Thanks for putting up the patch.

We have the credentialclasses property.  We were seeing thrift errors with
Oozie talking to HCat, I think for the coordinator.  The workflow itself
actually ran fine.  The thrift errors were unfortunately not very
descriptive...

Do you have any ideas what might cause that?


On Wed, Apr 16, 2014 at 9:14 PM, Venkat Ranganathan <
[email protected]> wrote:

> Robert
>
> Sorry - got busy with release and I am going on a vacation :) Was
> planning to upload it by Monday. I just uploaded the patch.
>
> I think you are missing the step to update oozie site with the credential
> classes for each credential type.
>
>   <property>
>     <name>oozie.credentials.credentialclasses</name>
>     <value>hcat=org.apache.oozie.action.hadoop.HCatCredentials</value>
>   </property>
>
> The type=class format you use here is used as the credential type in the
> credentials section in the workflow.xml
>
> We have validated this in secure encrypted clusters also (OOZIE-1593 was
> created to fix the hcat credential provider to also include the rpc
> protection level)
>
> Venkat
>
>
>
> On Wed, Apr 16, 2014 at 6:10 PM, Robert Kanter <[email protected]> wrote:
>
>> I took a look at the HDP version of the hcatalog example and I'm not sure
>> how it will work with a secure cluster.  Specifically, even though the
>> workflow has <credentials>, the coordinator does not.  Are there any extra
>> steps or config (either in Oozie or HCat) that must be done to get
>> authentication to work for the hcat URIs in the coordinator?
>>
>> thanks
>> - Robert
>>
>>
>> On Fri, Apr 11, 2014 at 2:27 AM, Mohammad Islam <[email protected]> wrote:
>>
>>> Venkat and Bowen,
>>> Very good proposal!
>>> Looking forward to the patch.
>>>
>>> Regards,
>>> Mohammad
>>> On Thursday, April 10, 2014 8:01 PM, Venkat Ranganathan <
>>> [email protected]> wrote:
>>>
>>> Bowen
>>>
>>> Look into the HDP 2.0 oozie hcatalog examples dir where we have the
>>> changes needed to run the hcatalog sample in a secure cluster (we also
>>> validated in the secure encrypted cluster).
>>>
>>> It would be good to contribute it to the oozie codebase.
>>>
>>> Venkat
>>>
>>>
>>> On Thu, Apr 10, 2014 at 1:27 PM, Mona Chitnis <[email protected]>
>>> wrote:
>>> > That's right.
>>> >
>>> > On 4/9/14, 7:03 PM, "bowen zhang" <[email protected]> wrote:
>>> >
>>> >>Do you need to add "cred" into action in workflow.xml? Like, instead of
>>> >>having "<action name="pig-node">", you need "<action name="pig-node"
>>> >>cred="hcatauth">"
>>> >>bowen
>>> >>
>>> >>
>>> >>On Wednesday, April 9, 2014 6:13 PM, Mona Chitnis <[email protected]> wrote:
>>> >>
>>> >>Hello Bowen,
>>> >>
>>> >>1) In the oozie action, you would need to add <credentials> tag with the
>>> >>following properties and specify type hcat. Then the HCatCredentialHelper
>>> >>class would be invoked for accessing tables through HCatalog.
>>> >>
>>> >><credential name='hcatauth' type='hcat'>
>>> >>    <property>
>>> >>       <name>hcat.metastore.uri</name>
>>> >>       <value>${HCAT_URI}</value>
>>> >>    </property>
>>> >>    <property>
>>> >>       <name>hcat.metastore.principal</name>
>>> >>       <value>${HCAT_PRINCIPAL}</value>
>>> >>    </property>
>>> >></credential>
>>> >>
>>> >>2) For the messaging medium between Oozie and HCatalog (if you are
>>> >>utilizing notifications), you'd need to setup separate authentication
>>> >>mechanisms for Oozie and HCatalog to authenticate with the message broker
>>> >>and for Oozie workflows to be able to consume messages meant only for
>>> >>that user. In Yahoo, we use an internal Certificate Authority based
>>> >>mechanism. I haven't tried to setup secure Oozie with something like
>>> >>secure ActiveMQ yet.
>>> >>
>>> >>3) hive-site.xml is included in Oozie classpath. This has the
>>> >>security-oriented properties enabled
>>> >>E.g.
>>> >>
>>> >><property>
>>> >>  <name>hive.security.authorization.enabled</name>
>>> >>  <value>true</value>
>>> >>  <description>Perform authorization checks on the client</description>
>>> >></property>
>>> >>
>>> >>If I've missed out something, other dev's please comment.
>>> >>
>>> >>--
>>> >>Mona
>>> >>
>>> >>
>>> >>On 4/9/14, 5:50 PM, "bowen zhang" <[email protected]> wrote:
>>> >>
>>> >>Hi all,
>>> >>I am wondering whether we have docs for oozie-hcat integration in secure
>>> >>mode. Because I assume we should need more configs for secure mode. Can
>>> >>anyone from yahoo comment on this?
>>> >>
>>> >>Bowen
>>> >
>>>
>>>
>>
>>
>
>
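
The thread names three pieces that must agree: the `oozie.credentials.credentialclasses` mapping in oozie-site, the `<credential>` type in workflow.xml, and each action's `cred` attribute. The following is an added example, not part of any message above and not Oozie code, that checks this wiring offline. The function names, the `hive-node`/`hiveauth`/`plain-node` entries, the workflow namespace and the trimmed sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets quoted in this thread.
OOZIE_SITE = """<configuration><property>
  <name>oozie.credentials.credentialclasses</name>
  <value>hcat=org.apache.oozie.action.hadoop.HCatCredentials</value>
</property></configuration>"""

WORKFLOW = """<workflow-app name="hcat-wf" xmlns="uri:oozie:workflow:0.5">
  <credentials>
    <credential name="hcatauth" type="hcat">
      <property><name>hcat.metastore.uri</name><value>${HCAT_URI}</value></property>
    </credential>
  </credentials>
  <action name="pig-node" cred="hcatauth"><pig/></action>
  <action name="hive-node" cred="hiveauth"><pig/></action>
  <action name="plain-node"><pig/></action>
</workflow-app>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def registered_types(site_xml):
    """Credential types declared as type=class pairs in oozie-site.xml."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if prop.findtext("name", "").strip() == "oozie.credentials.credentialclasses":
            pairs = prop.findtext("value", "").split(",")
            return {p.split("=", 1)[0].strip() for p in pairs if "=" in p}
    return set()

def check_workflow(workflow_xml, site_xml):
    """Return a list of credential wiring problems (empty list = consistent)."""
    types = registered_types(site_xml)
    root = ET.fromstring(workflow_xml)
    creds = {e.get("name"): e.get("type")
             for e in root.iter() if local(e.tag) == "credential"}
    problems = [f"credential '{n}': type '{t}' not registered in oozie-site"
                for n, t in creds.items() if t not in types]
    for act in (e for e in root.iter() if local(e.tag) == "action"):
        # Assumption: cred may hold a comma-separated list of credential names.
        for ref in filter(None, (c.strip() for c in act.get("cred", "").split(","))):
            if ref not in creds:
                problems.append(f"action '{act.get('name')}': cred '{ref}' is not defined")
    return problems

if __name__ == "__main__":
    for line in check_workflow(WORKFLOW, OOZIE_SITE):
        print(line)
```

An action with no `cred` attribute, such as `plain-node`, is not flagged because the check cannot tell whether that action touches HCatalog.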
