Configuring Oozie HA with Kerberos

In CDH 5, you can configure multiple active Oozie servers against the same database, providing high availability for Oozie. For instructions on setting up Oozie HA, see Oozie High Availability.

Let's assume you have three hosts running Oozie servers (host1.example.com, host2.example.com and host3.example.com) and a load balancer running on oozie.example.com. The load balancer directs traffic to the Oozie servers host1, host2 and host3. For this configuration, assuming your Kerberos realm is EXAMPLE.COM, create the following Kerberos principals:
  • oozie/host1.example.com@EXAMPLE.COM
  • oozie/host2.example.com@EXAMPLE.COM
  • oozie/host3.example.com@EXAMPLE.COM
  • HTTP/host1.example.com@EXAMPLE.COM
  • HTTP/host2.example.com@EXAMPLE.COM
  • HTTP/host3.example.com@EXAMPLE.COM
  • HTTP/oozie.example.com@EXAMPLE.COM

On each of the hosts, host1, host2 and host3, create a keytab file with its corresponding oozie and HTTP principals from the list above. All keytab files should also have the load balancer's HTTP principal. Hence, each keytab file should have 3 principals in all.
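The following check is an added example, not part of the original documentation: it reads the output of `klist -k` for one host's keytab and confirms that it holds exactly the three principals described above, flagging missing and unexpected entries. It assumes MIT Kerberos `klist` output; the function names and the sample listing are constructed for illustration, and the keytab path is a placeholder.

```sh
#!/bin/sh
# Added example: audit a `klist -k` listing against the principals this page requires.
REALM="EXAMPLE.COM"            # Kerberos realm used on this page
LB_HOST="oozie.example.com"    # load balancer host used on this page

# check_keytab HOST
#   Reads `klist -k` output on stdin, prints one line per problem, and
#   returns 0 only if exactly the three expected principals are present.
check_keytab() {
    awk -v host="$1" -v lb="$LB_HOST" -v realm="$REALM" '
        BEGIN {
            want["oozie/" host "@" realm] = 1
            want["HTTP/"  host "@" realm] = 1
            want["HTTP/"  lb   "@" realm] = 1
        }
        # Entry lines start with a numeric KVNO; header lines do not.
        # The principal is the field containing "@", so listings that carry
        # extra columns (timestamps, encryption types) are handled as well.
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++) if ($i ~ /@/) seen[$i] = 1
        }
        END {
            bad = 0
            for (p in want) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            for (p in seen) if (!(p in want)) { print "UNEXPECTED " p; bad = 1 }
            exit bad
        }'
}

# Constructed sample of a correct keytab listing for host1 (not real output).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/path/to/oozie.keytab
KVNO Principal
---- --------------------------------------------------
   2 oozie/host1.example.com@EXAMPLE.COM
   2 HTTP/host1.example.com@EXAMPLE.COM
   3 HTTP/oozie.example.com@EXAMPLE.COM
EOF
}

sample_listing | check_keytab host1.example.com && echo "host1 keytab OK"

# On a real host (path is a placeholder):
#   klist -k /path/to/oozie.keytab | check_keytab host1.example.com
```

An UNEXPECTED line means the keytab carries a principal this host does not need, which is worth removing because anyone who can read the keytab can authenticate as every principal in it.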

Edit the following property in the Oozie server configuration file, oozie-site.xml:
<property>
  <name>oozie.authentication.kerberos.principal</name>
  <value>*</value>
</property>