Page History
Password Encryption in Azkaban Configuration Files
Passwords in azkaban.local.properties and azkaban-users.xm
l can an should be protected. The azkaban.local.properties setting 'azkaban.passwordEncryption' determines the encryption method Azkaban will use to decrypt during startup.
There are 3 available types of encryption that can be set in 'azkaban.passwordEncryption':
- NONE - passwords are in plain text
- DPAPI - passwords are encrypted using Windows DPAPI user based encryption then encoded as Unicode base-64 strings
- WALLET - passwords are plain text strings which represent the name of a credential in a scriptable password manager
Using Windows DPAPI Encryption
If you have a Windows based Azkaban Web server using DPAPI properties file password encryption then you will need to first encrypt your passwords with DPAPI using the Windows User that the Web Server Service runs under. See this section for creating the encrypted DPAPI base64 strings with PowerShell, or use the Encryption Utility to perform the same function.
Using WALLET Encryption
When using WALLET then you need to set a value for azkaban.walletCmd
in azkaban.local.properties which is used as a system command to retrieve the password from the wallet or password manager. For more information on Wallet configuration using a standard Linux password manager, visit https://www.passwordstore.org/
When using WALLET the passwords in the azkaban.local.properties and azkaban-users.xm
l file are just plain text strings that represent a credential name stored in the password manager. At run time Azkaban will execute the azkaban.walletCmd
to retrieve the actual password for the given property.
Prior to executing the wallet command Azkaban will set the environment variable AZKABAN_WALLET_STRING to the property value to be looked up. Therefore if I was using the Linux password manager 'pass' from https://www.passwordstore.org/ my azkaban.walletCmd
would be set to: 'pass $AZKABAN_WALLET_STRING'
Setting up Azkaban Users
If you require additional users for the Azkaban dashboard or API, other than the default users, then they can be added by the following process:
...
<web_server_dir>\<server_name>\azkaban-users.xmlNOTE: That the passwords in this file should be encrypted or not based on the azkaban.local.properties setting azkaban.passwordEncryption, which can be: NONE (all pwds are entered in plain text), WALLET (preferred method in Linux) or DPAPI (default for Windows). If you havea Windows based wed server using DPAPI properties file pwd encryption then you will need to first encrypt your pwds with DPAPI using the Windows User that the Web Server Service runs under. See this section for creating the encrypted DPAPI base64 strings with PowerShell, or use the Encryption Utility to perform the same function.
For example:
Code Block |
---|
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <azkaban-users> <role name="admin" permissions="ADMIN"/> <role name="read" permissions="READ"/> <role name="executor" permissions="EXECUTE"/> <user username="admin" password="admin" roles="admin"/> <user username="readonly" password="readonly" roles="read"/> <user username="executor" password="executor" roles="executor,read"/> </azkaban-users> |
...