[ https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017429#comment-14017429 ]

Purshotam Shah commented on OOZIE-1865:
---------------------------------------

We had a similar issue while testing with HA.
To fix this we use two authentication models. We first authenticate with the
virtual IP principal and, if it fails, then with the host principal.
Unfortunately we don't use Oozie code for this.
We have to support a few of our own authentication models, so we have overridden
it.
 
Here is the logic.
{code}
    // Try each configured handler in turn; the first non-null token wins.
    public AuthenticationToken authenticate(HttpServletRequest request, HttpServletResponse response)
            throws IOException, AuthenticationException {

        AuthenticationToken token = null;
        for (AuthenticationHandler handler : handlers) {
            try {
                token = handler.authenticate(request, response);
            }
            catch (AuthenticationException e) {
                // The Kerberos handler is tried with the virtual IP (VIP) principal first;
                // on failure, retry with the handler for the host principal.
                // A failure of that second attempt propagates to the caller.
                if (handler instanceof YKerberosAuthenticationHandler && kerberosHandlerHost != null) {
                    LOG.info("VIP authentication failed, trying with host principal");
                    token = kerberosHandlerHost.authenticate(request, response);
                }
            }
            if (token != null) {
                return token;
            }
        }
        return null;
    }
{code}

> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
>                 Key: OOZIE-1865
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1865
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>
> When you use Oozie HA with Kerberos, you have to set 
> {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}} 
> instead of {{HTTP/<oozie-server-host>}}.  This allows clients to connect to 
> any of the Oozie servers through the load balancer.  However, it also blocks 
> clients from directly talking to any of the Oozie servers.  In and of itself, 
> that's okay, but it turns out that in most cases, it also blocks the Oozie 
> servers from talking to each other, namely for log streaming, the 
> sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).  
> Ultimately, what we need to do is allow Oozie to use both 
> {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the 
> same time so that clients (including Oozie servers, users, Web UI, etc) can 
> talk to Oozie both through the load balancer and directly.  If my 
> understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.  
> For this JIRA, we should update Oozie to take advantage of HADOOP-10158.  



--
This message was sent by Atlassian JIRA
(v6.2#6252)
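
The order described in the comment above (load-balancer principal first, then host principal), as an added, self-contained example; it is not Oozie, Hadoop or the commenter's code. `PrincipalHandler` and `AuthException` are hypothetical stand-ins for the real handler types, the host names are constructed, and a ticket is modelled only by the service principal it was issued for. Unlike the snippet in the comment, this version keeps every rejection reason when both principals fail.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: stand-in types, not the Hadoop/Oozie AuthenticationHandler API.
public class DualPrincipalDemo {
    static class AuthException extends Exception {
        AuthException(String msg) { super(msg); }
    }

    // Models a SPNEGO acceptor: it can only accept a service ticket issued
    // for the principal whose key it holds.
    static class PrincipalHandler {
        final String principal;
        PrincipalHandler(String principal) { this.principal = principal; }
        String authenticate(String ticketSpn, String user) throws AuthException {
            if (!principal.equals(ticketSpn)) {
                throw new AuthException("ticket for " + ticketSpn + " not accepted by " + principal);
            }
            return user;
        }
    }

    // Try the load-balancer (VIP) principal first, then the host principal.
    // If every handler rejects, report all reasons so the failure is auditable.
    static String authenticate(List<PrincipalHandler> handlers, String ticketSpn, String user)
            throws AuthException {
        List<String> failures = new ArrayList<>();
        for (PrincipalHandler h : handlers) {
            try {
                return h.authenticate(ticketSpn, user);
            } catch (AuthException e) {
                failures.add(e.getMessage());
            }
        }
        throw new AuthException("all principals rejected: " + failures);
    }

    public static void main(String[] args) {
        // Constructed host names: this server holds keys for the VIP and for itself only.
        List<PrincipalHandler> handlers = List.of(
                new PrincipalHandler("HTTP/oozie-lb.example.com"),
                new PrincipalHandler("HTTP/oozie-1.example.com"));
        String[] spns = {"HTTP/oozie-lb.example.com", "HTTP/oozie-1.example.com", "HTTP/oozie-2.example.com"};
        for (String spn : spns) {
            try {
                System.out.println(spn + " -> authenticated as " + authenticate(handlers, spn, "oozie"));
            } catch (AuthException e) {
                System.out.println(spn + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The third case is the one to check in a real deployment: a ticket issued for a different server's host principal must still be rejected, since the fallback widens acceptance only to this server's own host principal.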
