2.2.5. Configure secure Oozie

Edit the oozie-site.xml file, to add the following information:

<property>
    <name>oozie.service.AuthorizationService.security.enabled</name>
    <value>true</value>
    <description>Specifies whether security (user name/admin role) is enabled or not. 
           If it is disabled any user can manage the Oozie system and manage any job.</description>
</property>
<property>
    <name>oozie.service.HadoopAccessorService.kerberos.enabled</name>
    <value>true</value>
    <description>Indicates if Oozie is configured to use Kerberos</description>
</property>
<property>
    <name>local.realm </name>
    <value>EXAMPLE.COM </value>
    <description>Kerberos Realm used by Oozie and Hadoop. Using 'local.realm' to be 
           aligned with Hadoop configuration</description>
</property>
<property>
    <name>oozie.service.HadoopAccessorService.keytab.file </name>
    <value>/etc/security/keytabs/oozie.service.keytab</value>
    <description>The keytab for the Oozie service principal.</description>
</property>
<property>
    <name>oozie.service.HadoopAccessorService.kerberos.principal</name>
    <value>$OOZIE_PRINCIPAL/_HOSTl@EXAMPLE.COM </value>
    <description>Kerberos principal for Oozie service</description>
</property>
<property>
    <name>oozie.authentication.type</name>
    <value>kerberos</value>
    <description>Authentication type</description>
</property>
<property>
    <name>oozie.authentication.kerberos.principal</name>
    <value>$HTTP_USER/_HOST@EXAMPLE.COM</value>
    <description>Whitelisted job tracker for Oozie service</description>
</property>
<property>
    <name> oozie.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
    <description>Location of the Oozie user keytab file.</description>
</property>
<property>
    <name>oozie.service.HadoopAccessorService.nameNode.whitelist</name>
    <value/>
    <description/>
</property>
<property>
    <name>oozie.authentication.kerberos.name.rules</name>
    <value><value>        
        RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/        
        RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/        
        RULE:[2:$1@$0](hbase@.*EXAMPLE.COM)s/.*/$HBASE_USER/        
        RULE:[2:$1@$0](hbase@.*EXAMPLE.COM)s/.*/$HBASE_USER/        
        DEFAULT</value> 
    <description>The mapping from Kerberos principal names to local service user names. 
                     </description>
</property>               

For mapping from Kerberos principal names to local OS user names, see Creating Mappings Between Principals and UNIX Usernames.


loading table of contents...