Posted to commits@oozie.apache.org by mo...@apache.org on 2013/03/18 22:18:22 UTC
svn commit: r1458007 - in /oozie/branches/branch-4.0: ./
client/src/main/java/org/apache/oozie/cli/ core/src/main/conf/
distro/src/main/bin/ distro/src/main/tomcat/ docs/src/site/twiki/
src/main/assemblies/ webapp/src/main/webapp/WEB-INF/
Author: mona
Date: Mon Mar 18 21:18:22 2013
New Revision: 1458007
URL: http://svn.apache.org/r1458007
Log:
Sync OOZIE-1242 and OOZIE-1233 with trunk
Added:
oozie/branches/branch-4.0/distro/src/main/tomcat/ssl-server.xml
oozie/branches/branch-4.0/webapp/src/main/webapp/WEB-INF/ssl-web.xml
Modified:
oozie/branches/branch-4.0/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
oozie/branches/branch-4.0/core/src/main/conf/oozie-env.sh
oozie/branches/branch-4.0/distro/src/main/bin/addtowar.sh
oozie/branches/branch-4.0/distro/src/main/bin/oozie-setup.sh
oozie/branches/branch-4.0/distro/src/main/bin/oozie-sys.sh
oozie/branches/branch-4.0/distro/src/main/bin/oozied.sh
oozie/branches/branch-4.0/docs/src/site/twiki/AG_Install.twiki
oozie/branches/branch-4.0/docs/src/site/twiki/DG_CommandLineTool.twiki
oozie/branches/branch-4.0/docs/src/site/twiki/DG_QuickStart.twiki
oozie/branches/branch-4.0/release-log.txt
oozie/branches/branch-4.0/src/main/assemblies/distro.xml
Modified: oozie/branches/branch-4.0/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/client/src/main/java/org/apache/oozie/cli/OozieCLI.java?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/client/src/main/java/org/apache/oozie/cli/OozieCLI.java (original)
+++ oozie/branches/branch-4.0/client/src/main/java/org/apache/oozie/cli/OozieCLI.java Mon Mar 18 21:18:22 2013
@@ -242,7 +242,7 @@ public class OozieCLI {
Option debug = new Option(DEBUG_OPTION, false, "Use debug mode to see debugging statements on stdout");
Option rerun = new Option(RERUN_OPTION, true,
"rerun a job (coordinator requires -action or -date, bundle requires -coordinator or -date)");
- Option dryrun = new Option(DRYRUN_OPTION, false, "Dryrun a workflow (since 3.4) or coordinator (since 2.0) job without"
+ Option dryrun = new Option(DRYRUN_OPTION, false, "Dryrun a workflow (since 3.3.2) or coordinator (since 2.0) job without"
+ " actually executing it");
Option start = new Option(START_OPTION, true, "start a job");
Option suspend = new Option(SUSPEND_OPTION, true, "suspend a job");
Modified: oozie/branches/branch-4.0/core/src/main/conf/oozie-env.sh
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/core/src/main/conf/oozie-env.sh?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/core/src/main/conf/oozie-env.sh (original)
+++ oozie/branches/branch-4.0/core/src/main/conf/oozie-env.sh Mon Mar 18 21:18:22 2013
@@ -44,6 +44,10 @@ export CATALINA_OPTS="$CATALINA_OPTS -Xm
#
# export OOZIE_HTTP_PORT=11000
+# The port Oozie server runs if using SSL (HTTPS)
+#
+# export OOZIE_HTTPS_PORT=11443
+
# The host name Oozie server runs on
#
# export OOZIE_HTTP_HOSTNAME=`hostname -f`
@@ -52,3 +56,10 @@ export CATALINA_OPTS="$CATALINA_OPTS -Xm
#
# export OOZIE_BASE_URL="http://${OOZIE_HTTP_HOSTNAME}:${OOZIE_HTTP_PORT}/oozie"
+# The location of the keystore for the Oozie server if using SSL (HTTPS)
+#
+# export OOZIE_HTTPS_KEYSTORE_FILE=${HOME}/.keystore
+
+# The password of the keystore for the Oozie server if using SSL (HTTPS)
+#
+# export OOZIE_HTTPS_KEYSTORE_PASS=password
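Review bot: The new `OOZIE_HTTPS_KEYSTORE_PASS` example makes oozie-env.sh a place where a keystore password is stored, but the added comment does not say the file then needs restricted permissions. I would extend the comment with something like `# If you set a password here, make this file readable only by the Oozie user`. The sample value `password` matches the built-in default, so uncommenting the line as shown changes nothing; a placeholder such as `<keystore-password>` would make it clearer that operators are expected to choose their own.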
Modified: oozie/branches/branch-4.0/distro/src/main/bin/addtowar.sh
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/distro/src/main/bin/addtowar.sh?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/distro/src/main/bin/addtowar.sh (original)
+++ oozie/branches/branch-4.0/distro/src/main/bin/addtowar.sh Mon Mar 18 21:18:22 2013
@@ -132,6 +132,7 @@ function printUsage() {
echo " [-hadoopJarsSNAPSHOT] (if Hadoop jars version on system is SNAPSHOT)"
echo " [-extjs EXTJS_PATH] (expanded or ZIP)"
echo " [-jars JARS_PATH] (multiple JAR path separated by ':')"
+ echo " [-secure]"
echo
}
@@ -153,6 +154,8 @@ extjsHome=""
jarsPath=""
inputWar=""
outputWar=""
+secure=false
+secureConfigsDir="${OOZIE_CONFIG}/ssl"
while [ $# -gt 0 ]
do
@@ -221,6 +224,9 @@ do
exit -1
fi
outputWar=$1
+ elif [ "$1" = "-secure" ]; then
+ shift
+ secure=true
fi
shift
done
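Review bot: The `-secure` branch calls `shift` and then falls through to the loop's trailing `shift`, so the argument that follows `-secure` is silently discarded. The inner `shift` is only appropriate for options that take a value; `-secure` takes none, so for example `-secure -jars X` would skip `-jars`. Dropping the inner `shift` fixes it: `elif [ "$1" = "-secure" ]; then secure=true`. The `-secure` branch added to oozie-setup.sh has the same inner `shift`; the tail of that loop is outside its hunk, so confirm whether it shifts twice as well. The start of this `while` loop is outside the hunk.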
@@ -256,6 +262,17 @@ if [ "${addJars}" = "true" ]; then
done
fi
+if [ "${secure}" = "true" ]; then
+ checkFileExists ${secureConfigsDir}/ssl-server.xml
+ checkFileExists ${secureConfigsDir}/ssl-web.xml
+ echo
+ echo "Using SSL (HTTPS)"
+ echo
+else
+ checkFileExists ${secureConfigsDir}/server.xml
+ checkFileExists ${secureConfigsDir}/web.xml
+fi
+
#Unpacking original war
unzip ${inputWar} -d ${tmpWarDir} > /dev/null
checkExec "unzipping Oozie input WAR"
@@ -330,6 +347,16 @@ if [ "${addJars}" = "true" ]; then
done
fi
+if [ "${secure}" = "true" ]; then
+ #Inject the SSL version of web.xml in oozie war
+ cp ${secureConfigsDir}/ssl-web.xml ${tmpWarDir}/WEB-INF/web.xml
+ checkExec "injecting secure web.xml file into staging"
+else
+ #Inject the regular version of web.xml in oozie war
+ cp ${secureConfigsDir}/web.xml ${tmpWarDir}/WEB-INF/web.xml
+ checkExec "injecting regular web.xml file into staging"
+fi
+
#Creating new Oozie WAR
currentDir=`pwd`
cd ${tmpWarDir}
@@ -344,5 +371,16 @@ checkExec "copying new Oozie WAR"
echo
echo "New Oozie WAR file with added '${components}' at ${outputWar}"
echo
+
+if [ "${secure}" = "true" ]; then
+ #Inject the SSL version of server.xml in oozie-server
+ cp ${secureConfigsDir}/ssl-server.xml ${secureConfigsDir}/../../oozie-server/conf/server.xml
+ checkExec "injecting secure server.xml file into oozie-server"
+else
+ #Inject the regular version of server.xml in oozie-server
+ cp ${secureConfigsDir}/server.xml ${secureConfigsDir}/../../oozie-server/conf/server.xml
+ checkExec "injecting regular server.xml file into oozie-server"
+fi
+
cleanUp
exit 0
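Review bot: The destination `${secureConfigsDir}/../../oozie-server/conf/server.xml` assumes `OOZIE_CONFIG` sits exactly one level below the Oozie home. If an operator points `OOZIE_CONFIG` elsewhere, both `cp` branches either fail or write to an unrelated path, and this happens after the new WAR has already been copied into place, leaving an SSL web.xml paired with a non-SSL server.xml or the reverse. The copy also overwrites any locally edited server.xml with no backup. Consider deriving the target from the Tomcat base directory and quoting the paths, e.g. `cp "${secureConfigsDir}/ssl-server.xml" "${CATALINA_BASE}/conf/server.xml"`; oozie-setup.sh uses `CATALINA_BASE` for the WAR path, but whether it is exported to this script is not visible here. Doing the copy before the WAR is published would keep the two files consistent on failure.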
Modified: oozie/branches/branch-4.0/distro/src/main/bin/oozie-setup.sh
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/distro/src/main/bin/oozie-setup.sh?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/distro/src/main/bin/oozie-setup.sh (original)
+++ oozie/branches/branch-4.0/distro/src/main/bin/oozie-setup.sh Mon Mar 18 21:18:22 2013
@@ -20,11 +20,12 @@
function printUsage() {
echo
echo " Usage : oozie-setup.sh <Command and OPTIONS>"
- echo " prepare-war [-hadoop HADOOP_VERSION HADOOP_PATH] [-extjs EXTJS_PATH] [-jars JARS_PATH]"
+ echo " prepare-war [-hadoop HADOOP_VERSION HADOOP_PATH] [-extjs EXTJS_PATH] [-jars JARS_PATH] [-secure]"
echo " (prepare-war is to prepare war files for oozie)"
echo " (Hadoop version [0.20.1|0.20.2|0.20.104|0.20.200|0.23.x|2.x] and Hadoop install dir)"
echo " (EXTJS_PATH is expanded or ZIP, to enable the Oozie webconsole)"
echo " (JARS_PATH is multiple JAR path separated by ':')"
+ echo " (-secure will configure the war file to use HTTPS (SSL))"
echo " sharelib create -fs FS_URI [-locallib SHARED_LIBRARY] (create sharelib for oozie,"
echo " FS_URI is the fs.default.name"
echo " for hdfs uri; SHARED_LIBRARY, path to the"
@@ -71,6 +72,7 @@ prepareWar=""
inputWar="${OOZIE_HOME}/oozie.war"
outputWar="${CATALINA_BASE}/webapps/oozie.war"
outputWarExpanded="${CATALINA_BASE}/webapps/oozie"
+secure=""
while [ $# -gt 0 ]
do
@@ -134,6 +136,9 @@ do
shift
hadoopPath=$1
addHadoopJars=true
+ elif [ "$1" = "-secure" ]; then
+ shift
+ secure=true
elif [ "$1" = "prepare-war" ]; then
prepareWar=true
else
@@ -199,6 +204,9 @@ else
if [ "${addHadoopJars}" != "" ]; then
OPTIONS="${OPTIONS} -hadoop ${hadoopVersion} ${hadoopPath}"
fi
+ if [ "${secure}" != "" ]; then
+ OPTIONS="${OPTIONS} -secure"
+ fi
${OOZIE_HOME}/bin/addtowar.sh -inputwar ${inputWar} -outputwar ${outputWar} ${OPTIONS}
Modified: oozie/branches/branch-4.0/distro/src/main/bin/oozie-sys.sh
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/distro/src/main/bin/oozie-sys.sh?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/distro/src/main/bin/oozie-sys.sh (original)
+++ oozie/branches/branch-4.0/distro/src/main/bin/oozie-sys.sh Mon Mar 18 21:18:22 2013
@@ -181,6 +181,13 @@ else
print "Using OOZIE_ADMIN_PORT: ${OOZIE_ADMIN_PORT}"
fi
+if [ "${OOZIE_HTTPS_PORT}" = "" ]; then
+ export OOZIE_HTTPS_PORT=11443
+ print "Setting OOZIE_HTTPS_PORT: ${OOZIE_HTTPS_PORT}"
+else
+ print "Using OOZIE_HTTPS_PORT: ${OOZIE_HTTPS_PORT}"
+fi
+
if [ "${OOZIE_BASE_URL}" = "" ]; then
export OOZIE_BASE_URL="http://${OOZIE_HTTP_HOSTNAME}:${OOZIE_HTTP_PORT}/oozie"
print "Setting OOZIE_BASE_URL: ${OOZIE_BASE_URL}"
@@ -195,6 +202,20 @@ else
print "Using CATALINA_BASE: ${CATALINA_BASE}"
fi
+if [ "${OOZIE_HTTPS_KEYSTORE_FILE}" = "" ]; then
+ export OOZIE_HTTPS_KEYSTORE_FILE=${HOME}/.keystore
+ print "Setting OOZIE_HTTPS_KEYSTORE_FILE: ${OOZIE_HTTPS_KEYSTORE_FILE}"
+else
+ print "Using OOZIE_HTTPS_KEYSTORE_FILE: ${OOZIE_HTTPS_KEYSTORE_FILE}"
+fi
+
+if [ "${OOZIE_HTTPS_KEYSTORE_PASS}" = "" ]; then
+ export OOZIE_HTTPS_KEYSTORE_PASS=password
+ print "Setting OOZIE_HTTPS_KEYSTORE_PASS: ${OOZIE_HTTPS_KEYSTORE_PASS}"
+else
+ print "Using OOZIE_HTTPS_KEYSTORE_PASS: ${OOZIE_HTTPS_KEYSTORE_PASS}"
+fi
+
if [ "${CATALINA_OUT}" = "" ]; then
export CATALINA_OUT=${OOZIE_LOG}/catalina.out
print "Setting CATALINA_OUT: ${CATALINA_OUT}"
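Review bot: Both `print` lines for `OOZIE_HTTPS_KEYSTORE_PASS` write the keystore password in clear text to the script's output. Where `print` sends that output is not visible in this hunk, but startup output commonly ends up in log files readable by more users than the keystore. Print a fixed mask instead, e.g. `print "Using OOZIE_HTTPS_KEYSTORE_PASS: ****"`. The fallback `export OOZIE_HTTPS_KEYSTORE_PASS=password` also means a server prepared with `-secure` runs with a publicly documented keystore password unless the operator overrides it. Failing with an error when the variable is unset and HTTPS is enabled would be safer than defaulting.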
Modified: oozie/branches/branch-4.0/distro/src/main/bin/oozied.sh
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/distro/src/main/bin/oozied.sh?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/distro/src/main/bin/oozied.sh (original)
+++ oozie/branches/branch-4.0/distro/src/main/bin/oozied.sh Mon Mar 18 21:18:22 2013
@@ -46,8 +46,8 @@ source ${BASEDIR}/bin/oozie-sys.sh
CATALINA=${OOZIE_CATALINA_HOME:-${BASEDIR}/oozie-server}/bin/catalina.sh
setup_catalina_opts() {
- # The Java System property 'oozie.http.port' it is not used by Oozie,
- # it is used in Tomcat's server.xml configuration file
+ # The Java System properties 'oozie.http.port' and 'oozie.https.port' are not
+ # used by Oozie, they are used in Tomcat's server.xml configuration file
#
echo "Using CATALINA_OPTS: ${CATALINA_OPTS}"
@@ -64,7 +64,10 @@ setup_catalina_opts() {
catalina_opts="${catalina_opts} -Doozie.http.hostname=${OOZIE_HTTP_HOSTNAME}";
catalina_opts="${catalina_opts} -Doozie.admin.port=${OOZIE_ADMIN_PORT}";
catalina_opts="${catalina_opts} -Doozie.http.port=${OOZIE_HTTP_PORT}";
+ catalina_opts="${catalina_opts} -Doozie.https.port=${OOZIE_HTTPS_PORT}";
catalina_opts="${catalina_opts} -Doozie.base.url=${OOZIE_BASE_URL}";
+ catalina_opts="${catalina_opts} -Doozie.https.keystore.file=${OOZIE_HTTPS_KEYSTORE_FILE}";
+ catalina_opts="${catalina_opts} -Doozie.https.keystore.pass=${OOZIE_HTTPS_KEYSTORE_PASS}";
# add required native libraries such as compression codecs
catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}";
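Review bot: `-Doozie.https.keystore.pass=${OOZIE_HTTPS_KEYSTORE_PASS}` puts the keystore password on the JVM command line, where any local user can read it from the process list for as long as the server runs. Tomcat also loads system properties from `conf/catalina.properties`, so the value could be written there, with the file restricted to the Oozie user, and still be substituted into server.xml. The rest of setup_catalina_opts is outside this hunk; if it echoes the assembled `catalina_opts`, that output would expose the password too.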
Added: oozie/branches/branch-4.0/distro/src/main/tomcat/ssl-server.xml
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/distro/src/main/tomcat/ssl-server.xml?rev=1458007&view=auto
==============================================================================
--- oozie/branches/branch-4.0/distro/src/main/tomcat/ssl-server.xml (added)
+++ oozie/branches/branch-4.0/distro/src/main/tomcat/ssl-server.xml Mon Mar 18 21:18:22 2013
@@ -0,0 +1,150 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+ -->
+<Server port="${oozie.admin.port}" shutdown="SHUTDOWN">
+
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener" />
+ <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+ <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+ <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL HTTP/1.1 Connector on port ${oozie.http.port}
+ -->
+ <Connector port="${oozie.http.port}" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="${oozie.https.port}" />
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="${oozie.http.port}" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+
+ <Connector port="${oozie.https.port}" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS"
+ keystoreFile="${oozie.https.keystore.file}"
+ keystorePass="${oozie.https.keystore.pass}" />
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
\ No newline at end of file
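Review bot: The HTTPS `<Connector>` combines `protocol="HTTP/1.1"` with the JSSE attributes `keystoreFile`/`keystorePass`, while `AprLifecycleListener` is enabled with `SSLEngine="on"`. When the Tomcat native library is installed, `HTTP/1.1` resolves to the APR connector, which expects the OpenSSL-style attributes instead, as the comment directly above the connector notes. Pinning the JSSE implementation removes the ambiguity, e.g. `protocol="org.apache.coyote.http11.Http11Protocol"` (the Tomcat 6/7 class name; check it against the bundled Tomcat version). The connector sets no `ciphers` attribute, so the accepted cipher suites are whatever the JVM defaults allow; an explicit list would make them reviewable. The plain HTTP connector stays enabled, and `redirectPort` only takes effect for resources that the web.xml marks with a CONFIDENTIAL transport guarantee, which is not visible in this part of the commit.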
Modified: oozie/branches/branch-4.0/docs/src/site/twiki/AG_Install.twiki
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/docs/src/site/twiki/AG_Install.twiki?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/docs/src/site/twiki/AG_Install.twiki (original)
+++ oozie/branches/branch-4.0/docs/src/site/twiki/AG_Install.twiki Mon Mar 18 21:18:22 2013
@@ -46,6 +46,15 @@ is =http://${OOZIE_HTTP_HOSTNAME}:${OOZI
owner of the Oozie installation directory matches the user invoking the script. The default
value is undefined and interpreted as a =false=.
+If Oozie is configured to use HTTPS (SSL), then the following environment variables are also used:
+
+*OOZIE_HTTPS_PORT* : The port Oozie server runs when using HTTPS. Default value =11443=.
+
+*OOZIE_HTTPS_KEYSTORE_FILE* : The location of the keystore file containing the certificate information.
+Default value =${HOME}/.keystore= (i.e. the home dir of the Oozie user).
+
+*OOZIE_HTTPS_KEYSTORE_PASS* : The password of the keystore file. Default value =password=.
+
---++ Oozie Server Setup
The =oozie-setup.sh= script prepares the embedded Tomcat server to run Oozie.
@@ -54,11 +63,12 @@ The =oozie-setup.sh= script options are:
<verbatim>
Usage : oozie-setup.sh <OPTIONS>"
- prepare-war [-hadoop HADOOP_VERSION HADOOP_PATH] [-extjs EXTJS_PATH] [-jars JARS_PATH]"
+ prepare-war [-hadoop HADOOP_VERSION HADOOP_PATH] [-extjs EXTJS_PATH] [-jars JARS_PATH] [-secure]"
(prepare-war is to prepare war files for oozie)"
(Hadoop version [0.20.1|0.20.2|0.20.104|0.20.200|0.23.x|2.x] and Hadoop install dir)"
(EXTJS_PATH is expanded or ZIP, to enable the Oozie webconsole)"
(JARS_PATH is multiple JAR path separated by ':')"
+ (-secure will configure the war file to use HTTPS (SSL))"
sharelib create -fs FS_URI [-locallib SHARED_LIBRARY] (create sharelib for oozie,"
FS_URI is the fs.default.name"
for hdfs uri; SHARED_LIBRARY, path to the"
@@ -505,6 +515,93 @@ in =oozie.service.coord.push.check.reque
The defaults for =oozie.service.coord.input.check.requeue.interval= and =oozie.service.coord.push.check.requeue.interval=
are 1 minute and 10 minutes respectively.
+---+++ Setting Up Oozie with HTTPS (SSL)
+
+*IMPORTANT*:
+The default HTTPS configuration will cause all Oozie URLs to use HTTPS except for the JobTracker callback URLs. This is to simply
+configuration (no changes needed outside of Oozie), but this is okay because Oozie doesn't inherently trust the callbacks anyway;
+they are used as hints.
+
+The related environment variables are explained at [[AG_Install#Environment_Setup][Environment Setup]].
+
+You can use either a certificate from a Certificate Authority or a Self-Signed Certificate. Using a self-signed certificate
+requires some additional configuration on each Oozie client machine.
+
+---++++To use a Self-Signed Certificate
+There are many ways to create a Self-Signed Certificate, this is just one way. We will be using the keytool program, which is
+included with your JRE. If its not on your path, you should be able to find it in $JAVA_HOME/bin.
+
+1. Run the following command (as the Oozie user) to create a keystore file:
+<verbatim>
+keytool -genkey -alias tomcat -keyalg RSA
+</verbatim>
+The keystore file will be named =.keystore= and located in the Oozie user's home directory.
+
+2. Run the following command (as the Oozie user); you will be asked a series of questions in an interactive prompt.
+<verbatim>
+keytool -genkey -alias tomcat -keyalg RSA
+</verbatim>
+The password you enter for "keystore password" and "key password for <tomcat>" must be the same; Oozie is configued to use
+"password" by default. If you want to use a password other than "password", you will need to change the =OOZIE_HTTPS_KEYSTORE_PASS=
+environment variable.
+The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the Oozie Server will be
+running.
+
+3. Run the following command (as the Oozie user) to export a certificate file from the keystore file:
+<verbatim>
+keytool -exportcert -alias tomcat -file path/to/where/I/want/my/certificate.cert
+</verbatim>
+
+---++++To use a Certificate from a Certificate Authority
+
+1. You will need to make a request to a Certificate Authority in order to obtain a proper Certificate; please consult a Certificate
+Authority on this procedure.
+
+2. Once you have your .cert file, run the following command (as the Oozie user) to create a keystore file from your certificate:
+<verbatim>
+keytool -import -alias tomcat -file path/to/certificate.cert
+</verbatim>
+The keystore file will be named =.keystore= and located in the Oozie user's home directory.
+
+---++++Configure the Oozie Server to use SSL (HTTPS)
+
+1. Make sure the Oozie server isn't running
+
+2. Run the following command (as the Oozie user):
+<verbatim>
+oozie-setup.sh prepare-war -secure
+</verbatim>
+This will configure Oozie to use HTTPS instead of HTTP. To revert back to HTTP, simply rerun the command without =-secure=.
+
+3. Start the Oozie server
+
+---++++Configure the Oozie Client to connect using SSL (HTTPS)
+
+The first two steps are only necessary if you are using a Self-Signed Certificate; the third is required either way.
+Also, these steps must be done on every machine where you intend to use the Oozie Client.
+
+1. Copy or download the .cert file onto the client machine
+
+2. Run the following command (as root) to import the certificate into the JRE's keystore. This will allow any Java program,
+including the Oozie client, to connect to the Oozie Server using your self-signed certificate.
+<verbatim>
+sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}
+</verbatim>
+Where ${JRE_cacerts} is the path to the JRE's certs file. It's location may differ depending on the Operating System, but its
+typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts but may be under a different directory in ${JAVA_HOME}
+(you may want to create a backup copy of this file first). The default password is =changeit=.
+
+3. When using the Oozie Client, you will need to use https://oozie.server.hostname:11443/oozie instead of
+http://oozie.server.hostname:11000/oozie -- Java will not automatically redirect from the http address to the https address.
+
+---++++Connect to the Oozie Web UI using SSL (HTTPS)
+
+1. Use https://oozie.server.hostname:11443/oozie
+though most browsers should automatically redirect you if you use http://oozie.server.hostname:11000/oozie
+
+*IMPORTANT*: If using a Self-Signed Certificate, your browser will warn you that it can't verify the certificate or something
+similar. You will probably have to add your certificate as an exception.
+
---+++ Fine Tuning an Oozie Server
Refer to the [[./oozie-default.xml][oozie-default.xml]] for details.
Modified: oozie/branches/branch-4.0/docs/src/site/twiki/DG_CommandLineTool.twiki
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/docs/src/site/twiki/DG_CommandLineTool.twiki?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/docs/src/site/twiki/DG_CommandLineTool.twiki (original)
+++ oozie/branches/branch-4.0/docs/src/site/twiki/DG_CommandLineTool.twiki Mon Mar 18 21:18:22 2013
@@ -34,7 +34,7 @@ usage:
-date <arg> coordinator/bundle rerun on action dates (requires -rerun)
-definition <arg> job definition
-doas <arg> doAs user, impersonates as the specified user
- -dryrun Dryrun a workflow (since 3.4) or coordinator (since 2.0) job without actually executing it
+ -dryrun Dryrun a workflow (since 3.3.2) or coordinator (since 2.0) job without actually executing it
-info <arg> info of a job
-kill <arg> kill a job
-len <arg> number of actions (default TOTAL ACTIONS, requires -info)
@@ -518,7 +518,7 @@ specified path must be an HDFS path.
---+++ Dryrun of Workflow Job
-* This feature is only supported in Oozie 3.4 or later.
+* This feature is only supported in Oozie 3.3.2 or later.
Example:
Modified: oozie/branches/branch-4.0/docs/src/site/twiki/DG_QuickStart.twiki
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/docs/src/site/twiki/DG_QuickStart.twiki?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/docs/src/site/twiki/DG_QuickStart.twiki (original)
+++ oozie/branches/branch-4.0/docs/src/site/twiki/DG_QuickStart.twiki Mon Mar 18 21:18:22 2013
@@ -86,11 +86,14 @@ If the second argument is omitted, the O
Run the =oozie-setup.sh= script to configure Oozie with all the components added to the *libext/* directory.
<verbatim>
-$ bin/oozie-setup.sh prepare-war [-jars <PATHS>] [-extjs <PATH>]
+$ bin/oozie-setup.sh prepare-war [-jars <PATHS>] [-extjs <PATH>] [-secure]
sharelib create -fs <FS_URI> [-locallib <PATH>]
sharelib upgrade -fs <FS_URI> [-locallib <PATH>]
</verbatim>
+The =-secure= option will configure Oozie to use HTTP (SSL); refer to
+[[AG_Install#Setting_Up_Oozie_with_HTTPS_SSL][Setting Up Oozie with HTTPS (SSL)]] for more details.
+
Create the Oozie DB using the 'ooziedb.sh' command line tool:
<verbatim>
Modified: oozie/branches/branch-4.0/release-log.txt
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/release-log.txt?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/release-log.txt (original)
+++ oozie/branches/branch-4.0/release-log.txt Mon Mar 18 21:18:22 2013
@@ -66,6 +66,8 @@ OOZIE-944 Implement Workflow Generator U
-- Oozie 3.3.2 (unreleased)
+OOZIE-1233 Add ability to configure Oozie to use HTTPS (SSL) (rkanter)
+OOZIE-1242 Dryrun option for workflows mentions version 3.4 when it should be 3.3.2 (rkanter)
OOZIE-1208 Oozie web-console when displaying Coord Job Log for an action gives Format Error (rohini via mona)
OOZIE-1189 add filter option to specify JobID and AppName in SLA CLI command (egashira via mona)
OOZIE-1054 Create script to properly upload sharelib to HDFS (bowenzhangusa via tucu)
Modified: oozie/branches/branch-4.0/src/main/assemblies/distro.xml
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/src/main/assemblies/distro.xml?rev=1458007&r1=1458006&r2=1458007&view=diff
==============================================================================
--- oozie/branches/branch-4.0/src/main/assemblies/distro.xml (original)
+++ oozie/branches/branch-4.0/src/main/assemblies/distro.xml Mon Mar 18 21:18:22 2013
@@ -165,5 +165,23 @@
<outputDirectory>/</outputDirectory>
<fileMode>0444</fileMode>
</file>
+ <!-- Oozie SSL (HTTPS) server.xml -->
+ <file>
+ <source>${basedir}/../distro/src/main/tomcat/ssl-server.xml</source>
+ <outputDirectory>/conf/ssl</outputDirectory>
+ </file>
+ <file>
+ <source>${basedir}/../distro/src/main/tomcat/server.xml</source>
+ <outputDirectory>/conf/ssl</outputDirectory>
+ </file>
+ <!-- Oozie SSL (HTTPS) web.xml -->
+ <file>
+ <source>${basedir}/../webapp/src/main/webapp/WEB-INF/ssl-web.xml</source>
+ <outputDirectory>/conf/ssl</outputDirectory>
+ </file>
+ <file>
+ <source>${basedir}/../webapp/src/main/webapp/WEB-INF/web.xml</source>
+ <outputDirectory>/conf/ssl</outputDirectory>
+ </file>
</files>
</assembly>
Added: oozie/branches/branch-4.0/webapp/src/main/webapp/WEB-INF/ssl-web.xml
URL: http://svn.apache.org/viewvc/oozie/branches/branch-4.0/webapp/src/main/webapp/WEB-INF/ssl-web.xml?rev=1458007&view=auto
==============================================================================
--- oozie/branches/branch-4.0/webapp/src/main/webapp/WEB-INF/ssl-web.xml (added)
+++ oozie/branches/branch-4.0/webapp/src/main/webapp/WEB-INF/ssl-web.xml Mon Mar 18 21:18:22 2013
@@ -0,0 +1,214 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
+
+<web-app>
+ <display-name>OOZIE</display-name>
+
+ <!-- Listeners -->
+ <listener>
+ <listener-class>org.apache.oozie.servlet.ServicesLoader</listener-class>
+ </listener>
+
+ <!-- Servlets -->
+ <servlet>
+ <servlet-name>versions</servlet-name>
+ <display-name>WS API for Workflow Instances</display-name>
+ <servlet-class>org.apache.oozie.servlet.VersionServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>v0admin</servlet-name>
+ <display-name>Oozie admin</display-name>
+ <servlet-class>org.apache.oozie.servlet.V0AdminServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>v1admin</servlet-name>
+ <display-name>Oozie admin</display-name>
+ <servlet-class>org.apache.oozie.servlet.V1AdminServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>callback</servlet-name>
+ <display-name>Callback Notification</display-name>
+ <servlet-class>org.apache.oozie.servlet.CallbackServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>v0jobs</servlet-name>
+ <display-name>WS API for Workflow Jobs</display-name>
+ <servlet-class>org.apache.oozie.servlet.V0JobsServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>v1jobs</servlet-name>
+ <display-name>WS API for Workflow Jobs</display-name>
+ <servlet-class>org.apache.oozie.servlet.V1JobsServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>v0job</servlet-name>
+ <display-name>WS API for a specific Workflow Job</display-name>
+ <servlet-class>org.apache.oozie.servlet.V0JobServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>v1job</servlet-name>
+ <display-name>WS API for a specific Workflow Job</display-name>
+ <servlet-class>org.apache.oozie.servlet.V1JobServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>sla-event</servlet-name>
+ <display-name>WS API for specific SLA Events</display-name>
+ <servlet-class>org.apache.oozie.servlet.SLAServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <!-- servlet-mapping -->
+ <servlet-mapping>
+ <servlet-name>versions</servlet-name>
+ <url-pattern>/versions</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>v0admin</servlet-name>
+ <url-pattern>/v0/admin/*</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>v1admin</servlet-name>
+ <url-pattern>/v1/admin/*</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>callback</servlet-name>
+ <url-pattern>/callback/*</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>v0jobs</servlet-name>
+ <url-pattern>/v0/jobs</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>v1jobs</servlet-name>
+ <url-pattern>/v1/jobs</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>v0job</servlet-name>
+ <url-pattern>/v0/job/*</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>v1job</servlet-name>
+ <url-pattern>/v1/job/*</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>sla-event</servlet-name>
+ <url-pattern>/v1/sla/*</url-pattern>
+ </servlet-mapping>
+
+ <!-- welcome-file -->
+ <welcome-file-list>
+ <welcome-file>index.html</welcome-file>
+ </welcome-file-list>
+
+ <filter>
+ <filter-name>hostnameFilter</filter-name>
+ <filter-class>org.apache.oozie.servlet.HostnameFilter</filter-class>
+ </filter>
+
+ <filter>
+ <filter-name>authenticationfilter</filter-name>
+ <filter-class>org.apache.oozie.servlet.AuthFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>hostnameFilter</filter-name>
+ <url-pattern>*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/versions/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v0/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v1/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/index.html</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>*.js</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/ext-2.2/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/docs/*</url-pattern>
+ </filter-mapping>
+
+ <!-- Require SSL (HTTPS) for everything except callbacks -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Callback</web-resource-name>
+ <url-pattern>/callback/*</url-pattern>
+ </web-resource-collection>
+ <user-data-constraint>
+ <transport-guarantee>NONE</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Oozie Resources</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ </web-resource-collection>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+</web-app>
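Review bot: The `/callback/*` constraint near the end of the file sets `transport-guarantee` to `NONE`, and none of the `authenticationfilter` mappings above it covers `/callback/*`, so on an SSL-enabled server that path stays reachable over plain HTTP without passing through AuthFilter. That may be intentional for job callbacks, but the comment only says "except callbacks". I would record the reason and the assumption, e.g. `<!-- /callback/* stays on HTTP and outside AuthFilter; CallbackServlet must validate the request itself -->`, and confirm that CallbackServlet (not shown in this commit) does so. Separately, this file appears to repeat the servlet and filter declarations of web.xml, so a mapping later added to one and not the other would leave the SSL deployment with different auth coverage. A header comment naming web.xml as the file to keep in sync would reduce that risk.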