[ https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14061282#comment-14061282 ]
Arpit Gupta commented on OOZIE-1865:
------------------------------------

Thanks [~rkanter]. Do you think it makes sense to separate out oozie service and spnego login and use * only for the spnego principal? That way we can still separate out the spnego principal from service principal keytabs.

> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
> Key: OOZIE-1865
> URL: https://issues.apache.org/jira/browse/OOZIE-1865
> Project: Oozie
> Issue Type: Bug
> Components: HA
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Fix For: trunk
>
> Attachments: OOZIE-1865.patch, OOZIE-1865.patch
>
>
> When you use Oozie HA with Kerberos, you have to set
> {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}}
> instead of {{HTTP/<oozie-server-host>}}. This allows clients to connect to
> any of the Oozie servers through the load balancer. However, it also blocks
> clients from directly talking to any of the Oozie servers. In and of itself,
> that's okay, but it turns out that in most cases, it also blocks the Oozie
> servers from talking to each other, namely for log streaming, the
> sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).
> Ultimately, what we need to do is allow Oozie to use both
> {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the
> same time so that clients (including Oozie servers, users, Web UI, etc) can
> talk to Oozie both through the load balancer and directly. If my
> understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.
> For this JIRA, we should update Oozie to take advantage of HADOOP-10158.

--
This message was sent by Atlassian JIRA
(v6.2#6252)