Configuring Oozie HA with Kerberos

In CDH 5, you can configure multiple active Oozie servers against the same database, providing high availability for Oozie. For instructions on setting up Oozie HA, see Oozie High Availability.

Assume a deployment with three hosts running Oozie servers: host1.example.com, host2.example.com, and host3.example.com. The load balancer that directs client traffic to the Oozie servers runs on oozie.example.com. Perform the following steps to configure Kerberos authentication on this Oozie HA-enabled deployment:
  1. Assuming your Kerberos realm is EXAMPLE.COM, create the following Kerberos principals:
    • oozie/host1.example.com@EXAMPLE.COM
    • oozie/host2.example.com@EXAMPLE.COM
    • oozie/host3.example.com@EXAMPLE.COM
    • HTTP/host1.example.com@EXAMPLE.COM
    • HTTP/host2.example.com@EXAMPLE.COM
    • HTTP/host3.example.com@EXAMPLE.COM
    • For the Load Balancer: HTTP/oozie.example.com@EXAMPLE.COM
  2. On each host, create a keytab file containing that host's own oozie and HTTP principals from the list above. Every keytab file must also contain the load balancer's HTTP principal: a SPNEGO client requests a service ticket for the name it connects to, which is the load balancer's, and whichever Oozie server receives the request must hold that principal's key to decrypt the ticket. For example, the keytab file on host1 would contain:
    • oozie/host1.example.com@EXAMPLE.COM
    • HTTP/host1.example.com@EXAMPLE.COM
    • HTTP/oozie.example.com@EXAMPLE.COM
  3. On each host, configure the following properties in oozie-site.xml, replacing <hostname> with that host's own fully qualified name (host1.example.com on host1, and so on):
<property>
    <name>oozie.authentication.kerberos.principal</name>
    <value>HTTP/<hostname>@EXAMPLE.COM</value>
    <description>
        Indicates the Kerberos principal to be used for the HTTP endpoint.
        The principal MUST start with 'HTTP/' as required by the Kerberos HTTP SPNEGO specification.
    </description>
</property>

<property>
    <name>oozie.authentication.kerberos.keytab</name>
    <value>${oozie.service.HadoopAccessorService.keytab.file}</value>
    <description>
        Location of the keytab file with the credentials for the principal.
        This refers to the same keytab file Oozie uses for its own Kerberos credentials when talking to Hadoop, which is why that keytab must also contain the HTTP principals from step 2.
    </description>
</property>
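Steps 1 and 2 above, and the check a practitioner would run afterwards, as one script. This is an added example and is not taken from the Cloudera page or from the Oozie project. It assumes an MIT Kerberos KDC driven through kadmin.local and writes each host's keytab to /tmp/oozie-<host>.keytab (both are assumptions; adjust them to your site). It generates the kadmin.local batch that creates the seven principals and exports one keytab per host, using ktadd -norandkey so that writing the shared load balancer principal into three keytabs does not rotate its key (a plain ktadd would bump the kvno and silently break the keytabs already written for the other hosts), and it then checks a klist -k listing of a finished keytab for the three principals step 2 requires and extracts the load balancer principal's kvno so it can be compared across hosts. The klist listing embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Cloudera page or the Oozie project.
# Assumptions: MIT Kerberos KDC (kadmin.local) and keytab output paths of
# /tmp/oozie-<host>.keytab. Adjust both to your environment.
set -eu

REALM="EXAMPLE.COM"
LB_HOST="oozie.example.com"                                    # load balancer
OOZIE_HOSTS="host1.example.com host2.example.com host3.example.com"

# Every principal the keytab on one Oozie server must contain: its own oozie/
# and HTTP/ principals plus the load balancer's HTTP/ principal, because SPNEGO
# clients get a ticket for the name they connected to (the load balancer) and
# whichever backend receives that ticket must be able to decrypt it.
keytab_principals() {                                  # $1 = Oozie server FQDN
    printf '%s\n' "oozie/$1@$REALM" "HTTP/$1@$REALM" "HTTP/$LB_HOST@$REALM"
}

# kadmin.local batch for the whole deployment (pipe it into kadmin.local on the
# KDC). Principals are created with random keys; keytabs are exported with
# -norandkey so the shared load balancer key is NOT rotated each time it is
# written into another host's keytab.
kadmin_batch() {
    for h in $OOZIE_HOSTS; do
        echo "addprinc -randkey oozie/$h@$REALM"
        echo "addprinc -randkey HTTP/$h@$REALM"
    done
    echo "addprinc -randkey HTTP/$LB_HOST@$REALM"
    for h in $OOZIE_HOSTS; do
        set -- $(keytab_principals "$h")               # the three principals
        echo "ktadd -norandkey -k /tmp/oozie-$h.keytab $*"
    done
}

# Post-check for one host: read a 'klist -k <keytab>' listing on stdin and
# report every required principal that is missing. Returns 1 if any is.
check_keytab_listing() {                               # $1 = Oozie server FQDN
    listing=$(cat); missing=0
    for p in $(keytab_principals "$1"); do
        if ! printf '%s\n' "$listing" | awk '{ print $NF }' | grep -qxF "$p"; then
            echo "MISSING in keytab for $1: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# kvno of the load balancer principal in a 'klist -k' listing on stdin.
# Compare this value across all three hosts; it must be identical everywhere,
# otherwise a later ktadd rotated the key and the older keytabs are dead.
lb_kvno() {
    awk -v p="HTTP/$LB_HOST@$REALM" '$NF == p { print $1; exit }'
}

# Constructed 'klist -k' output for host1 (illustration only), as the check
# would see it after: klist -k /tmp/oozie-host1.example.com.keytab
SAMPLE_LISTING='Keytab name: FILE:/tmp/oozie-host1.example.com.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 oozie/host1.example.com@EXAMPLE.COM
   2 HTTP/host1.example.com@EXAMPLE.COM
   2 HTTP/oozie.example.com@EXAMPLE.COM'

kadmin_batch
printf '%s\n' "$SAMPLE_LISTING" | check_keytab_listing host1.example.com \
    && echo "host1 keytab OK, LB kvno $(printf '%s\n' "$SAMPLE_LISTING" | lb_kvno)"
```

On the KDC, run `kadmin_batch | kadmin.local`, copy each /tmp/oozie-<host>.keytab to its host as the file named by oozie.service.HadoopAccessorService.keytab.file, and on that host run `klist -k <keytab> | check_keytab_listing <host>`; the kvno printed by lb_kvno must agree on all three hosts.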