MapR 5.0 Documentation : Configuring Oozie on a Secure Cluster

This page contains the following topics about configuring Oozie on a secure cluster:

Default Configuration

The default configuration for Oozie on a secure MapR cluster uses MapR tickets to authenticate between the Oozie client and server. The Oozie server uses MapR tickets to authenticate the connection between the JobTracker and the JobClient embedded in the Oozie server. This default configuration is in place once Oozie is installed and the security features for your cluster are enabled. No further configuration is required. See the main Oozie documentation for details on how to enable user impersonation for Oozie.

Configuring Oozie to use SSL

Oozie traffic that uses HTTP is not encrypted by default. To enable Secure Sockets Layer (SSL) encryption for Oozie, follow these steps:

  1. Shut down Oozie.
  2. As the mapr user, run the following command:
    # /opt/mapr/oozie/oozie-<version>/bin/ -hadoop <version> /opt/mapr/hadoop/hadoop-<version> -secure

  3. Restart Oozie. After the restart, Oozie listens on port 11443 instead of 11000. Change the value of the OOZIE_URL environment variable by running the following command:
    $ export OOZIE_URL="https://<fqdn>:11443/oozie"

    Using localhost instead of the Oozie server's fully qualified domain name may generate SSL handshake exceptions.

Using Kerberos to Securely Authenticate Between the Oozie Client and Server

Oozie can use Kerberos to secure authentication between the Oozie client and server. The Oozie server uses the Kerberos principal and keytab information specified in the Java Authentication and Authorization (JAAS) configuration file at /opt/mapr/conf/mapr.login.conf. Generate a Kerberos principal of the form http/<fqdn>@<realm> and store the keytab in the cluster’s keytab file. The default keytab file location is /opt/mapr/conf/mapr.keytab.

Setting Kerberos as the Default Oozie Client Authentication

To use Kerberos authentication on a specific invocation of Oozie without modifying your client, use the -auth KERBEROS option when you start Oozie, as in the following example:

$ bin/oozie admin -status -auth KERBEROS

Locate and comment out the following section in bin/oozie to set the Oozie client's default authentication to Kerberos:

if [ "$MAPR_SECURITY_STATUS" = "true" ]; then

Defining a Custom Principal and keytab File

By default, Oozie secured with Kerberos uses the keytab information in /opt/mapr/conf/mapr.keytab to authenticate inbound SPNEGO traffic. You can use custom Kerberos principals and keytab files if you wish. To specify the locations of these custom Kerberos principals and keytab files, make the following modifications to the oozie-site.xml file:

  • Explicitly change the authentication type to Kerberos.

                Defines authentication used for Oozie HTTP endpoint.
                Supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#
  • Modify the following entries to use your custom principals and keytab. The principal takes the form HTTP/<hostname>, where hostname is the URL used by the client to connect to the server.

                Indicates the Kerberos principal to be used for HTTP endpoint.
                The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.
                Location of the keytab file with the credentials for the principal.
                Referring to the same keytab file Oozie uses for its Kerberos credentials for Hadoop.

Disabling Cached Tokens

After a client authenticates to Oozie, the authentication token received by the client is cached in the user’s home directory in the .oozie-auth-token file. As long as the cached token remains valid, future authentication requests from the same client use that token and succeed, even if the client’s Kerberos or MapR credentials have expired or have been revoked. You can disable use of the cache file by using the oozie command-line interface with the -Doozie.auth.token.cache=false option.