This is the documentation for CDH 4.6.0.
Documentation for other versions is available at Cloudera Documentation.

Configuring the Oozie Server to Support Kerberos Security

  1. Create a Oozie service user principal using the syntax: oozie/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate with the Hadoop cluster. where: fully.qualified.domain.name is the host where the Oozie server is running YOUR-REALM is the name of your Kerberos realm.
    kadmin: addprinc -randkey oozie/fully.qualified.domain.name@YOUR-REALM.COM
  2. Create a HTTP service user principal using the syntax: HTTP/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate user requests coming to the Oozie web-services. where: fully.qualified.domain.name is the host where the Oozie server is running YOUR-REALM is the name of your Kerberos realm.
    kadmin: addprinc -randkey HTTP/fully.qualified.domain.name@YOUR-REALM.COM
      Important:

    The HTTP/ component of the HTTP service user principal must be upper case as shown in the syntax and example above.

  3. Create keytab files with both principals.
    $ kadmin
    kadmin: xst -k oozie.keytab oozie/fully.qualified.domain.name
    kadmin: xst -k http.keytab HTTP/fully.qualified.domain.name
  4. Merge the two keytab files into a single keytab file:
    $ ktutil
    ktutil: rkt oozie.keytab
    ktutil: rkt http.keytab
    ktutil: wkt oozie-http.keytab
  5. Test that credentials in the merged keytab file work. For example:
    $ klist -e -k -t oozie-http.keytab
  6. Copy the oozie-http.keytab file to the Oozie configuration directory. The owner of the oozie-http.keytab file should be the oozie user and the file should have owner-only read permissions.
  7. Edit the Oozie server oozie-site.xml configuration file in the Oozie configuration directory by setting the following properties:
      Important: You must restart the Oozie server to have the configuration changes take effect.
    Property Value

    oozie.service.HadoopAccessorService.kerberos.enabled

    true

    local.realm

    <REALM>

    oozie.service.HadoopAccessorService.keytab.file

    /etc/oozie/conf/oozie-http.keytab for a package installation, or <EXPANDED_DIR>/conf/oozie-http.keytab for a tarball installation

    oozie.service.HadoopAccessorService.kerberos.principal

    oozie/<fully.qualified.domain.name>@<YOUR-REALM.COM>

    oozie.authentication.type

    kerberos

    oozie.authentication.kerberos.principal

    HTTP/<fully.qualified.domain.name>@<YOUR-REALM.COM>

    oozie.authentication.kerberos.name.rules

    Use the value configured for hadoop.security.auth_to_local in core-site.xml