ZooKeeper ACLs Best Practices: Oozie

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Oozie when provisioning a secure cluster.

  • ZooKeeper Usage:
    • Used to coordinate multiple Oozie servers.

  • Default ACLs:

    In a secure cluster, Oozie restricts the access to Oozie Znodes to the oozie principals only using Kerberos backed ACLs.
    • /oozie - node that stores oozie server information in HA mode

    Default ACLs:
    • /oozie - world:anyone:cdrwa

    • /zkdtsm-oozie - node used for handling Oozie delegation tokens when the callback URL authentication is enabled

      ACLs:

      /zkdtsm-oozie - world:anyone:cdrwa

  • Security Best Practice ACLs/Permissions and Required Steps:
    • If security is enabled in ZooKeeper, then Oozie connects to ZooKeeper using Kerberos, by default.