2.3.2. Configuring Secure Oozie

Use the following description to set up secure Oozie.

Using a text editor, edit the /etc/oozie/conf/oozie-site.xml file to add or modify the following information:

<property>
    <name>oozie.service.AuthorizationService.security.enabled</name>
    <value>true</value>
    <description>Specifies whether security (user name/admin role) is enabled or not. 
           If it is disabled any user can manage the Oozie system and manage any job.</description>
</property>

<property>
    <name>oozie.service.HadoopAccessorService.kerberos.enabled</name>
    <value>true</value>
    <description>Indicates if Oozie is configured to use Kerberos</description>
</property>

<property>
    <name>local.realm </name>
    <value>EXAMPLE.COM </value>
    <description>Kerberos Realm used by Oozie and Hadoop. Using 'local.realm' to be 
           aligned with Hadoop configuration</description>
</property>

<property>
    <name>oozie.service.HadoopAccessorService.keytab.file </name>
    <value>/etc/security/keytabs/oozie.service.keytab</value>
    <description>The keytab for the Oozie service principal.</description>
</property>

<property>
    <name>oozie.service.HadoopAccessorService.kerberos.principal</name>
    <value>oozie/host1234.example.com@EXAMPLE.COM </value>
    <description>Kerberos principal for Oozie service.  Must use the hostname of the Oozie Server.</description>
</property>

<property>
    <name>oozie.authentication.kerberos.principal</name>
    <value>HTTP/host1234.example.com@EXAMPLE.COM</value>
    <description>Must use the hostname of the Oozie Server.</description>
</property>

<property>
    <name> oozie.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
    <description>Location of the Oozie user keytab file.</description>
</property>

<property>
    <name>oozie.authentication.type</name>
    <value>kerberos</value>
    <description></description>
</property>

<property>
    <name>oozie.authentication.kerberos.name.rules</name>
    <value><value>        
        RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/ $MAPREDUCE_USER/        
        RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/ $HDFS_USER/        
        RULE:[2:$1@$0](hbase@.*EXAMPLE.COM)s/.*/ $HBASE_USER/        
        RULE:[2:$1@$0](hbase@.*EXAMPLE.COM)s/.*/ $HBASE_USER/        
        DEFAULT</value> 
    <description>The mapping from Kerberos principal names to local service user names. 
                     </description>
</property>               

For mapping from Kerberos principal names to local OS user names, see Creating Mappings Between Principals and UNIX Usernames.