You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2015/09/04 03:38:45 UTC

[jira] [Updated] (OOZIE-2356) Add a way to enable/disable credentials in a workflow

     [ https://issues.apache.org/jira/browse/OOZIE-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated OOZIE-2356:
---------------------------------
    Attachment: OOZIE-2356.001.patch

The patch adds the job-level {{oozie.credentials.skip}} property, which defaults to false.  It also makes some improvements in skipping some stuff if we're not going to load credentials to be more efficient.  Unit test and docs too.  

> Add a way to enable/disable credentials in a workflow
> -----------------------------------------------------
>
>                 Key: OOZIE-2356
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2356
>             Project: Oozie
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: OOZIE-2356.001.patch
>
>
> Currently, in a Kerberos cluster, you can use the {{<credentials>}} section to tell Oozie to get delegation tokens for HCat/Metastore, HS2, HBase, etc. However, this is defined in the workflow.xml, which means that Oozie will always try to get those tokens, even in an non-secure cluster, where it will likely fail. We should add a mechanism to enable/disable getting credentials so that the same workflow.xml can be used in both a secure and non-secure environment; as it is now, you have to maintain two copies of the workflow.xml.
> We can do this fairly simply by adding a job-level property (e.g. oozie.credentials.skip=true) that would skip getting delegation tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)