Security Reference

oozie-site.xml

Reference material for adding security information to the oozie-site.xml configuration file when setting up Kerberos for non-Ambari clusters.

To the oozie-site.xml file, add the following information:

Table 1. oozie-site.xml Property Settings

| Property Name | Property Value | Description |
| --- | --- | --- |
| `oozie.service.AuthorizationService.security.enabled` | `true` | Specifies whether security (user name/admin role) is enabled or not. If it is disabled, any user can manage the Oozie system and manage any job. |
| `oozie.service.HadoopAccessorService.kerberos.enabled` | `true` | Indicates if Oozie is configured to use Kerberos. |
| `local.realm` | `EXAMPLE.COM` | Kerberos realm used by Oozie and Hadoop. Uses local.realm to align with the Hadoop configuration. |
| `oozie.service.HadoopAccessorService.keytab.file` | `/etc/security/keytabs/oozie.service.keytab` | The keytab for the Oozie service principal. |
| `oozie.service.HadoopAccessorService.kerberos.principal` | `oozie/_HOST@EXAMPLE.COM` | Kerberos principal for Oozie service. |
| `oozie.authentication.type` | `kerberos` | |
| `oozie.authentication.kerberos.principal` | `HTTP/_HOST@EXAMPLE.COM` | Whitelisted job tracker for Oozie service. |
| `oozie.authentication.kerberos.keytab` | `/etc/security/keytabs/spnego.service.keytab` | Location of the Oozie user keytab file. |
| `oozie.service.HadoopAccessorService.nameNode.whitelist` | | |
| `oozie.authentication.kerberos.name.rules` | `RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT` | The mapping from Kerberos principal names to local OS user names. See "Create Mappings Between Principals and UNIX Usernames" for more information. |
| `oozie.service.ProxyUserService.proxyuser.knox.groups` | `users` | Grant proxy privileges to the Knox user. Note: only required when using a Knox Gateway. |
| `oozie.service.ProxyUserService.proxyuser.knox.hosts` | `$knox_host_FQDN` | Identifies the Knox Gateway. Note: only required when using a Knox Gateway. |
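How the `oozie.authentication.kerberos.name.rules` value in the table maps principals to local user names, as an added Python example (not Hortonworks or Hadoop code). It models the rule syntax as first-match-wins with a filter regex that must match the whole formatted string; the default realm is assumed to be EXAMPLE.COM, principals are assumed fully qualified, and the sample principals and host names are constructed.

```python
import re

# name.rules value from the table; rules are whitespace-separated, first match wins.
NAME_RULES = (
    "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ "
    "RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ "
    "RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ "
    "RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ "
    "DEFAULT"
)
# RULE:[n:format](filter)s/pattern/replacement/g  (filter and sed parts are optional)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$"
)

def short_name(principal, rules=NAME_RULES, default_realm="EXAMPLE.COM"):
    """Map a Kerberos principal to a local user name; raise if no rule applies."""
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")   # $0 = realm, $1 = primary, $2 = instance
    for rule in rules.split():
        if rule == "DEFAULT":
            # DEFAULT takes the first component only when the realm is the default realm.
            if realm == default_realm:
                return params[1]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError(f"unparseable rule: {rule}")
        count, fmt, match, pattern, repl, repeat = m.groups()
        if int(count) != len(params) - 1:
            continue                     # rule is for a different number of components
        base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue                     # filter must match the whole formatted string
        if pattern is None:
            return base
        # sed-style substitution: first match only unless the rule ends in 'g'
        return re.sub(pattern, repl, base, count=0 if repeat else 1)
    raise LookupError(f"no rule matches {principal}")

if __name__ == "__main__":
    # Constructed sample principals.
    for p in ("nn/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"):
        print(p, "->", short_name(p))
```

Because the filter is `.*EXAMPLE.COM`, a principal such as `nn/host@DEV.EXAMPLE.COM` also maps to `hdfs`; tighten the realm part of the pattern if only one realm should match.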