Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
Description
Oozie has an authorization model for admin access to Oozie facilities. Oozie
admin users:
- have write access to all jobs
- have write access to admin operations
When authorization server security is enabled by config property
oozie.service.AuthorizationService.authorization.enabled (which is set to true
in our installations - the default is false), then admin users are determined
by either membership in a group identified by the property
oozie.service.AuthorizationService.admin.groups.
Since we don't set either of them, we expect users to set the admin usernames
in the file /etc/oozie/conf/adminusers.txt
See [Oozie User Authorization Configuration](https://oozie.apache.org/docs/4.0.0/AG_Install.html#User_Authorization_Configuration)
for more details on admin user configuration.
Because we want to do sharelib update operations which are write access
operations, the user performing these should be an Oozie admin user. If not,
the admin operation will fail.
We should explicitly add the oozie install user as the admin user by adding
the user to adminusers.txt.
This feature is also needed for rolling upgrade scenarios to explicitly update
sharelib after upgrading the servers.
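
One way to apply the change described above, as an added example (not code from this issue or from the project): it reports which setting decides Oozie admin status and idempotently adds a user to adminusers.txt while keeping the file's permission bits. Assumptions: `admin.groups` takes precedence when set and adminusers.txt is used otherwise, as the linked Oozie documentation describes; the file holds one user name per line with `#` comment lines; all function names and the sample XML are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

AUTHZ_ENABLED = "oozie.service.AuthorizationService.authorization.enabled"
ADMIN_GROUPS = "oozie.service.AuthorizationService.admin.groups"

def site_properties(oozie_site_xml):
    """Parse Hadoop-style <property><name/><value/></property> entries."""
    root = ET.fromstring(oozie_site_xml)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def admin_source(props):
    """Report which setting decides admin status (assumed precedence)."""
    if props.get(AUTHZ_ENABLED, "false").lower() != "true":
        return "authorization disabled"
    return "admin.groups" if props.get(ADMIN_GROUPS) else "adminusers.txt"

def file_admins(text):
    """Assumed format: one user per line; blank and '#' lines are skipped."""
    names = (line.strip() for line in text.splitlines())
    return [n for n in names if n and not n.startswith("#")]

def ensure_admin(path, user):
    """Add user to adminusers.txt if absent; return True if the file changed."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if user in file_admins(text):
        return False
    if text and not text.endswith("\n"):
        text += "\n"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Write beside the original, then rename, so a crash never leaves a
    # truncated admin list in place.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text + user + "\n")
    os.chmod(tmp, mode)  # mkstemp creates 0600; restore the original bits
    os.replace(tmp, path)
    return True

# Constructed sample matching the setup in the description: authorization is
# enabled and admin.groups is unset, so adminusers.txt is the list that counts.
SAMPLE_SITE = """<configuration>
  <property><name>oozie.service.AuthorizationService.authorization.enabled</name>
            <value>true</value></property>
</configuration>"""
```

The rename replaces the file with one owned by the calling user, so run it as the account that should own adminusers.txt; the file grants write access to all jobs and should not be writable by other users.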