Password Encryption in Azkaban Configuration Files

Passwords in azkaban.local.properties and azkaban-users.xml can and should be protected. The azkaban.local.properties setting 'azkaban.passwordEncryption' determines the encryption method Azkaban will use to decrypt them during startup.

There are 3 available types of encryption that can be set in 'azkaban.passwordEncryption':

  • NONE - passwords are in plain text
  • DPAPI - passwords are encrypted using Windows DPAPI user based encryption then encoded as Unicode base-64 strings
  • WALLET - passwords are plain text strings which represent the name of a credential in a scriptable password manager

Using Windows DPAPI Encryption

If you have a Windows based Azkaban Web server using DPAPI properties file password encryption then you will need to first encrypt your passwords with DPAPI using the Windows User that the Web Server Service runs under. See this section for creating the encrypted DPAPI base64 strings with PowerShell, or use the Encryption Utility to perform the same function.

Using WALLET Encryption

When using WALLET you need to set a value for azkaban.walletCmd in azkaban.local.properties, which is used as a system command to retrieve the password from the wallet or password manager. For more information on Wallet configuration using a standard Linux password manager, visit https://www.passwordstore.org/

When using WALLET the passwords in the azkaban.local.properties and azkaban-users.xml file are just plain text strings that represent a credential name stored in the password manager. At run time Azkaban will execute the azkaban.walletCmd to retrieve the actual password for the given property.

Prior to executing the wallet command Azkaban will set the environment variable AZKABAN_WALLET_STRING to the property value to be looked up. Therefore if I was using the Linux password manager 'pass' from https://www.passwordstore.org/ my azkaban.walletCmd would be set to: 'pass $AZKABAN_WALLET_STRING'
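A hardened wrapper for the wallet command described above, as an added example that is not part of the original page or of Azkaban itself: it validates AZKABAN_WALLET_STRING before handing it to pass and returns only the first line of the entry. The script name azkaban-wallet.sh, the PASS_CMD override and the assumption that Azkaban reads the password from the command's standard output are not from the page.

```shell
#!/bin/sh
# azkaban-wallet.sh: hypothetical wrapper to use as azkaban.walletCmd (added example).
# Assumption: Azkaban reads the password from this command's standard output.

# PASS_CMD is an assumed override hook so the wrapper can be tested without a real store.
PASS_CMD="${PASS_CMD:-pass}"

# Return 0 only for credential names that are safe to hand to the password manager.
valid_wallet_name() {
    case "$1" in
        "")                 return 1 ;;  # unset or empty property value
        -*)                 return 1 ;;  # would be parsed as a command-line option
        /*|*..*)            return 1 ;;  # absolute path or directory traversal
        *[!A-Za-z0-9_./-]*) return 1 ;;  # anything outside the allowlist (spaces, ;, $, ...)
    esac
    return 0
}

# Look up the credential named by AZKABAN_WALLET_STRING and print its password.
wallet_lookup() {
    name="${AZKABAN_WALLET_STRING:-}"
    if ! valid_wallet_name "$name"; then
        echo "azkaban-wallet: rejected credential name" >&2
        return 2
    fi
    # The name is always quoted, so it reaches pass as exactly one argument.
    secret="$("$PASS_CMD" show "$name" 2>/dev/null)" || {
        echo "azkaban-wallet: lookup failed" >&2
        return 3
    }
    # pass keeps the password on the first line of an entry; emit only that line.
    printf '%s\n' "$secret" | head -n 1
}

# Run the lookup only when invoked as the wrapper script itself.
case "${0##*/}" in
    azkaban-wallet.sh) wallet_lookup; exit $? ;;
esac
```

Set azkaban.walletCmd to the full path of the script in place of 'pass $AZKABAN_WALLET_STRING'.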

Setting up Azkaban Users

If you require additional users for the Azkaban dashboard or API, other than the default users, then they can be added by the following process:

...

<web_server_dir>\<server_name>\azkaban-users.xml

NOTE: Whether the passwords in this file are encrypted depends on the azkaban.local.properties setting azkaban.passwordEncryption, which can be: NONE (all passwords are entered in plain text), WALLET (preferred method in Linux) or DPAPI (default for Windows). If you have a Windows based web server using DPAPI properties file password encryption then you will need to first encrypt your passwords with DPAPI using the Windows User that the Web Server Service runs under. See this section for creating the encrypted DPAPI base64 strings with PowerShell, or use the Encryption Utility to perform the same function.

For example:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<azkaban-users>
  <role name="admin" permissions="ADMIN"/>
  <role name="read" permissions="READ"/>
  <role name="executor" permissions="EXECUTE"/>
  <user username="admin" password="admin" roles="admin"/>
  <user username="readonly" password="readonly" roles="read"/>
  <user username="executor" password="executor" roles="executor,read"/>
</azkaban-users>

...