Repository: oozie Updated Branches: refs/heads/master 993a8e542 -> 476ec57bd
OOZIE-1688 New configuration to specify server-server authentication type Project: http://git-wip-us.apache.org/repos/asf/oozie/repo Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/476ec57b Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/476ec57b Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/476ec57b Branch: refs/heads/master Commit: 476ec57bd3a322217d3f2e6eb03ab84a42566ef2 Parents: 993a8e5 Author: Purshotam Shah <[email protected]> Authored: Tue Feb 10 17:48:24 2015 -0800 Committer: Purshotam Shah <[email protected]> Committed: Tue Feb 10 17:48:24 2015 -0800 ---------------------------------------------------------------------- .../main/java/org/apache/oozie/util/AuthUrlClient.java | 10 +++++++++- core/src/main/resources/oozie-default.xml | 8 ++++++++ docs/src/site/twiki/AG_Install.twiki | 13 +++++++++++-- release-log.txt | 1 + 4 files changed, 29 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java b/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java index 7de18f7..5de8471 100644 --- a/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java +++ b/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java 
@@ -34,10 +34,15 @@ import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.Authenticator; import org.apache.hadoop.security.authentication.client.KerberosAuthenticator; import org.apache.hadoop.security.authentication.client.PseudoAuthenticator; +import org.apache.oozie.service.ConfigurationService; import org.apache.oozie.service.Services; public class AuthUrlClient { + public static final String SERVER_SERVER_AUTH_TYPE = "oozie.server.authentication.type"; + + private static XLog LOG = XLog.getLog(AuthUrlClient.class); + static private Class<? extends Authenticator> AuthenticatorClass = null; static private String errorMsg = null; @@ -78,7 +83,10 @@ public class AuthUrlClient { // Adapted from // org.apache.hadoop.security.authentication.server.AuthenticationFilter#init Class<? extends Authenticator> authClass; - String authName = Services.get().getConf().get("oozie.authentication.type"); + String authName = ConfigurationService.get(SERVER_SERVER_AUTH_TYPE); + + LOG.info("Oozie server-server authentication is " + authName); + String authClassName; if (authName == null) { throw new IOException("Authentication type must be specified: simple|kerberos|<class>"); http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/core/src/main/resources/oozie-default.xml ---------------------------------------------------------------------- diff --git a/core/src/main/resources/oozie-default.xml b/core/src/main/resources/oozie-default.xml index 207a912..6f76b07 100644 --- a/core/src/main/resources/oozie-default.xml +++ b/core/src/main/resources/oozie-default.xml 
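Review bot: The new `LOG` field in the first AuthUrlClient.java hunk is declared `private static XLog LOG` without `final`, so the logger reference can be reassigned; declare it `private static final XLog LOG = XLog.getLog(AuthUrlClient.class);`. The new public constant `SERVER_SERVER_AUTH_TYPE` also has no comment. A one-line Javadoc such as `/** Configuration key selecting the authenticator used for Oozie server-to-server HTTP(S) calls. */` would make clear that it is distinct from `oozie.authentication.type`. The class body continues outside the hunk.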
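Review bot: In the second AuthUrlClient.java hunk, `LOG.info("Oozie server-server authentication is " + authName)` runs before the `authName == null` check, so an unset value is logged as `null` just before the IOException; moving the log line below the check keeps the message meaningful. Because this key is now resolved separately from `oozie.authentication.type`, a server with kerberos user-facing authentication can be set to `simple` for server-to-server calls with nothing to alert the operator. Consider a warning when the two values differ, e.g. `if (!authName.equals(ConfigurationService.get("oozie.authentication.type"))) LOG.warn("Server-server authentication type differs from oozie.authentication.type: " + authName);`. The enclosing method starts and ends outside the hunk, so how the value is used afterwards cannot be confirmed from here.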
@@ -1970,6 +1970,14 @@ Supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME# </description> </property> + <property> + <name>oozie.server.authentication.type</name> + <value>${oozie.authentication.type}</value> + <description> + Defines authentication used for Oozie server communicating to other Oozie server over HTTP(s). + Supported values are: simple | kerberos | #AUTHENTICATOR_CLASSNAME# + </description> + </property> <property> <name>oozie.authentication.token.validity</name> http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/docs/src/site/twiki/AG_Install.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki index 7936fc5..2e478ec 100644 --- a/docs/src/site/twiki/AG_Install.twiki +++ b/docs/src/site/twiki/AG_Install.twiki @@ -867,8 +867,17 @@ be missing information until that server comes back up. ---++++ Security -Oozie HA works with the existing Oozie security framework and settings. -See the [[AG_Install#Oozie_User_Authentication_Configuration][Oozie User Authentication Configuration]] section for details. +Oozie HA works with the existing Oozie security framework and settings. For HA features (log streaming, share lib, etc) to work +properly in a secure setup, following property can be set on each server. If =oozie.server.authentication.type= is not set, then +server-server authentication will fall back on =oozie.authentication.type=. + +<verbatim> +<property> + <name>oozie.server.authentication.type</name> + <value>kerberos</value> +</property> +</verbatim> + Below are some additional steps and information specific to Oozie HA: 1. (Optional) To prevent unauthorized users or programs from interacting with or reading the znodes used by Oozie in ZooKeeper, http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/release-log.txt ---------------------------------------------------------------------- 
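Review bot: The `<description>` of the new `oozie.server.authentication.type` property in oozie-default.xml does not say that the default `${oozie.authentication.type}` makes it inherit the user-facing setting. It also gives no guidance on which value a secured cluster should use. I would add a sentence such as `Defaults to the value of oozie.authentication.type; on a Kerberos-secured cluster this should be kerberos.` The phrase "communicating to other Oozie server" would read better as `communicating with other Oozie servers`.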
diff --git a/release-log.txt b/release-log.txt index 2cec842..42bceeb 100644 --- a/release-log.txt +++ b/release-log.txt @@ -1,5 +1,6 @@ -- Oozie 4.2.0 release (trunk - unreleased) +OOZIE-1688 New configuration to specify server-server authentication type (puru) OOZIE-2090 wf:lastErrorNode does not take into account transient errors with retries (ranter) OOZIE-2133 Support getting ATS delegation tokens for tez jobs (rohini) OOZIE-2131 Add flag to sqoop action to skip hbase delegation token generation (abec via ranter)
