JobClient embedded in the Oozie server. Starting in the MEP 4.0 release, for secure clusters, Oozie is also configured to use SSL encryption. This default configuration is in place once Oozie is installed and the security features for your cluster are enabled. See Enabling and Disabling Security. No further configuration is required. See User Impersonation for Oozie to enable user impersonation for Oozie.
The sections below provide instructions to manually configure Oozie features on a secure MapR cluster:
Configuring the Oozie Server to use SSL
Oozie traffic that uses HTTP is not encrypted by default for non-secure clusters and clusters earlier than MEP 4.0. To enable Secure Sockets Layer (SSL) encryption for Oozie, follow these steps:
- Shut down Oozie.
- For Oozie 4.3, specify the path to the keystore and password at
/opt/mapr/oozie/oozie-<version>/conf/oozie-env.sh:
Copy theexport OOZIE_HTTPS_KEYSTORE_PASS=password export OOZIE_HTTPS_KEYSTORE_FILE=${HOME}/.keystoressl_keystorefrom the web server node if it does not exist on the current node and use following settings:export OOZIE_HTTPS_KEYSTORE_PASS=mapr123 export OOZIE_HTTPS_KEYSTORE_FILE="/opt/mapr/conf/ssl_keystore" - As the
cluster admin, run the following command:# /opt/mapr/oozie/oozie-<version>/bin/oozie-setup.sh -hadoop <version> /opt/mapr/hadoop/hadoop-<version> -secure - Restart Oozie. After the restart, Oozie listens on port 11443 instead of 11000.
Change the value of the
OOZIE_URLenvironment variable by running the following command:$ export OOZIE_URL="https://<fqdn>:11443/oozie"WARNING: Usinglocalhostinstead of the Oozie server's fully qualified domain name may generate SSL handshake exceptions.
Configuring Oozie Clients to Use SSL (Oozie 4.2.0)
To configure the Oozie clients, follow these steps:
- Export the certificate from the Oozie server
node:
sudo -u mapr keytool -exportcert -alias <alias> -file /opt/mapr/conf/certificate.cert -keystore /opt/mapr/conf/ssl_keystore - Copy
/opt/mapr/conf/certificate.certto all Oozie client nodes. - On the Oozie client nodes, import the
certificate:
sudo keytool -importcert -alias my.cluster.com -file /opt/mapr/conf/certificate.cert -keystore ${JRE_cacerts}
Configuring Oozie Clients to Use SSL (Oozie 4.3.0)
To configure the Oozie clients, follow this step:
- Specify the path to the keystore and password at
/opt/mapr/oozie/oozie-<version>/conf/oozie-client-env.sh:export OOZIE_CLIENT_OPTS='- Djavax.net.ssl.trustStore=/path/to/oozie.truststore'
Using Kerberos to Securely Authenticate Between the Oozie Client and Server
Oozie can
use Kerberos to secure authentication between the Oozie client and
server. The Oozie server uses the Kerberos principal and keytab
information specified in the Java Authentication and Authorization
(JAAS) configuration file at
/opt/mapr/conf/mapr.login.conf. Generate a Kerberos
principal of the form
http/
<fqdn>@<realm>
and store
the keytab in the cluster’s keytab file. The default keytab file
location is /opt/mapr/conf/mapr.keytab.
To use Kerberos authentication on a specific invocation of Oozie
without modifying your client, use the -auth
KERBEROS option when you start Oozie, as in the following
example:
$ bin/oozie admin -status -auth KERBEROSDefining a Custom Principal and Keytab File
You can use custom Kerberos principals and keytab files if you wish. To specify the
locations of these custom Kerberos principals and keytab files, make the following
modifications to the oozie-site.xml file:
-
Explicitly change the authentication type to Kerberos.
<property> <name>oozie.authentication.type</name> <value>kerberos</value> <description> Defines authentication used for Oozie HTTP endpoint. Supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME# </description> </property> -
Modify the following entries to use your custom principals and keytab. The principal takes the form
HTTP/<hostname>, where hostname is the URL used by the client to connect to the server.<property> <name>oozie.service.HadoopAccessorService.keytab.file</name> <value>/opt/mapr/conf/mapr.keytab</value> <description> Location of the Oozie user keytab file. </description> </property> <property> <name>local.realm</name> <value>{local.realm}</value> <description> Kerberos Realm used by Oozie and Hadoop. Using 'local.realm' aligns with Hadoop configuration </description> </property> <property> <name>oozie.service.HadoopAccessorService.kerberos.principal</name> <value>mapr/<hostname>@${local.realm}</value> <description> Kerberos principal for Oozie service. </description> </property> <property> <name>oozie.authentication.kerberos.principal</name> <value>HTTP/<hostname>@${local.realm}</value> <description> Indicates the Kerberos principal to be used for the HTTP endpoint. The principal MUST start with 'HTTP/' per the Kerberos HTTP SPNEGO specification. </description> </property> - Optional: If you plan to run Oozie actions that require talking to external
services, add the
oozie.credentials.credentialclassestooozie-site.xml. For more details, see the Oozie documentation .<property> <name>oozie.credentials.credentialclasses</name> <value> hcat=org.apache.oozie.action.hadoop.HCatCredentials, hbase=org.apache.oozie.action.hadoop.HbaseCredentials, hive2=org.apache.oozie.action.hadoop.Hive2Credentials </value> </property>
Disabling Cached Tokens
After a client authenticates to Oozie, the authentication token received by the client
is cached in the user’s home directory in the .oozie-auth-token file.
As long as the cached token remains valid, future authentication requests from the same
client use that token and succeed, even if the client’s Kerberos or MapR credentials
have expired or have been revoked. You can disable use of the cache file by using the
oozie command-line interface with the
-Doozie.auth.token.cache false option.