Configuring Oozie on a Secure Cluster

The default configuration for Oozie on a secure MapR cluster uses MapR tickets to authenticate between the Oozie client and server. The Oozie server uses MapR tickets to authenticate the connection between the JobTracker and the JobClient embedded in the Oozie server. This default configuration is in place once Oozie is installed and the security features for your cluster are enabled. See Enabling and Disabling Security. No further configuration is required. See User Impersonation for Oozie to enable user impersonation for Oozie.

The sections below provide instructions for various Oozie configurations on a secure MapR cluster:

Configuring Oozie to use SSL

Oozie traffic that uses HTTP is not encrypted by default. To enable Secure Sockets Layer (SSL) encryption for Oozie, follow these steps:

  1. Shut down Oozie.
  2. As the mapr user, run the following command:
    # /opt/mapr/oozie/oozie-<version>/bin/oozie-setup.sh -hadoop <version> /opt/mapr/hadoop/hadoop-<version> -secure
  3. Restart Oozie. After the restart, Oozie listens on port 11443 instead of 11000. Change the value of the OOZIE_URL environment variable by running the following command:
    $ export OOZIE_URL="https://<fqdn>:11443/oozie"
    Warning:

    Using localhost instead of the Oozie server's fully qualified domain name may generate SSL handshake exceptions.

Using Kerberos to Securely Authenticate Between the Oozie Client and Server

Oozie can use Kerberos to secure authentication between the Oozie client and server. The Oozie server uses the Kerberos principal and keytab information specified in the Java Authentication and Authorization (JAAS) configuration file at /opt/mapr/conf/mapr.login.conf. Generate a Kerberos principal of the form http/ <fqdn>@<realm> and store the keytab in the cluster’s keytab file. The default keytab file location is /opt/mapr/conf/mapr.keytab.

To use Kerberos authentication on a specific invocation of Oozie without modifying your client, use the -auth KERBEROS option when you start Oozie, as in the following example:

$ bin/oozie admin -status -auth KERBEROS

Disabling Cached Tokens

By default, Oozie secured with Kerberos uses the keytab information in /opt/mapr/conf/mapr.keytab to authenticate inbound SPNEGO traffic. You can use custom Kerberos principals and keytab files if you wish. To specify the locations of these custom Kerberos principals and keytab files, make the following modifications to the oozie-site.xml file:

  • Explicitly change the authentication type to Kerberos.

        <property>
            <name>oozie.authentication.type</name>
            <value>kerberos</value>
            <description>
                Defines authentication used for Oozie HTTP endpoint.
                Supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#
            </description>
        </property>
  • Modify the following entries to use your custom principals and keytab. The principal takes the form HTTP/<hostname>, where hostname is the URL used by the client to connect to the server.

    <property>
            <name>oozie.authentication.kerberos.principal</name>
            <value>HTTP/<hostname>@${local.realm}</value>
            <description>
                Indicates the Kerberos principal to be used for HTTP endpoint.
                The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.
            </description>
        </property>
    
        <property>
            <name>oozie.authentication.kerberos.keytab</name>
            <value>${oozie.service.HadoopAccessorService.keytab.file}</value>
            <description>
                Location of the keytab file with the credentials for the principal.
                Referring to the same keytab file Oozie uses for its Kerberos credentials for Hadoop.
            </description>
        </property>

After a client authenticates to Oozie, the authentication token received by the client is cached in the user’s home directory in the .oozie-auth-token file. As long as the cached token remains valid, future authentication requests from the same client use that token and succeed, even if the client’s Kerberos or MapR credentials have expired or have been revoked. You can disable use of the cache file by using the oozie command-line interface with the -Doozie.auth.token.cache=false option.