Configuring Oozie HA with Kerberos
Important:
- If you use Cloudera Manager, do not use these command-line instructions. Use the Cloudera Manager Kerberos wizard instead, which automates the steps described in this section. If you have already enabled Kerberos, Cloudera Manager will automatically generate Kerberos credentials for the new Oozie server. It will also regenerate credentials for any existing servers.
- This information applies specifically to CDH 5.8.0. If you use a lower version of CDH, see the documentation for that version located at Cloudera Documentation.
In CDH 5, you can configure multiple active Oozie servers against the same database, providing high availability for Oozie. For instructions on setting up Oozie HA, see Oozie High Availability.
Let's assume a setup with three hosts running Oozie servers: host1.example.com, host2.example.com, and host3.example.com. The Load Balancer which directs traffic to the Oozie servers is running on oozie.example.com. Perform the following steps to configure Kerberos authentication on this Oozie HA-enabled deployment:
- Assuming your Kerberos realm is EXAMPLE.COM, create the following Kerberos principals:
  - oozie/host1.example.com@EXAMPLE.COM
  - oozie/host2.example.com@EXAMPLE.COM
  - oozie/host3.example.com@EXAMPLE.COM
  - HTTP/host1.example.com@EXAMPLE.COM
  - HTTP/host2.example.com@EXAMPLE.COM
  - HTTP/host3.example.com@EXAMPLE.COM
  - For the Load Balancer: HTTP/oozie.example.com@EXAMPLE.COM
- On each host, create a keytab file with the corresponding oozie and HTTP principals from the list above. Each keytab file should also have the Load Balancer's HTTP principal. For example, the keytab file on host1 would comprise:
  - oozie/host1.example.com@EXAMPLE.COM
  - HTTP/host1.example.com@EXAMPLE.COM
  - HTTP/oozie.example.com@EXAMPLE.COM
- On each host, configure the following properties in oozie-site.xml:
<property>
  <name>oozie.authentication.kerberos.principal</name>
  <value>HTTP/<hostname>@EXAMPLE.COM</value>
  <description>
    Indicates the Kerberos principal to be used for HTTP endpoint.
    The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.
  </description>
</property>
<property>
  <name>oozie.authentication.kerberos.keytab</name>
  <value>${oozie.service.HadoopAccessorService.keytab.file}</value>
  <description>
    Location of the keytab file with the credentials for the principal.
    Referring to the same keytab file Oozie uses for its Kerberos credentials for Hadoop.
  </description>
</property>
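As an added example (not part of the Cloudera documentation), the shell script below prints the kadmin.local commands for the principals and per-host keytabs described in the steps above, and checks a `klist -kt` listing for the three entries each host needs. It assumes MIT Kerberos `kadmin.local` and hypothetical keytab file names of the form `oozie-<host>.keytab`; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Assumptions: MIT Kerberos kadmin.local,
# keytab names oozie-<host>.keytab (hypothetical), hosts/realm as on this page.
REALM="EXAMPLE.COM"
LB_HOST="oozie.example.com"
HOSTS="host1.example.com host2.example.com host3.example.com"

# Principals that must be present in the keytab on one Oozie host.
required_principals() {
  printf '%s\n' "oozie/$1@$REALM" "HTTP/$1@$REALM" "HTTP/$LB_HOST@$REALM"
}

# Print the kadmin.local commands as a dry run; nothing is executed.
# -norandkey (kadmin.local only) exports the existing keys. Without it each
# ktadd re-keys HTTP/$LB_HOST, so only the last host's keytab would still
# hold a valid key for the Load Balancer principal.
keytab_plan() {
  echo "addprinc -randkey HTTP/$LB_HOST@$REALM"
  for h in $HOSTS; do
    echo "addprinc -randkey oozie/$h@$REALM"
    echo "addprinc -randkey HTTP/$h@$REALM"
    echo "ktadd -norandkey -k oozie-$h.keytab" $(required_principals "$h")
  done
}

# Read `klist -kt <keytab>` output on stdin and report principals missing
# for host $1. Matches the last field exactly; returns 1 if any is absent.
check_keytab_listing() {
  listing=$(cat)
  missing=0
  for p in $(required_principals "$1"); do
    printf '%s\n' "$listing" |
      awk -v p="$p" '$NF == p { found = 1 } END { exit !found }' ||
      { echo "missing: $p"; missing=1; }
  done
  return "$missing"
}

# Constructed `klist -kt` output for host1, with the Load Balancer entry absent.
SAMPLE_HOST1='Keytab name: FILE:oozie-host1.example.com.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   1 07/08/2016 10:00:00 oozie/host1.example.com@EXAMPLE.COM
   1 07/08/2016 10:00:00 HTTP/host1.example.com@EXAMPLE.COM'

keytab_plan
printf '%s\n' "$SAMPLE_HOST1" | check_keytab_listing host1.example.com || true
```

Each generated keytab holds service keys, so it should be readable only by the account that runs the Oozie server on that host.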
Page generated July 8, 2016.