Do you need to add "cred" into action in workflow.xml? Like, instead of having "<action name="pig-node">", you need "<action name="pig-node" cred="hcatauth">"

bowen

On Wednesday, April 9, 2014 6:13 PM, Mona Chitnis <[email protected]> wrote:

Hello Bowen,

1) In the oozie action, you would need to add <credentials> tag with the following properties and specify type hcat. Then the HCatCredentialHelper class would be invoked for accessing tables through HCatalog.

    <credential name='hcatauth' type='hcat'>
      <property>
        <name>hcat.metastore.uri</name>
        <value>${HCAT_URI}</value>
      </property>
      <property>
        <name>hcat.metastore.principal</name>
        <value>${HCAT_PRINCIPAL}</value>
      </property>
    </credential>

2) For the messaging medium between Oozie and HCatalog (if you are utilizing notifications), you’d need to set up separate authentication mechanisms for Oozie and HCatalog to authenticate with the message broker and for Oozie workflows to be able to consume messages meant only for that user. In Yahoo, we use an internal Certificate Authority based mechanism. I haven’t tried to set up secure Oozie with something like secure ActiveMQ yet.

3) hive-site.xml is included in Oozie classpath. This has the security-oriented properties enabled, e.g.

    <property>
      <name>hive.security.authorization.enabled</name>
      <value>true</value>
      <description>Perform authorization checks on the client</description>
    </property>

If I’ve missed out something, other devs please comment.

— Mona

On 4/9/14, 5:50 PM, "bowen zhang" <[email protected]> wrote:

Hi all,

I am wondering whether we have docs for oozie-hcat integration in secure mode. Because I assume we should need more configs for secure mode. Can anyone from yahoo comment on this?

Bowen
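An added example, not part of the thread and not Oozie's own code: a small pre-submission check that every action's cred attribute names a credential defined in workflow.xml, and that each hcat credential carries the two properties listed above. The function names, the sample workflow and its second and third actions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Properties the thread lists for a credential of type 'hcat'.
REQUIRED_HCAT_PROPS = {"hcat.metastore.uri", "hcat.metastore.principal"}

# Constructed sample (not from the thread); action bodies omitted for brevity.
SAMPLE_WORKFLOW = """\
<workflow-app xmlns="uri:oozie:workflow:0.5" name="constructed-sample">
  <credentials>
    <credential name='hcatauth' type='hcat'>
      <property><name>hcat.metastore.uri</name><value>${HCAT_URI}</value></property>
    </credential>
  </credentials>
  <action name="pig-node" cred="hcatauth"/>
  <action name="pig-node-2"/>
  <action name="pig-node-3" cred="hcatuath"/>
</workflow-app>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def check_workflow(xml_text):
    """Return sorted (subject, problem) pairs for credential wiring mistakes."""
    root = ET.fromstring(xml_text)
    findings, defined = [], set()
    for block in _children(root, "credentials"):
        for cred in _children(block, "credential"):
            defined.add(cred.get("name"))
            if cred.get("type") != "hcat":
                continue
            props = {(n.text or "").strip()
                     for p in _children(cred, "property")
                     for n in _children(p, "name")}
            for missing in sorted(REQUIRED_HCAT_PROPS - props):
                findings.append((cred.get("name", "?"), "missing property " + missing))
    for action in _children(root, "action"):
        # Tolerates a comma-separated list of credential names in cred.
        refs = [r.strip() for r in action.get("cred", "").split(",") if r.strip()]
        if not refs:
            findings.append((action.get("name", "?"), "no cred attribute"))
        for ref in refs:
            if ref not in defined:
                findings.append((action.get("name", "?"), "undefined credential " + ref))
    return sorted(findings)
```

An action without cred is reported for review only; actions that never touch HCatalog may legitimately have none.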
