Posted to commits@oozie.apache.org by pu...@apache.org on 2015/02/11 02:48:50 UTC
oozie git commit: OOZIE-1688 New configuration to specify
server-server authentication type
Repository: oozie
Updated Branches:
refs/heads/master 993a8e542 -> 476ec57bd
OOZIE-1688 New configuration to specify server-server authentication type
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/476ec57b
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/476ec57b
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/476ec57b
Branch: refs/heads/master
Commit: 476ec57bd3a322217d3f2e6eb03ab84a42566ef2
Parents: 993a8e5
Author: Purshotam Shah <pu...@yahoo-inc.com>
Authored: Tue Feb 10 17:48:24 2015 -0800
Committer: Purshotam Shah <pu...@yahoo-inc.com>
Committed: Tue Feb 10 17:48:24 2015 -0800
----------------------------------------------------------------------
.../main/java/org/apache/oozie/util/AuthUrlClient.java | 10 +++++++++-
core/src/main/resources/oozie-default.xml | 8 ++++++++
docs/src/site/twiki/AG_Install.twiki | 13 +++++++++++--
release-log.txt | 1 +
4 files changed, 29 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java b/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java
index 7de18f7..5de8471 100644
--- a/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java
+++ b/core/src/main/java/org/apache/oozie/util/AuthUrlClient.java
@@ -34,10 +34,15 @@ import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.Authenticator;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
import org.apache.hadoop.security.authentication.client.PseudoAuthenticator;
+import org.apache.oozie.service.ConfigurationService;
import org.apache.oozie.service.Services;
public class AuthUrlClient {
+ public static final String SERVER_SERVER_AUTH_TYPE = "oozie.server.authentication.type";
+
+ private static XLog LOG = XLog.getLog(AuthUrlClient.class);
+
static private Class<? extends Authenticator> AuthenticatorClass = null;
static private String errorMsg = null;
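Review bot: The added `LOG` field is declared `private static XLog LOG` without `final`, so the logger reference can be reassigned after class initialisation; `private static final XLog LOG = XLog.getLog(AuthUrlClient.class);` states the intent. The new public constant `SERVER_SERVER_AUTH_TYPE` has no Javadoc, and one line such as `/** Authentication type Oozie servers use when calling each other; oozie-default.xml defaults it to ${oozie.authentication.type}. */` would tell callers where the fallback comes from. The class body continues outside the hunk.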
@@ -78,7 +83,10 @@ public class AuthUrlClient {
// Adapted from
// org.apache.hadoop.security.authentication.server.AuthenticationFilter#init
Class<? extends Authenticator> authClass;
- String authName = Services.get().getConf().get("oozie.authentication.type");
+ String authName = ConfigurationService.get(SERVER_SERVER_AUTH_TYPE);
+
+ LOG.info("Oozie server-server authentication is " + authName);
+
String authClassName;
if (authName == null) {
throw new IOException("Authentication type must be specified: simple|kerberos|<class>");
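Review bot: `LOG.info(...)` runs before the `authName == null` check that follows it, so a missing setting is recorded as "Oozie server-server authentication is null" at info level just before the IOException is thrown. Logging after the type has been resolved, for example `LOG.info("Oozie server-server authentication is " + authClassName);` once `authClassName` is assigned, gives operators a reliable record of the mechanism actually used for inter-server calls. Because the value now comes from its own key, a `LOG.warn` when it resolves to `simple` (presumably the `PseudoAuthenticator` imported above) would make a weaker server-server setting visible on a cluster whose user-facing authentication is kerberos. The enclosing method starts and ends outside the hunk, so how often this line executes cannot be seen here.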
http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/core/src/main/resources/oozie-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/oozie-default.xml b/core/src/main/resources/oozie-default.xml
index 207a912..6f76b07 100644
--- a/core/src/main/resources/oozie-default.xml
+++ b/core/src/main/resources/oozie-default.xml
@@ -1970,6 +1970,14 @@
Supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#
</description>
</property>
+ <property>
+ <name>oozie.server.authentication.type</name>
+ <value>${oozie.authentication.type}</value>
+ <description>
+ Defines authentication used for Oozie server communicating to other Oozie server over HTTP(s).
+ Supported values are: simple | kerberos | #AUTHENTICATOR_CLASSNAME#
+ </description>
+ </property>
<property>
<name>oozie.authentication.token.validity</name>
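Review bot: The default `${oozie.authentication.type}` can carry a value that the new property does not accept. The description of the preceding property lists `#AUTHENTICATION_HANDLER_CLASSNAME#`, a server-side handler, while this one lists `#AUTHENTICATOR_CLASSNAME#`, a client-side authenticator. On a deployment that configures a custom handler class for user authentication, the inherited default would presumably hand AuthUrlClient a class that is not an Authenticator; the code that loads the class is not part of this diff, so the failure mode cannot be confirmed here. The description should state the constraint, for example `If oozie.authentication.type is a custom handler class, set this property explicitly to simple, kerberos or an Authenticator class.`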
http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/docs/src/site/twiki/AG_Install.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki
index 7936fc5..2e478ec 100644
--- a/docs/src/site/twiki/AG_Install.twiki
+++ b/docs/src/site/twiki/AG_Install.twiki
@@ -867,8 +867,17 @@ be missing information until that server comes back up.
---++++ Security
-Oozie HA works with the existing Oozie security framework and settings.
-See the [[AG_Install#Oozie_User_Authentication_Configuration][Oozie User Authentication Configuration]] section for details.
+Oozie HA works with the existing Oozie security framework and settings. For HA features (log streaming, share lib, etc) to work
+properly in a secure setup, following property can be set on each server. If =oozie.server.authentication.type= is not set, then
+server-server authentication will fall back on =oozie.authentication.type=.
+
+<verbatim>
+<property>
+ <name>oozie.server.authentication.type</name>
+ <value>kerberos</value>
+</property>
+</verbatim>
+
Below are some additional steps and information specific to Oozie HA:
1. (Optional) To prevent unauthorized users or programs from interacting with or reading the znodes used by Oozie in ZooKeeper,
http://git-wip-us.apache.org/repos/asf/oozie/blob/476ec57b/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 2cec842..42bceeb 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
-- Oozie 4.2.0 release (trunk - unreleased)
+OOZIE-1688 New configuration to specify server-server authentication type (puru)
OOZIE-2090 wf:lastErrorNode does not take into account transient errors with retries (ranter)
OOZIE-2133 Support getting ATS delegation tokens for tez jobs (rohini)
OOZIE-2131 Add flag to sqoop action to skip hbase delegation token generation (abec via ranter)