You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@oozie.apache.org by an...@apache.org on 2018/09/14 14:07:13 UTC
[07/11] oozie git commit: OOZIE-2734 [docs] Switch from TWiki to
Markdown (asalamon74 via andras.piros, pbacsko, gezapeti)
http://git-wip-us.apache.org/repos/asf/oozie/blob/4e5b3cb5/docs/src/site/twiki/DG_ActionAuthentication.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/DG_ActionAuthentication.twiki b/docs/src/site/twiki/DG_ActionAuthentication.twiki
index bbf2d57..d280baf 100644
--- a/docs/src/site/twiki/DG_ActionAuthentication.twiki
+++ b/docs/src/site/twiki/DG_ActionAuthentication.twiki
@@ -1,12 +1,12 @@
-<noautolink>
-[[index][::Go back to Oozie Documentation Index::]]
----+!! Action Authentication
+[::Go back to Oozie Documentation Index::](index.html)
-%TOC%
+# Action Authentication
----++ Background
+<!-- MACRO{toc|fromDepth=1|toDepth=4} -->
+
+## Background
A secure cluster requires that actions have been authenticated (typically via Kerberos). However, due to the way that Oozie runs
actions, Kerberos credentials are not easily made available to actions launched by Oozie. For many action types, this is not a
@@ -20,17 +20,18 @@ For these situations, Oozie will have to use its Kerberos credentials to obtain
behalf of the user from the service in question. The details of what this means is beyond the scope of this documentation, but
basically, Oozie needs some extra configuration in the workflow so that it can obtain this delegation token.
----++ Oozie Server Configuration
+## Oozie Server Configuration
The code to obtain delegation tokens is pluggable so that it is easy to add support for different services by simply subclassing
org.apache.oozie.action.hadoop.Credentials to retrieve a delegation token from the service and add it to the Configuration.
Out of the box, Oozie already comes with support for some credential types
-(see [[DG_ActionAuthentication#Built-in_Credentials_Implementations][Built-in Credentials Implementations]]).
+(see [Built-in Credentials Implementations](DG_ActionAuthentication.html#Built-in_Credentials_Implementations)).
The credential classes that Oozie should load are specified by the following property in oozie-site.xml. The left hand side of the
equals sign is the type for the credential type, while the right hand side is the class.
-<verbatim>
+
+```
<property>
<name>oozie.credentials.credentialclasses</name>
<value>
@@ -39,19 +40,20 @@ equals sign is the type for the credential type, while the right hand side is th
hive2=org.apache.oozie.action.hadoop.Hive2Credentials
</value>
</property>
-</verbatim>
+```
----++ Workflow Changes
+## Workflow Changes
-The user should add a =credentials= section to the top of their workflow that contains 1 or more =credential= sections. Each of
-these =credential= sections contains a name for the credential, the type for the credential, and any configuration properties
-needed by that type of credential for obtaining a delegation token. The =credentials= section is available in workflow schema
+The user should add a `credentials` section to the top of their workflow that contains 1 or more `credential` sections. Each of
+these `credential` sections contains a name for the credential, the type for the credential, and any configuration properties
+needed by that type of credential for obtaining a delegation token. The `credentials` section is available in workflow schema
version 0.3 and later.
For example, the following workflow is configured to obtain an HCatalog delegation token, which is given to a Pig action so that the
Pig action can talk to a secure HCatalog:
-<verbatim>
+
+```
<workflow-app xmlns='uri:oozie:workflow:0.4' name='pig-wf'>
<credentials>
<credential name='my-hcat-creds' type='hcat'>
@@ -80,41 +82,41 @@ Pig action can talk to a secure HCatalog:
</action>
...
</workflow-app>
-</verbatim>
+```
-The type of the =credential= is "hcat", which is the type name we gave for the HCatCredentials class in oozie-site.xml. We gave
-the =credential= a name, "my-hcat-creds", which can be whatever you want; we then specify cred='my-hcat-creds' in the Pig action,
+The type of the `credential` is "hcat", which is the type name we gave for the HCatCredentials class in oozie-site.xml. We gave
+the `credential` a name, "my-hcat-creds", which can be whatever you want; we then specify cred='my-hcat-creds' in the Pig action,
so that Oozie will include these credentials with the action. You can include multiple credentials with an action by specifying
-a comma-separated list of =credential= names. And finally, the HCatCredentials required two properties (the metastore URI and
+a comma-separated list of `credential` names. And finally, the HCatCredentials required two properties (the metastore URI and
principal), which we also specified.
-Adding the =credentials= section to a workflow and referencing it in an action will make Oozie always try to obtain that delegation
+Adding the `credentials` section to a workflow and referencing it in an action will make Oozie always try to obtain that delegation
token. Ordinarily, this would mean that you cannot re-use this workflow in a non-secure cluster without editing it because trying
-to obtain the delegation token will likely fail. However, you can tell Oozie to ignore the =credentials= for a workflow by setting
-the job-level property =oozie.credentials.skip= to =true=; this will allow you to use the same workflow.xml in a secure and
-non-secure cluster by simply changing the job-level property at runtime. If omitted or set to =false=, Oozie will handle
-the =credentials= section normally. In addition, you can also set this property at the action-level or server-level to skip getting
+to obtain the delegation token will likely fail. However, you can tell Oozie to ignore the `credentials` for a workflow by setting
+the job-level property `oozie.credentials.skip` to `true`; this will allow you to use the same workflow.xml in a secure and
+non-secure cluster by simply changing the job-level property at runtime. If omitted or set to `false`, Oozie will handle
+the `credentials` section normally. In addition, you can also set this property at the action-level or server-level to skip getting
credentials for just that action or for all workflows, respectively. The order of priority is this:
- 1. =oozie.credentials.skip= in the =configuration= section of an action, if set
- 1. =oozie.credentials.skip= in the job.properties for a workflow, if set
- 1. =oozie.credentials.skip= in oozie-site.xml for all workflows, if set
+ 1. `oozie.credentials.skip` in the `configuration` section of an action, if set
+ 1. `oozie.credentials.skip` in the job.properties for a workflow, if set
+ 1. `oozie.credentials.skip` in oozie-site.xml for all workflows, if set
1. (don't skip)
----++ Built-in Credentials Implementations
+## Built-in Credentials Implementations
Oozie currently comes with the following Credentials implementations:
- 1. HCatalog and Hive Metastore: =org.apache.oozie.action.hadoop.HCatCredentials=
- 1. HBase: =org.apache.oozie.action.hadoop.HBaseCredentials=
- 1. Hive Server 2: =org.apache.oozie.action.hadoop.Hive2Credentials=
+ 1. HCatalog and Hive Metastore: `org.apache.oozie.action.hadoop.HCatCredentials`
+ 1. HBase: `org.apache.oozie.action.hadoop.HBaseCredentials`
+ 1. Hive Server 2: `org.apache.oozie.action.hadoop.Hive2Credentials`
HCatCredentials requires these two properties:
- 1. =hcat.metastore.principal= or hive.metastore.kerberos.principal
- 1. =hcat.metastore.uri= or hive.metastore.uris
+ 1. `hcat.metastore.principal` or hive.metastore.kerberos.principal
+ 1. `hcat.metastore.uri` or hive.metastore.uris
-*Note:* The HCatalog Metastore and Hive Metastore are one and the same and so the "hcat" type credential can also be used to talk
+**Note:** The HCatalog Metastore and Hive Metastore are one and the same and so the "hcat" type credential can also be used to talk
to a secure Hive Metastore, though the property names would still start with "hcat.".
HBase does not require any additional properties since the hbase-site.xml on the Oozie server provides necessary information
@@ -122,9 +124,9 @@ to obtain a delegation token; though properties can be overwritten here if desir
Hive2Credentials requires these two properties:
- 1. =hive2.server.principal=
- 1. =hive2.jdbc.url=
+ 1. `hive2.server.principal`
+ 1. `hive2.jdbc.url`
+
+[::Go back to Oozie Documentation Index::](index.html)
-[[index][::Go back to Oozie Documentation Index::]]
-</noautolink>