[ 
https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052618#comment-14052618
 ] 

Rohini Palaniswamy commented on OOZIE-1865:
-------------------------------------------

oozie.authentication.signature.secret - Even though this can be configured, 
configuring it as a plain string by user vs the random number generated during 
startup would be a total no-no in terms of security. We should put the random 
generated secret on startup in zookeeper and use it from there. Should also 
keep changing it on server startup as before, keeping only one secret. Can you 
remove that part from the documentation? It currently works even if the secret is 
not the same (falls back to authentication and issues a new token), though 
inefficient as the token will keep getting invalidated by the other server. We can 
create a separate jira to put the secret in zookeeper.

"For Hadoop 2.5.0 and later" section looks good. Can you clarify how, for 
earlier versions of Hadoop, setting =oozie.authentication.kerberos.principal= 
to =HTTP/load-balancer-host@realm= will work for server to server communication 
even though the keytab has the host principals, as KerberosAuthenticationHandler 
does not load the host principals like in HADOOP-10158?
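The point about mismatched signature secrets can be made concrete with a small simulation. The code below is an added illustration, not Oozie or Hadoop code: it uses a simplified HMAC signer standing in for the AuthenticationFilter cookie signer, a dict standing in for ZooKeeper, and constructed server names and token fields. Two HA servers are given either independently generated per-startup secrets or one secret published through the coordination store, and a single client's requests are alternated between them as a load balancer would. Verification never fails open: a token signed with a different secret is simply rejected and the client is re-authenticated, which is the inefficiency described above.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the signed authentication cookie. Hadoop's
# AuthenticationFilter HMAC-signs a token string with the configured
# signature secret; this simplified signer is an illustration only.

def new_secret() -> bytes:
    """Random secret, as a server generates on startup when none is configured."""
    return secrets.token_bytes(32)

def sign_token(payload: str, secret: bytes) -> str:
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + "&s=" + base64.urlsafe_b64encode(mac).decode()

def verify_token(signed: str, secret: bytes) -> bool:
    payload, sep, sig = signed.rpartition("&s=")
    if not sep:
        return False
    expected = base64.urlsafe_b64encode(
        hmac.new(secret, payload.encode(), hashlib.sha256).digest()).decode()
    # Constant-time comparison so signature checks do not leak timing.
    return hmac.compare_digest(expected, sig)

class OozieServer:
    """One HA server instance holding its own signature secret (hypothetical class)."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def handle(self, user: str, token: Optional[str]) -> Tuple[bool, str]:
        """Return (reauthenticated, token).

        A token signed under a different secret fails verification, so the
        server falls back to full authentication and issues a fresh token
        signed with its own secret, exactly as described in the comment.
        """
        if token is not None and verify_token(token, self.secret):
            return False, token
        fresh = sign_token(f"u={user}&t=kerberos&issuer={self.name}", self.secret)
        return True, fresh

def simulate(shared_secret: bool, n_requests: int) -> int:
    """Alternate n_requests from one client between two HA servers and
    count how many of them required re-authentication."""
    if shared_secret:
        # Secret generated once and published to a coordination store
        # (this dict stands in for ZooKeeper); every server reads it on startup.
        store = {"oozie.authentication.signature.secret": new_secret()}
        secret = store["oozie.authentication.signature.secret"]
        servers = [OozieServer("server1", secret), OozieServer("server2", secret)]
    else:
        # Each server generates its own secret on startup; neither knows the other's.
        servers = [OozieServer("server1", new_secret()),
                   OozieServer("server2", new_secret())]
    token = None
    reauths = 0
    for i in range(n_requests):
        reauth, token = servers[i % 2].handle("alice", token)
        reauths += int(reauth)
    return reauths

if __name__ == "__main__":
    print("independent secrets, 6 requests:", simulate(False, 6), "re-authentications")
    print("shared secret,       6 requests:", simulate(True, 6), "re-authentications")
```

With independent secrets every request that lands on the other server is re-authenticated, so the count equals the number of requests; with one shared secret only the first request authenticates and the same token is accepted by both servers. Whatever store distributes the shared secret, access to it needs to be restricted to the Oozie server principals, since anyone who can read it can mint accepted tokens.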

> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
>                 Key: OOZIE-1865
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1865
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: OOZIE-1865.patch
>
>
> When you use Oozie HA with Kerberos, you have to set 
> {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}} 
> instead of {{HTTP/<oozie-server-host>}}.  This allows clients to connect to 
> any of the Oozie servers through the load balancer.  However, it also blocks 
> clients from directly talking to any of the Oozie servers.  In and of itself, 
> that's okay, but it turns out that in most cases, it also blocks the Oozie 
> servers from talking to each other, namely for log streaming, the 
> sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).  
> Ultimately, what we need to do is allow Oozie to use both 
> {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the 
> same time so that clients (including Oozie servers, users, Web UI, etc) can 
> talk to Oozie both through the load balancer and directly.  If my 
> understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.  
> For this JIRA, we should update Oozie to take advantage of HADOOP-10158.  

--
This message was sent by Atlassian JIRA
(v6.2#6252)