Passwords in azkaban.local.properties and azkaban-users.xml can an should be protected. The azkaban.local.properties setting 'azkaban.passwordEncryption' determines the encryption method Azkaban will use to decrypt during startup.
There are 3 available types of encryption that can be set in 'azkaban.passwordEncryption':
If you have a Windows based Azkaban Web server using DPAPI properties file password encryption then you will need to first encrypt your passwords with DPAPI using the Windows User that the Web Server Service runs under. See this section for creating the encrypted DPAPI base64 strings with PowerShell, or use the Encryption Utility to perform the same function.
When using WALLET, in azkaban.local.properties you need to set the value of azkaban.walletCmd to the system command that retrieves the password from the wallet or password manager. For example, if you are using the Linux password manager 'pass' from https://www.passwordstore.org/ the value for azkaban.walletCmd would be set to 'pass $AZKABAN_WALLET_STRING'
In WALLET the passwords in the azkaban.local.properties and azkaban-users.xml file are just plain text strings that represent a credential name stored in the password manager. At run time Azkaban executes the azkaban.walletCmd to retrieve the actual password for the given property.
For more information on Wallet configuration using a standard Linux password manager, visit https://www.passwordstore.org/
For details on how to set up additional users refer to the Setting Up Users section.
The main properties file azkaban.local.properties for Azkaban Servers is located in the root folder of the Web or Executor Server installation directory. Most changes to the settings in this file will not take effect until the Azkaban Web or Executor Server is restarted.
wherescape.job.workdirLinux defaults to /tmp
Windows defaults to the defined temp directory of the user (for the system user this will be C:\Windows\Temp)
wherescape.red.bindir - this setting allows you to set the path that will be returned by the WSL_BINDIR environment variable in scripts.Azkaban Web Server can optionally use HTTPS for secure communications, this setup is not covered by the WhereScape Scheduler Installation wizard however you can adjust the azkaban.local.properties file, post install, in the Azkaban Web Server and in each Azkabsn Executor Server. Or you can opt for a command line installation wherein these properties could be added by an installation script.
Azkaban Web Server supports SSL socket connectors, which means a keystore will have to be available. You can follow the steps to generate a valid jetty keystore provided here. Once a keystore file has been created, Azkaban must be given its location and password.
Here are the properties available to configure HTTPS via the azkaban.local.properties file:
# HTTPS settings jetty.use.ssl=true jetty.ssl.port=8443 jetty.port=0 # disable HTTP if you only want HTTPS # Path to your keystore jetty.keystore=/opt/azkaban/conf/keystore jetty.password=changeit jetty.keypassword=changeit # Optional: if you have a truststore # jetty.truststore=/opt/azkaban/conf/truststore # jetty.trustpassword=changeit |
After enabling HTTPS ensure your Azkaban URL's in the Scheduler Configuration within RED are updated.