Configuring Oozie HA with Kerberos
In CDH 5, you can configure multiple active Oozie servers against the same database, providing high availability for Oozie. For instructions on setting up Oozie HA, see About Oozie High Availability.
Let's assume you have three hosts running Oozie servers, host1.example.com, host2.example.com and host3.example.com, and the Load Balancer running on oozie.example.com. The Load Balancer directs traffic to the Oozie servers: host1, host2 and host3. For such a configuration, assuming your Kerberos realm is EXAMPLE.COM, create the following Kerberos principals:
- oozie/host1.example.com@EXAMPLE.COM
- oozie/host2.example.com@EXAMPLE.COM
- oozie/host3.example.com@EXAMPLE.COM
- HTTP/host1.example.com@EXAMPLE.COM
- HTTP/host2.example.com@EXAMPLE.COM
- HTTP/host3.example.com@EXAMPLE.COM
- HTTP/oozie.example.com@EXAMPLE.COM
On each of the hosts, host1, host2 and host3, create a keytab file with its corresponding oozie and HTTP principals from the list above. All keytab files should also have the load balancer's HTTP principal. Hence, each keytab file should have 3 principals in all.
Edit the following property in the Oozie server configuration file, oozie-site.xml:
<property>
  <name>oozie.authentication.kerberos.principal</name>
  <value>*</value>
</property>
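One way to check the keytab requirement above on each host, as an added example that is not part of the original documentation. The function names and the sample listing are constructed for illustration; the input is the output of `klist -k` run against that host's Oozie keytab.

```shell
#!/bin/sh
# Added example (not from the original documentation): check one Oozie host's
# keytab against the HA principal list. Feed it `klist -k <keytab>` output.

# expected_principals HOST LB_HOST REALM: the three entries each keytab needs.
expected_principals() {
    printf '%s\n' "oozie/$1@$3" "HTTP/$1@$3" "HTTP/$2@$3"
}

# keytab_entries: reduce klist output on stdin to "KVNO PRINCIPAL" lines.
# Works with -k, -kt and -ke, because it selects the field containing "@".
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) print $1, $i }'
}

# missing_principals HOST LB_HOST REALM: print every expected principal that
# the keytab lacks; exit status 1 if any is missing, 0 otherwise.
missing_principals() {
    present=$(keytab_entries | cut -d' ' -f2 | sort -u)
    rc=0
    for p in $(expected_principals "$1" "$2" "$3"); do
        printf '%s\n' "$present" | grep -Fxq -- "$p" || { printf '%s\n' "$p"; rc=1; }
    done
    return "$rc"
}

# lb_kvnos LB_HOST REALM: key version numbers stored for the load balancer's
# HTTP principal. Run on host1..host3 and compare: they should be identical.
lb_kvnos() {
    keytab_entries | awk -v p="HTTP/$1@$2" '$2 == p { print $1 }' | sort -un
}

# Constructed sample: host2's keytab, exported without the load balancer entry.
sample_host2() {
    cat <<'EOF'
Keytab name: FILE:/path/to/oozie.keytab
KVNO Principal
---- ----------------------------------------------
   2 oozie/host2.example.com@EXAMPLE.COM
   2 HTTP/host2.example.com@EXAMPLE.COM
EOF
}
```

A host whose keytab lacks the load balancer's HTTP principal, or holds a different key version of it than the other hosts, cannot accept tickets that clients request for oozie.example.com.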