That¹s right. On 4/9/14, 7:03 PM, "bowen zhang" <[email protected]> wrote:
>Do you need to add "cred" into action in workflow.xml? Like, instead of >having "<action name="pig-node">", you need "<action name="pig-node" >cred="hcatauth">" >bowen > > >On Wednesday, April 9, 2014 6:13 PM, Mona Chitnis <[email protected]> >wrote: > >Hello Bowen, > >1) In the oozie action, you would need to add <credentials> tag with the >following properties and specify type hcat. Then the HCatCredentialHelper >class would be invoked for accessing tables through HCatalog. > ><credential name='hcatauth' type='hcat'> > <property> > <name>hcat.metastore.uri</name> > <value>${HCAT_URI}</value> > </property> > <property> > <name>hcat.metastore.principal</name> > <value>${HCAT_PRINCIPAL}</value> > </property> ></credential> > >2) For the messaging medium between Oozie and HCatalog (if you are >utilizing notifications), you¹d need to setup separate authentication >mechanisms for Oozie and HCatalog to authenticate with the message broker >and for Oozie workflows to be able to consume messages meant only for >that user. In Yahoo, we use an internal Certificate Authority based >mechanism. I haven¹t tried to setup secure Oozie with something like >secure ActiveMQ yet. > >3) hive-site.xml is included in Oozie classpath. This has the >security-oriented properties enabled >E.g. > ><property> > > <name>hive.security.authorization.enabled</name> > > <value>true</value> > > <description>Perform authorization checks on the client</description> > ></property> > >If I¹ve missed out something, other dev¹s please comment. > >‹ >Mona > > >On 4/9/14, 5:50 PM, "bowen zhang" ><[email protected]<mailto:[email protected]>> wrote: > >Hi all, >I am wondering whether we have docs for oozie-hcat integration in secure >mode. Because I assume we should need more configs for secure mode. Can >anyone from yahoo comment on this? > >Bowen
