oozie-site.xml
Reference material for adding security information to the
oozie-site.xml
configuration file when setting up Kerberos for non-Ambari
clusters.
To the oozie-site.xml
file, add the following information:
Property Name |
Property Value |
Description |
---|---|---|
oozie.service.AuthorizationService. security.enabled |
true |
Specifies whether security (user name/admin role) is enabled or not. If it is disabled any user can manage the Oozie system and manage any job. |
oozie.service.HadoopAccessorService. kerberos.enabled |
true |
Indicates if Oozie is configured to use Kerberos. |
local.realm |
EXAMPLE.COM |
Kerberos Realm used by Oozie and Hadoop. Using local.realm to be aligned with Hadoop configuration. |
oozie.service.HadoopAccessorService. keytab.file |
/etc/security/keytabs/oozie.service.keytab |
The keytab for the Oozie service principal. |
oozie.service.HadoopAccessorService. kerberos.principaloozie/ _HOSTl@EXAMPLE.COM |
oozie/_HOSTl@EXAMPLE.COM |
Kerberos principal for Oozie service. |
oozie.authentication.type |
kerberos |
|
oozie.authentication.kerberos. principal |
HTTP/_HOST@EXAMPLE.COM |
Whitelisted job tracker for Oozie service. |
oozie.authentication.kerberos.keytab |
/etc/security/keytabs/spnego.service.keytab |
Location of the Oozie user keytab file. |
oozie.service.HadoopAccessorService. nameNode.whitelist |
||
oozie.authentication.kerberos. name.rules |
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT |
The mapping from Kerberos principal names to local OS user names. “Create Mappings Between Principals and UNIX Usernames” for more information. |
oozie.service.ProxyUserService. proxyuser.knox.groups |
users |
Grant proxy privileges to the Knox user. Note only required when using a Knox Gateway. |
oozie.service.ProxyUserService. proxyuser.knox.hosts |
$knox_host_FQDN |
Identifies the Knox Gateway. Note only required when using a Knox Gateway. |