Hello Bowen,
1) In the Oozie action, you would need to add a <credentials> tag with the
following properties and specify type hcat. Then the HCatCredentialHelper class
would be invoked for accessing tables through HCatalog.

<credential name='hcatauth' type='hcat'>
  <property>
    <name>hcat.metastore.uri</name>
    <value>${HCAT_URI}</value>
  </property>
  <property>
    <name>hcat.metastore.principal</name>
    <value>${HCAT_PRINCIPAL}</value>
  </property>
</credential>

2) For the messaging medium between Oozie and HCatalog (if you are utilizing
notifications), you’d need to set up separate authentication mechanisms for
Oozie and HCatalog to authenticate with the message broker and for Oozie
workflows to be able to consume messages meant only for that user. In Yahoo, we
use an internal Certificate Authority based mechanism. I haven’t tried to set up
secure Oozie with something like secure ActiveMQ yet.

3) hive-site.xml is included in the Oozie classpath. This has the
security-oriented properties enabled, e.g.:

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>Perform authorization checks on the client</description>
</property>

If I’ve missed out something, other devs, please comment.
—
Mona

On 4/9/14, 5:50 PM, "bowen zhang" wrote:
Hi all,
I am wondering whether we have docs for oozie-hcat integration in secure mode.
Because I assume we should need more configs for secure mode. Can anyone from
yahoo comment on this?
Bowen
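
An added example, not part of the original thread and not Oozie's own code: a small Python check that a workflow.xml actually wires up the hcat credential from point 1 of the reply. It assumes actions reference the credential through Oozie's cred attribute; the sample workflow, its action names and the choice to treat hive and pig actions as HCatalog users are constructed for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = {"hcat.metastore.uri", "hcat.metastore.principal"}  # from the reply
HCAT_ACTIONS = {"hive", "pig"}  # assumption: action types that reach HCatalog

# Constructed sample: one correct credential, one incomplete, one typo'd reference.
SAMPLE = """<workflow-app xmlns="uri:oozie:workflow:0.5" name="demo-wf">
  <credentials>
    <credential name="hcatauth" type="hcat">
      <property><name>hcat.metastore.uri</name><value>${HCAT_URI}</value></property>
      <property><name>hcat.metastore.principal</name><value>${HCAT_PRINCIPAL}</value></property>
    </credential>
    <credential name="broken" type="hcat">
      <property><name>hcat.metastore.uri</name><value>${HCAT_URI}</value></property>
    </credential>
  </credentials>
  <start to="load"/>
  <action name="load" cred="hcatauth"><hive xmlns="uri:oozie:hive-action:0.5"/></action>
  <action name="report" cred="hcatuath"><hive xmlns="uri:oozie:hive-action:0.5"/></action>
  <action name="export"><hive xmlns="uri:oozie:hive-action:0.5"/></action>
  <end name="end"/>
</workflow-app>"""

def local(tag):
    """Strip the XML namespace so any workflow schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def lint_workflow(xml_text):
    """Return a sorted list of findings about HCatalog credential wiring."""
    root = ET.fromstring(xml_text)
    findings, defined = [], set()
    for el in (e for e in root.iter() if local(e.tag) == "credential"):
        defined.add(el.get("name"))
        if el.get("type") == "hcat":
            names = {n.text.strip() for p in el if local(p.tag) == "property"
                     for n in p if local(n.tag) == "name" and n.text}
            for missing in sorted(REQUIRED - names):
                findings.append(f"credential '{el.get('name')}': missing {missing}")
    for act in (e for e in root if local(e.tag) == "action"):
        name = act.get("name")
        creds = [c.strip() for c in (act.get("cred") or "").split(",") if c.strip()]
        if not creds and any(local(c.tag) in HCAT_ACTIONS for c in act):
            findings.append(f"action '{name}': no cred attribute")
        for c in creds:
            if c not in defined:
                findings.append(f"action '{name}': cred '{c}' is not defined")
    return sorted(findings)
```

Running lint_workflow(SAMPLE) reports the action with no cred attribute, the misspelled credential reference and the credential missing its principal.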