ZooKeeper ACLs Best Practices: Oozie
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Oozie when provisioning a secure cluster.
- ZooKeeper Usage:
-
Used to coordinate multiple Oozie servers.
-
Default ACLs:
In a secure cluster, Oozie restricts the access to Oozie Znodes to the oozie principals only using Kerberos backed ACLs.-
/oozie
- node that stores oozie server information in HA mode
-
/oozie
-world:anyone:cdrwa
ACLs:/zkdtsm-oozie
- node used for handling Oozie delegation tokens when the callback URL authentication is enabled/zkdtsm-oozie
-world:anyone:cdrwa
-
- Security Best Practice ACLs/Permissions and Required Steps:
- If security is enabled in ZooKeeper, then Oozie connects to ZooKeeper using Kerberos, by default.