Cloudera Docs

User authorization configuration for Oozie

Learn about user authorization model for Oozie and Access Control List (ACL). Also, learn about how to define admin users for Oozie jobs and ACL.

Oozie has a basic authorization model which is as follows:
  • Users have read access to all jobs
  • Users have write access to their own jobs
  • Users have write access to jobs based on an ACL, which is a list of users and groups
  • Users have read access to admin operations
  • Admin users have write access to all jobs
  • Admin users have write access to admin operations

If security is disabled all users are admin users.

Oozie security is set through the following configuration property, which is false by default:
oozie.service.AuthorizationService.security.enabled=false

Defining admin users

Admin users are determined from the list of admin groups, specified in the oozie.service.AuthorizationService.admin.groups property. Use commas to separate multiple groups. Spaces, tabs, and ENTER characters are trimmed.

If the above property for admin groups is not set, then you can define the admin users in the following manner. The list of admin users can be in the conf/adminusers.txt file. The syntax of this file is as follows:
  • One user name per line
  • Empty lines and lines starting with # are ignored

Admin users can also be defined in the oozie.serviceAuthorizationService.admin.users property. Use commas to separate multiple admin users. Spaces, tabs, and ENTER characters are trimmed.

In case there are admin users defined using both methods, the effective list of admin users will be the union of the admin users found in the adminusers.txt file and those specified with the oozie.serviceAuthorizationService.admin.users property.

Defining access control lists

ACLs are defined in the following ways:
  • workflow job submission over CLI

    Configuration property group.name of job.properties.

  • workflow job submission over HTTP

    Configuration property group.name of the XML submitted over HTTP.

  • workflow job re-run

    Configuration property oozie.job.acl (preferred) or configuration property group.name of job.properties.

  • coordinator job submission over CLI

    Configuration property oozie.job.acl (preferred) or configuration property group.name of job.properties.

  • bundle job submission over CLI

    Configuration property oozie.job.acl (preferred) or configuration property group.name of job.properties.

For all other workflow, coordinator, or bundle actions, the ACL set in beforehand are used as basis.

Once the ACL for the job is defined, Oozie checks over HDFS whether the user trying to perform a specific action is part of the necessary group(s). For implementation details, check out org.apache.hadoop.security.Groups#getGroups(String user).

Note that it is enough that the submitting user be part of at least one group of the ACL. Note also that the ACL can contain user names as well. If there is an ACL defined and the submitting user is not part of any group or user name present in the ACL, an AuthorizationException is thrown.

Example: A typical ACL setup

Detail of job.properties on workflow job submission:
user.name=joe
group.name=marketing,admin,qa,root

HDFS group membership of HDFS user joe is qa. That is, the check to org.apache.hadoop.security.Groups#getGroups("joe") returns qa. Hence, ACL check passes inside AuthorizationService, because the user.name provided belongs to at least one of the ACL list elements provided as group.name.