Password Encryption in Azkaban Configuration Files
Passwords in azkaban.local.properties and azkaban-users.xml can and should be protected. The azkaban.local.properties setting 'azkaban.passwordEncryption' determines the encryption method Azkaban will use to decrypt during startup.
There are 3 available types of encryption that can be set in 'azkaban.passwordEncryption':
- NONE - passwords are in plain text
- DPAPI - passwords are encrypted using Windows DPAPI user-based encryption, then encoded as Unicode base-64 strings
- WALLET - passwords are plain text strings which represent the name of a credential in a scriptable password manager
Using Windows DPAPI Encryption
If you have a Windows based Azkaban Web server using DPAPI properties file password encryption then you will need to first encrypt your passwords with DPAPI using the Windows User that the Web Server Service runs under. See this section for creating the encrypted DPAPI base64 strings with PowerShell, or use the Encryption Utility to perform the same function.
Using WALLET Encryption
When using WALLET, in azkaban.local.properties you need to set the value of azkaban.walletCmd to the system command that retrieves the password from the wallet or password manager. For example, if you are using the Linux password manager 'pass' from https://www.passwordstore.org/, the value for azkaban.walletCmd would be set to 'pass $AZKABAN_WALLET_STRING'.
In WALLET the passwords in the azkaban.local.properties and azkaban-users.xml file are just plain text strings that represent a credential name stored in the password manager. At run time Azkaban executes the azkaban.walletCmd to retrieve the actual password for the given property.
For more information on Wallet configuration using a standard Linux password manager, visit https://www.passwordstore.org/
Setting up Azkaban Users
For details on how to set up additional users refer to the Setting Up Users section.
Adjusting Properties
The main properties file azkaban.local.properties for Azkaban Servers is located in the root folder of the Web or Executor Server installation directory. Most changes to the settings in this file will not take effect until the Azkaban Web or Executor Server is restarted.
Work Directory
- Property: wherescape.job.workdir
- Description: This setting is not present by default but can be added and set to an existing directory where all the WhereScape job work files will be created. Useful in dev environments where you have multiple schedulers running on a single machine and want to avoid conflicting temporary files.
- Defaults to the following locations if the setting is not present or empty:
  - Linux defaults to /tmp
  - Windows defaults to the defined temp directory of the user (for the system user this will be C:\Windows\Temp)
Bin Directory
- Property: wherescape.red.bindir
- Description: This setting allows you to set the path that will be returned by the WSL_BINDIR environment variable in scripts.
Setting up HTTPS
Azkaban Web Server can optionally use HTTPS for secure communications. This setup is not covered by the WhereScape Scheduler Installation wizard; however, you can adjust the azkaban.local.properties file, post install, in the Azkaban Web Server and in each Azkaban Executor Server. Alternatively, you can opt for a command line installation wherein these properties could be added by an installation script.
Azkaban Web Server supports SSL socket connectors, which means a keystore will have to be available. You can follow the steps to generate a valid jetty keystore provided here. Once a keystore file has been created, Azkaban must be given its location and password.
Here are the properties available to configure HTTPS via the azkaban.local.properties file:
    # HTTPS settings
    jetty.use.ssl=true
    jetty.ssl.port=8443
    # disable HTTP if you only want HTTPS
    jetty.port=0
    # Path to your keystore
    jetty.keystore=/opt/azkaban/conf/keystore
    jetty.password=changeit
    jetty.keypassword=changeit
    # Optional: if you have a truststore
    # jetty.truststore=/opt/azkaban/conf/truststore
    # jetty.trustpassword=changeit
After enabling HTTPS, ensure your Azkaban URLs in the Scheduler Configuration within RED are updated.
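A quick audit of azkaban.local.properties against the password-encryption and HTTPS settings described on this page, as an added example (not WhereScape's or Azkaban's own tooling). It assumes standard Java .properties parsing, where a '#' after a value is part of the value, treats any key ending in "password" as a secret, and reviews an unset azkaban.passwordEncryption like NONE; both sample files and the credential names are constructed.

```python
import re

# Constructed sample: the page's HTTPS settings with plain-text passwords.
WEAK = """\
azkaban.passwordEncryption=NONE
jetty.use.ssl=true
jetty.port=0 # disable HTTP if you only want HTTPS
jetty.keystore=/opt/azkaban/conf/keystore
jetty.password=changeit
jetty.keypassword=changeit
"""
# Constructed sample: WALLET mode; the credential names are made up.
HARDENED = """\
azkaban.passwordEncryption=WALLET
azkaban.walletCmd=pass $AZKABAN_WALLET_STRING
jetty.use.ssl=true
# disable HTTP if you only want HTTPS
jetty.port=0
jetty.keystore=/opt/azkaban/conf/keystore
jetty.password=azkaban/jetty-keystore
jetty.keypassword=azkaban/jetty-key
"""

def parse_properties(text):
    """key=value pairs; '#' or '!' opens a comment only at the start of a line."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and line[0] not in "#!":
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (severity, message) findings for one properties file."""
    props, out = parse_properties(text), []
    mode = props.get("azkaban.passwordEncryption", "").upper() or "unset"
    if mode not in ("DPAPI", "WALLET"):  # assumption: unset is reviewed like NONE
        out += [("HIGH", f"{k} is not protected (azkaban.passwordEncryption={mode})")
                for k in sorted(props) if k.lower().endswith("password") and props[k]]
    if mode == "WALLET" and not props.get("azkaban.walletCmd"):
        out.append(("HIGH", "WALLET mode is set but azkaban.walletCmd is empty"))
    for k in sorted(props):
        if re.search(r"\s#", props[k]):  # inline comments become part of the value
            out.append(("MEDIUM", f"{k}: text after '#' is part of the value"))
    if props.get("jetty.use.ssl", "").lower() == "true":
        if props.get("jetty.port") != "0":
            out.append(("INFO", "jetty.port is not 0, so the HTTP listener stays enabled"))
    return out
```

Calling audit(WEAK) reports both keystore passwords and the inline comment on jetty.port, while audit(HARDENED) returns an empty list.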