This page describes configuring Oozie on a secure cluster.
The default configuration for Oozie on a secure MapR cluster uses MapR tickets to authenticate between the Oozie client and server. The Oozie server uses MapR tickets to authenticate the connection between the JobTracker and the JobClient embedded in the Oozie server. This default configuration is in place once Oozie is installed and the security features for your cluster are enabled. No further configuration is required. See the main Oozie documentation for details on how to enable user impersonation for Oozie.
Configuring Oozie to use SSL
Oozie traffic that uses HTTP is not encrypted by default. To enable Secure Sockets Layer (SSL) encryption for Oozie, follow these steps:
- Shut down Oozie.
- As the mapr user, run the following command:
  # /opt/mapr/oozie/oozie-<version>/bin/oozie-setup.sh -hadoop <version> /opt/mapr/hadoop/hadoop-<version> -secure
- Restart Oozie. After the restart, Oozie listens on port 11443 instead of 11000.
- Change the value of the OOZIE_URL environment variable by running the following command:
  $ export OOZIE_URL="https://<fqdn>:11443/oozie"
Using localhost in OOZIE_URL instead of the Oozie server's fully qualified domain name may generate SSL handshake exceptions.
Using Kerberos to Securely Authenticate Between the Oozie Client and Server
Oozie can use Kerberos to secure authentication between the Oozie client and server. The Oozie server uses the Kerberos principal and keytab information specified in the Java Authentication and Authorization Service (JAAS) configuration file at /opt/mapr/conf/mapr.login.conf. Generate a Kerberos principal of the form <fqdn>@<realm> and store the keytab in the cluster's keytab file. The default keytab file location is /opt/mapr/conf/mapr.keytab.
Setting Kerberos as the Default Oozie Client Authentication
To use Kerberos authentication for a single Oozie client invocation without modifying the client, pass the -auth KERBEROS option when you run the oozie command. To make Kerberos the Oozie client's default authentication instead, locate and comment out the corresponding section in bin/oozie.
Defining a Custom Principal and keytab File
By default, Oozie secured with Kerberos uses the keytab information in /opt/mapr/conf/mapr.keytab to authenticate inbound SPNEGO traffic. You can use custom Kerberos principals and keytab files instead. To specify their locations, make the following modifications to the Oozie server configuration:
- Explicitly change the authentication type to Kerberos.
- Modify the principal and keytab entries to use your custom principal and keytab. The principal takes the form HTTP/<hostname>, where <hostname> is the host name clients use in the URL when they connect to the server.
Disabling Cached Tokens
After a client authenticates to Oozie, the authentication token it receives is cached in the .oozie-auth-token file in the user's home directory. As long as the cached token remains valid, subsequent authentication requests from the same client use that token and succeed, even if the client's Kerberos or MapR credentials have since expired or been revoked. You can disable use of the cache file by using the
oozie command-line interface with the
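The following client-side preflight script is an added example and is not code from MapR or the Oozie project. It ties together three points made on this page: after the -secure setup the client must use an https URL on port 11443 with the server's fully qualified name rather than localhost; the SPNEGO principal in the keytab must be HTTP/<hostname> for the host name clients actually connect to; and a cached ~/.oozie-auth-token keeps working after the underlying credentials are revoked, so it has to be removed to force re-authentication. The function names, the KRB_REALM variable and the klist -kt output layout used for the self-test are assumptions; the URL shape, principal form and cache file name come from the page.

```shell
#!/bin/sh
# Preflight checks for an Oozie client on a MapR-secured cluster (added
# example, not MapR/Oozie code). From the page: https + port 11443 + /oozie path
# after -secure setup, SPNEGO principal HTTP/<hostname>, cache file
# ~/.oozie-auth-token. Function names and the klist output format are assumptions.

# check_oozie_url URL
# Returns 0 when URL uses https, port 11443, a fully qualified host that is not
# localhost, and ends in /oozie; otherwise reports the problem and returns 1.
check_oozie_url() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) echo "OOZIE_URL must use https after the -secure setup: $url" >&2; return 1 ;;
    esac
    hostport="${url#https://}"; hostport="${hostport%%/*}"
    host="${hostport%%:*}"
    port="${hostport##*:}"
    [ "$port" = "$hostport" ] && port=""      # no explicit port in the URL
    case "$host" in
        ""|localhost|127.0.0.1)
            echo "use the server's FQDN rather than '$host' (SSL handshake errors otherwise)" >&2; return 1 ;;
        *.*) ;;
        *) echo "host '$host' is not a fully qualified domain name" >&2; return 1 ;;
    esac
    if [ "$port" != "11443" ]; then
        echo "expected port 11443 after the -secure setup, got '${port:-none}'" >&2; return 1
    fi
    case "$url" in
        */oozie|*/oozie/) return 0 ;;
        *) echo "OOZIE_URL should end in /oozie: $url" >&2; return 1 ;;
    esac
}

# principals_from_klist
# Reads `klist -kt <keytab>` output on stdin and prints one principal per line
# (the last field of every line that contains an '@').
principals_from_klist() {
    awk '$NF ~ /@/ { print $NF }'
}

# check_spnego_principal HOST REALM   (klist -kt output on stdin)
# Returns 0 when the keytab holds exactly HTTP/HOST@REALM, the principal that
# inbound SPNEGO requests for HOST will be validated against.
check_spnego_principal() {
    principals_from_klist | grep -qxF "HTTP/$1@$2"
}

# clear_cached_token
# Removes $HOME/.oozie-auth-token so the next oozie CLI call must authenticate
# with the current credentials instead of the cached token. Returns 0 if a file
# was removed, 2 if there was nothing to remove.
clear_cached_token() {
    cache="${HOME:?HOME is not set}/.oozie-auth-token"
    if [ -f "$cache" ]; then
        rm -f "$cache"
        echo "removed $cache; the next oozie command will re-authenticate"
        return 0
    fi
    return 2
}

# Usage on a real node (KRB_REALM is an assumed variable holding the realm):
#   klist -kt /opt/mapr/conf/mapr.keytab | check_spnego_principal "$(hostname -f)" "$KRB_REALM"
#   clear_cached_token
if [ -n "${OOZIE_URL:-}" ]; then
    check_oozie_url "$OOZIE_URL" && echo "OOZIE_URL looks right: $OOZIE_URL"
fi
```

The URL check only inspects the string; it does not open a connection, so it can run before the server is reachable. The principal check is deliberately exact (grep -x -F): a keytab entry for HTTP/localhost@REALM or for the short host name will not satisfy it, which is precisely the mismatch that makes SPNEGO fail when clients connect by FQDN.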