I took a look at the HDP version of the hcatalog example and I'm not sure
how it will work with a secure cluster.  Specifically, even though the
workflow has <credentials>, the coordinator does not.  Are there any extra
steps or config (either in Oozie or HCat) that must be done to get
authentication to work for the hcat URIs in the coordinator?

thanks
- Robert


On Fri, Apr 11, 2014 at 2:27 AM, Mohammad Islam <misla...@yahoo.com> wrote:

> Venkat and Bowen,
> Very good proposal!
> Looking forward to the patch.
>
> Regards,
> Mohammad
> On Thursday, April 10, 2014 8:01 PM, Venkat Ranganathan <
> vranganat...@hortonworks.com> wrote:
>
> Bowen
>
> Look into the HDP 2.0 oozie hcatalog examples dir where we have the
> changes needed to run the hcatalog sample in a secure cluster (we also
> validated in the secure encrypted cluster).
>
> It would be good to contribute it to the oozie codebase.
>
> Venkat
>
>
> On Thu, Apr 10, 2014 at 1:27 PM, Mona Chitnis <chit...@yahoo-inc.com>
> wrote:
> > That's right.
> >
> > On 4/9/14, 7:03 PM, "bowen zhang" <bowenzhang...@yahoo.com> wrote:
> >
> >>Do you need to add "cred" into action in workflow.xml? Like, instead of
> >>having "<action name="pig-node">", you need "<action name="pig-node"
> >>cred="hcatauth">"
> >>bowen
> >>
> >>
> >>On Wednesday, April 9, 2014 6:13 PM, Mona Chitnis <chit...@yahoo-inc.com> wrote:
> >>
> >>Hello Bowen,
> >>
> >>1) In the oozie action, you would need to add <credentials> tag with the
> >>following properties and specify type hcat. Then the HCatCredentialHelper
> >>class would be invoked for accessing tables through HCatalog.
> >>
> >><credential name='hcatauth' type='hcat'>
> >>    <property>
> >>       <name>hcat.metastore.uri</name>
> >>       <value>${HCAT_URI}</value>
> >>    </property>
> >>    <property>
> >>       <name>hcat.metastore.principal</name>
> >>       <value>${HCAT_PRINCIPAL}</value>
> >>    </property>
> >></credential>
> >>
> >>2) For the messaging medium between Oozie and HCatalog (if you are
> >>utilizing notifications), you'd need to set up separate authentication
> >>mechanisms for Oozie and HCatalog to authenticate with the message broker
> >>and for Oozie workflows to be able to consume messages meant only for
> >>that user. In Yahoo, we use an internal Certificate Authority based
> >>mechanism. I haven't tried to set up secure Oozie with something like
> >>secure ActiveMQ yet.
> >>
> >>3) hive-site.xml is included in Oozie classpath. This has the
> >>security-oriented properties enabled
> >>E.g.
> >>
> >><property>
> >>  <name>hive.security.authorization.enabled</name>
> >>  <value>true</value>
> >>  <description>Perform authorization checks on the client</description>
> >></property>
> >>
> >>If I've missed out something, other devs please comment.
> >>
> >>--
> >>Mona
> >>
> >>
> >>On 4/9/14, 5:50 PM, "bowen zhang" <bowenzhang...@yahoo.com> wrote:
> >>
> >>Hi all,
> >>I am wondering whether we have docs for oozie-hcat integration in secure
> >>mode. Because I assume we should need more configs for secure mode. Can
> >>anyone from yahoo comment on this?
> >>
> >>Bowen
> >
>
>
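
A pre-deployment check for the workflow-side wiring discussed in this thread (a `<credential type='hcat'>` block plus `cred=` on each action), given as an added example that is not from any poster or from the Oozie or HDP code; it does not cover the coordinator question. The function names, the sample workflow, and the choice of `pig` and `hive` as the action types that need a credential are assumptions.

```python
import xml.etree.ElementTree as ET

# The two properties set in the hcat credential block quoted in this thread.
REQUIRED_HCAT_PROPS = {"hcat.metastore.uri", "hcat.metastore.principal"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def lint_workflow(xml_text, hcat_action_types=("pig", "hive")):
    """Return findings about <credentials>/cred= wiring in a workflow.xml.
    hcat_action_types is an assumption: action types taken to read HCatalog."""
    root = ET.fromstring(xml_text)
    findings, defined = [], set()
    for block in children(root, "credentials"):
        for cred in children(block, "credential"):
            defined.add(cred.get("name"))
            props = {(n.text or "").strip()
                     for p in children(cred, "property")
                     for n in children(p, "name")}
            missing = REQUIRED_HCAT_PROPS - props
            if cred.get("type") == "hcat" and missing:
                findings.append(f"credential {cred.get('name')}: missing {sorted(missing)}")
    for action in children(root, "action"):
        name, refs = action.get("name"), action.get("cred")
        if refs:
            # Split on commas in case several credentials are listed.
            for ref in (r.strip() for r in refs.split(",")):
                if ref not in defined:
                    findings.append(f"action {name}: cred '{ref}' is not defined")
        elif any(local(c.tag) in hcat_action_types for c in action):
            findings.append(f"action {name}: no cred attribute")
    return findings

# Constructed, trimmed sample: one action lacks cred=, one misspells the
# credential name, and the credential omits hcat.metastore.principal.
SAMPLE = """<workflow-app xmlns="uri:oozie:workflow:0.5" name="demo">
  <credentials>
    <credential name="hcatauth" type="hcat">
      <property><name>hcat.metastore.uri</name><value>${HCAT_URI}</value></property>
    </credential>
  </credentials>
  <action name="pig-node"><pig/></action>
  <action name="hive-node" cred="hcatauht"><hive/></action>
</workflow-app>"""

if __name__ == "__main__":
    print("\n".join(lint_workflow(SAMPLE)))
```
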
