[jira] [Commented] (OOZIE-1865) Oozie servers can't talk to each other with Oozie HA and Kerberos

Fri, 13 Jun 2014 18:22:33 -0700 

    [ 
https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14031385#comment-14031385
 ] 

Robert Kanter commented on OOZIE-1865:
--------------------------------------

I looked into this and doing the above idea is hacky and requires a lot of 
extra configuration properties.  I've just tested using a hadoop-auth with 
HADOOP-10158 and it works very easily; all you have to do is put both HTTP 
principals (and the oozie principal) into the same keytab and set 
{{oozie.authentication.kerberos.principal}} to {{*}} (asterisks).  

I think we should just use this JIRA to update the Oozie HA Install 
documentation to mention this limitation and that compiling against Hadoop-Auth 
from Hadoop 2.5.0 or later with the settings I just mentioned will work.

> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
>                 Key: OOZIE-1865
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1865
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>
> When you use Oozie HA with Kerberos, you have to set 
> {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}} 
> instead of {{HTTP/<oozie-server-host>}}.  This allows clients to connect to 
> any of the Oozie servers through the load balancer.  However, it also blocks 
> clients from directly talking to any of the Oozie servers.  In and of itself, 
> that's okay, but it turns out that in most cases, it also blocks the Oozie 
> servers from talking to each other, namely for log streaming, the 
> sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).  
> Ultimately, what we need to do is allow Oozie to use both 
> {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the 
> same time so that clients (including Oozie servers, users, Web UI, etc) can 
> talk to Oozie both through the load balancer and directly.  If my 
> understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.  
> For this JIRA, we should update Oozie to take advantage of HADOOP-10158.  



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to