Oozie HA configuration with Kerberos

Follow the steps below to set up Oozie HA in a Kerberos environment.

 

Step 1: Configure a MySQL/Oracle database for Oozie, as the HA configuration does not work with the default embedded Derby database.

Please refer to https://community.hortonworks.com/articles/183/moving-oozie-to-mysql-with-ambari.html for the steps to migrate the Oozie database.

 

Step 2: Log in to the Ambari UI, go to Hosts, select the host on which you need to add the additional Oozie server, click Add and select Oozie Server.

Please refer to the screenshot below; for example, I will add an Oozie server on kk3.hwxblr.com.

 

[Screenshot: Oozie HA configuration with Kerberos]

 

Step 3: Set up the load balancer.

Please refer to this blog post for setting up a lightweight, open source, Linux-based load balancer.

 

Step 4: Configure Kerberos for your cluster if not already done.

Please refer to our blog for automated Kerberos configuration.

 

Step 5: Log in to the Ambari UI and set the configuration parameters below for the Oozie service.

oozie.zookeeper.connection.string=<zookeeper1>:2181,<zookeeper2>:2181,<zookeeper3>:2181

oozie.services.ext=org.apache.oozie.service.ZKLocksService,org.apache.oozie.service.ZKXLogStreamingService,org.apache.oozie.service.ZKJobsConcurrencyService

oozie.base.url=http://<loadbalancer.hostname>:11000/oozie

oozie.authentication.kerberos.principal=HTTP/<load-balancer-hostname>@REALM

 

Step 6: In the oozie-env section of the Oozie configuration, uncomment the OOZIE_BASE_URL property and set it to http://<load-balancer-host>:11000/oozie

For example:

export OOZIE_BASE_URL="http://<load-balancer-host>:11000/oozie"

 

Step 7: Log in to your KDC and create an HTTP principal for the load balancer.

kadmin.local -q "addprinc -randkey HTTP/<loadbalancer_hostname>@<realm>"

 

Step 8: Append "HTTP/<load-balancer-hostname>@<realm>" to spnego.service.keytab on both Oozie servers. (You need to do this on all the Oozie servers if you are running more than two.)

For example, in my case test1-ambari-server.hwxblr.com is the load balancer and kk2/kk4 are my Oozie servers.

Keytab on kk2.hwxblr.com:

[root@kk2 ~]# klist -ket /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
 3 05/03/16 16:44:05 HTTP/kk2.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
 3 05/03/16 16:44:05 HTTP/kk2.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
 3 05/03/16 16:44:05 HTTP/kk2.hwxblr.com@HWX.COM (des3-cbc-sha1)
 3 05/03/16 16:44:05 HTTP/kk2.hwxblr.com@HWX.COM (arcfour-hmac)
 5 05/03/16 16:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
 5 05/03/16 16:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
 5 05/03/16 16:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (des3-cbc-sha1)
 5 05/03/16 16:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (arcfour-hmac)

 

Keytab on kk4.hwxblr.com:

[root@kk4 ~]# klist -ket /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
 3 05/03/16 16:42:43 HTTP/kk4.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
 3 05/03/16 16:42:43 HTTP/kk4.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
 3 05/03/16 16:42:43 HTTP/kk4.hwxblr.com@HWX.COM (des3-cbc-sha1)
 3 05/03/16 16:42:43 HTTP/kk4.hwxblr.com@HWX.COM (arcfour-hmac)
 4 05/03/16 16:43:18 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
 4 05/03/16 16:43:18 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
 4 05/03/16 16:43:18 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (des3-cbc-sha1)
 4 05/03/16 16:43:18 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (arcfour-hmac)

 

Step 9: Make sure you have saved the updated keytabs on both Oozie hosts.
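
A check for steps 8 and 9, added here and not part of the original post: `ktadd` without `-norandkey` generates new keys and raises the KVNO each time it runs, so exporting the load balancer principal once per host can leave the earlier keytab stale. The script compares the load balancer entries in `klist -ket` output from two hosts; the hostnames, realm and sample output are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: compare the load-balancer SPNEGO
# entries in `klist -ket` output collected from two Oozie hosts.

# lb_entries PRINCIPAL  (klist output on stdin)
# Prints a sorted "kvno enctype" line for every keytab entry of PRINCIPAL.
lb_entries() {
    awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $1, $5 }' | sort
}

# check_lb_keytabs PRINCIPAL OUTPUT_A OUTPUT_B
# Returns 0 when both keytabs hold identical entries for PRINCIPAL,
# 1 when KVNO or enctypes differ, 2 when a keytab has no entry at all.
check_lb_keytabs() {
    a=$(printf '%s\n' "$2" | lb_entries "$1")
    b=$(printf '%s\n' "$3" | lb_entries "$1")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "MISSING: $1 is absent from at least one keytab"; return 2
    fi
    if [ "$a" != "$b" ]; then
        echo "MISMATCH: $1 differs in KVNO or enctypes between hosts"; return 1
    fi
    echo "OK: $1 entries match on both hosts"
}

# Constructed sample data (hypothetical hosts and realm, not real output).
LB='HTTP/lb.example.com@EXAMPLE.COM'
HOST_A=' 3 05/03/16 16:44:05 HTTP/oozie1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 5 05/03/16 16:44:11 HTTP/lb.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 5 05/03/16 16:44:11 HTTP/lb.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
HOST_B_OK=' 3 05/03/16 16:42:43 HTTP/oozie2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 5 05/03/16 16:45:02 HTTP/lb.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 5 05/03/16 16:45:02 HTTP/lb.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
HOST_B_STALE=' 3 05/03/16 16:42:43 HTTP/oozie2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 4 05/03/16 16:43:18 HTTP/lb.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 4 05/03/16 16:43:18 HTTP/lb.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
HOST_B_NONE=' 3 05/03/16 16:42:43 HTTP/oozie2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Each call prints one verdict line; `|| true` keeps the demo running.
check_lb_keytabs "$LB" "$HOST_A" "$HOST_B_OK"    || true
check_lb_keytabs "$LB" "$HOST_A" "$HOST_B_STALE" || true
check_lb_keytabs "$LB" "$HOST_A" "$HOST_B_NONE"  || true
```

On a real cluster, pass the output of `klist -ket /etc/security/keytabs/spnego.service.keytab` from each Oozie host in place of the sample strings. The KVNO the KDC currently holds is shown by `kadmin.local -q "getprinc HTTP/<load-balancer-hostname>@<realm>"`.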

 

Step 10: Restart the Oozie services via the Ambari UI.

 

Step 11: Configure your browser for SPNEGO authentication using the steps given at the URLs below.

http://www.ghostar.org/2015/06/google-chrome-spnego-and-webhdfs-on-hadoop/

http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html

 

Step 12: Hit http://<load-balancer-hostname>:11000/oozie and you should be able to see the Oozie UI :)

 

 

Please comment if you have any feedback/questions/suggestions. Happy Hadooping!! :)
