ZooKeeper ACLs Best Practices: Oozie

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Oozie when provisioning a secure cluster.

  • ZooKeeper Usage:
    • Used to coordinate multiple Oozie servers.

  • Default ACLs:

    In a secure cluster, Oozie restricts access to the Oozie znodes to the oozie principals only, using Kerberos-backed ACLs.

    • /oozie - node that stores Oozie server information in HA mode
      Default ACL: /oozie - world:anyone:cdrwa

    • /zkdtsm-oozie - node used for handling Oozie delegation tokens when the callback URL authentication is enabled
      Default ACL: /zkdtsm-oozie - world:anyone:cdrwa

  • Security Best Practice ACLs/Permissions and Required Steps:
    • If security is enabled in ZooKeeper, then Oozie connects to ZooKeeper using Kerberos by default.

Limitations

In Cloudera Base on premises 7.3.2 and lower versions, an Oozie-Curator integration bug causes Oozie to create the /services node without an Access Control List (ACL). Although Oozie does not use this node, the missing ACL triggers validation alerts in the system. To resolve this issue, you must manually apply the ACL with the following ZooKeeper CLI (zkCli) command:

    setAcl /services sasl:oozie:cdrwa
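The following audit script is an added example, not part of this page or of Cloudera's tooling. It parses ACL entries in the same scheme:id:perms form that setAcl takes, flags the Oozie znodes whose ACL still grants world:anyone more than read (or that have no ACL recorded, as in the /services case), and prints the setAcl line that tightens each one. The znode names come from this page; the sample ACL listing and the hardened /example-hardened node are constructed.

```python
"""Audit ZooKeeper ACLs on the znodes Oozie uses and emit setAcl fixes."""
from dataclasses import dataclass

# Permission letters exactly as zkCli prints and accepts them (cdrwa).
PERM_BITS = {"c": "CREATE", "d": "DELETE", "r": "READ", "w": "WRITE", "a": "ADMIN"}


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: frozenset


def parse_acl(spec: str) -> Acl:
    """Parse a zkCli-style ACL spec such as 'sasl:oozie:cdrwa'.

    The id part may itself contain ':' (digest:user:base64hash), so the
    permission field is split off from the right, the scheme from the left.
    """
    scheme_id, _, perms = spec.rpartition(":")
    scheme, _, ident = scheme_id.partition(":")
    if not scheme or not perms or set(perms) - set(PERM_BITS):
        raise ValueError(f"malformed ACL spec: {spec!r}")
    return Acl(scheme, ident, frozenset(perms))


def is_open(acl: Acl) -> bool:
    """True when an unauthenticated client (world:anyone) gets more than read."""
    return acl.scheme == "world" and acl.id == "anyone" and bool(acl.perms - {"r"})


def audit(acls_by_znode: dict, principal: str = "oozie"):
    """Return (findings, fixes): open znodes and the setAcl lines that tighten them."""
    findings, fixes = [], []
    for znode, specs in acls_by_znode.items():
        entries = [parse_acl(s) for s in specs]
        if not entries:  # no ACL recorded, the /services Oozie-Curator bug case
            findings.append((znode, "no ACL set"))
        elif any(is_open(a) for a in entries):
            findings.append((znode, "world:anyone has write/admin"))
        else:
            continue
        fixes.append(f"setAcl {znode} sasl:{principal}:cdrwa")
    return findings, fixes


# Constructed sample: the page's defaults, the unprotected /services node,
# and one hypothetical already-hardened node that must not be flagged.
SAMPLE = {
    "/oozie": ["world:anyone:cdrwa"],
    "/zkdtsm-oozie": ["world:anyone:cdrwa"],
    "/services": [],
    "/example-hardened": ["sasl:oozie:cdrwa", "world:anyone:r"],
}

if __name__ == "__main__":
    findings, fixes = audit(SAMPLE)
    for (znode, why), fix in zip(findings, fixes):
        print(f"{znode}: {why}  ->  {fix}")
```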