You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@oozie.apache.org by rk...@apache.org on 2015/09/05 00:04:23 UTC

[1/2] oozie git commit: OOZIE-2318 Provide better solution for specifying SSL truststore to Oozie Client (rkanter)

Repository: oozie
Updated Branches:
  refs/heads/master 8b5eedb5b -> 396fcc6c4


OOZIE-2318 Provide better solution for specifying SSL truststore to Oozie Client (rkanter)


Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/63d3cdfe
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/63d3cdfe
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/63d3cdfe

Branch: refs/heads/master
Commit: 63d3cdfe088029e81785f5485f0d7c72de1b1f12
Parents: 8b5eedb
Author: Robert Kanter <rk...@cloudera.com>
Authored: Fri Sep 4 15:02:53 2015 -0700
Committer: Robert Kanter <rk...@cloudera.com>
Committed: Fri Sep 4 15:02:53 2015 -0700

----------------------------------------------------------------------
 docs/src/site/twiki/AG_Install.twiki | 24 ++++++++++++++----------
 release-log.txt                      |  1 +
 2 files changed, 15 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/oozie/blob/63d3cdfe/docs/src/site/twiki/AG_Install.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki
index 0ce2609..f043e7a 100644
--- a/docs/src/site/twiki/AG_Install.twiki
+++ b/docs/src/site/twiki/AG_Install.twiki
@@ -663,7 +663,7 @@ For example, if your Oozie server was at oozie.int.example.com, then you would d
 keytool -genkeypair -alias tomcat -keyalg RSA -dname "CN=oozie.int.example.com" -storepass password -keypass password
 </verbatim>
 If you're going to be using Oozie HA, it's simplest if you have a single certificate that all Oozie servers in the HA group can use.
-To do that, you'll need to use a wild on the subdomain it belongs to:
+To do that, you'll need to use a wildcard on the subdomain it belongs to:
 <verbatim>
 keytool -genkeypair -alias tomcat -keyalg RSA -dname "CN=*.int.example.com" -storepass password -keypass password
 </verbatim>
@@ -671,9 +671,16 @@ The above would work on any server in the int.example.com domain.
 
 2. Run the following command (as the Oozie user) to export a certificate file from the keystore file:
 <verbatim>
-keytool -exportcert -alias tomcat -file path/to/where/I/want/my/certificate.cert
+keytool -exportcert -alias tomcat -file path/to/anywhere/certificate.cert -storepass password
 </verbatim>
-You'll need this later if you're using the Oozie client (or other Java-based client); otherwise, you can skip this step.
+
+3. Run the following command (as any user) to create a truststore containing the certificate we just exported:
+<verbatim>
+keytool -import -alias tomcat -file path/to/certificate.cert -keystore /path/to/anywhere/oozie.truststore -storepass password2
+</verbatim>
+You'll need the =oozie.truststore= later if you're using the Oozie client (or other Java-based client); otherwise, you can skip
+this step.  The =storepass= value here is only used to verify or change the truststore and isn't typically required when only
+reading from it; so it does not have to be given to users only using the client.
 
 ---++++To use a Certificate from a Certificate Authority
 
@@ -706,16 +713,13 @@ This will configure Oozie to use HTTPS instead of HTTP.  To revert back to HTTP,
 The first two steps are only necessary if you are using a Self-Signed Certificate; the third is required either way.
 Also, these steps must be done on every machine where you intend to use the Oozie Client.
 
-1. Copy or download the .cert file onto the client machine
+1. Copy or download the oozie.truststore file onto the client machine
 
-2. Run the following command (as root) to import the certificate into the JRE's keystore. This will allow any Java program,
-including the Oozie client, to connect to the Oozie Server using your self-signed certificate.
+2. When using any Java-based program, you'll need to pass =-Djavax.net.ssl.trustStore= to the JVM.  To
+do this for the Oozie client:
 <verbatim>
-sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}
+export OOZIE_CLIENT_OPTS='-Djavax.net.ssl.trustStore=/path/to/oozie.truststore'
 </verbatim>
-Where ${JRE_cacerts} is the path to the JRE's certs file.  It's location may differ depending on the Operating System, but its
-typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts but may be under a different directory in ${JAVA_HOME}
-(you may want to create a backup copy of this file first). The default password is =changeit=.
 
 3. When using the Oozie Client, you will need to use https://oozie.server.hostname:11443/oozie instead of
 http://oozie.server.hostname:11000/oozie -- Java will not automatically redirect from the http address to the https address.

http://git-wip-us.apache.org/repos/asf/oozie/blob/63d3cdfe/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 9c1a102..88e03fc 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 4.3.0 release (trunk - unreleased)
 
+OOZIE-2318 Provide better solution for specifying SSL truststore to Oozie Client (rkanter)
 OOZIE-2344 Enabling 'oozie.action.jobinfo.enable' doesn't inject the job information into the map/reduce job's configuration. (akshayrai09 via rkanter)
 OOZIE-2350 Package changes for release (shwethags)
 OOZIE-2347 Remove unnecessary new Configuration()/new jobConf() calls from oozie (puru)

[2/2] oozie git commit: OOZIE-2355 Hive2 Action doesn't pass along oozie configs to jobconf (rkanter)

Posted by rk...@apache.org.

OOZIE-2355 Hive2 Action doesn't pass along oozie configs to jobconf (rkanter)


Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/396fcc6c
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/396fcc6c
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/396fcc6c

Branch: refs/heads/master
Commit: 396fcc6c453b28ad09a5940a390ca1a88b33cbfa
Parents: 63d3cdf
Author: Robert Kanter <rk...@cloudera.com>
Authored: Fri Sep 4 15:03:41 2015 -0700
Committer: Robert Kanter <rk...@cloudera.com>
Committed: Fri Sep 4 15:03:41 2015 -0700

----------------------------------------------------------------------
 examples/src/main/apps/hive2/script.q                         | 1 +
 release-log.txt                                               | 1 +
 .../main/java/org/apache/oozie/action/hadoop/Hive2Main.java   | 7 +++++++
 3 files changed, 9 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/oozie/blob/396fcc6c/examples/src/main/apps/hive2/script.q
----------------------------------------------------------------------
diff --git a/examples/src/main/apps/hive2/script.q b/examples/src/main/apps/hive2/script.q
index 3abc757..37d6564 100644
--- a/examples/src/main/apps/hive2/script.q
+++ b/examples/src/main/apps/hive2/script.q
@@ -15,5 +15,6 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
+DROP TABLE IF EXISTS test;
 CREATE EXTERNAL TABLE test (a INT) STORED AS TEXTFILE LOCATION '${INPUT}';
 INSERT OVERWRITE DIRECTORY '${OUTPUT}' SELECT * FROM test;

http://git-wip-us.apache.org/repos/asf/oozie/blob/396fcc6c/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 88e03fc..0bd450e 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 4.3.0 release (trunk - unreleased)
 
+OOZIE-2355 Hive2 Action doesn't pass along oozie configs to jobconf (rkanter)
 OOZIE-2318 Provide better solution for specifying SSL truststore to Oozie Client (rkanter)
 OOZIE-2344 Enabling 'oozie.action.jobinfo.enable' doesn't inject the job information into the map/reduce job's configuration. (akshayrai09 via rkanter)
 OOZIE-2350 Package changes for release (shwethags)

http://git-wip-us.apache.org/repos/asf/oozie/blob/396fcc6c/sharelib/hive2/src/main/java/org/apache/oozie/action/hadoop/Hive2Main.java
----------------------------------------------------------------------
diff --git a/sharelib/hive2/src/main/java/org/apache/oozie/action/hadoop/Hive2Main.java b/sharelib/hive2/src/main/java/org/apache/oozie/action/hadoop/Hive2Main.java
index 97af28b..56f5451 100644
--- a/sharelib/hive2/src/main/java/org/apache/oozie/action/hadoop/Hive2Main.java
+++ b/sharelib/hive2/src/main/java/org/apache/oozie/action/hadoop/Hive2Main.java
@@ -27,6 +27,7 @@ import java.io.PrintStream;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
 
@@ -210,10 +211,16 @@ public class Hive2Main extends LauncherMain {
             arguments.add(beelineArg);
         }
 
+        // Propagate MR job tag if defined
         if (actionConf.get(LauncherMain.MAPREDUCE_JOB_TAGS) != null ) {
             arguments.add("--hiveconf");
             arguments.add("mapreduce.job.tags=" + actionConf.get(LauncherMain.MAPREDUCE_JOB_TAGS));
         }
+        // Propagate "oozie.*" configs
+        for (Map.Entry<String, String> oozieConfig : actionConf.getValByRegex("^oozie\\.(?!launcher).+").entrySet()) {
+            arguments.add("--hiveconf");
+            arguments.add(oozieConfig.getKey() + "=" + oozieConfig.getValue());
+        }
 
         System.out.println("Beeline command arguments :");
         for (String arg : arguments) {