[ https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14061317#comment-14061317 ]
Robert Kanter commented on OOZIE-1865: -------------------------------------- The * actually only looks for SPNEGO principals. Specifically, in the code, it looks for this pattern: {{"HTTP/.*"}}. To clarify, you want to allow the oozie/ principal (which is used by Oozie to talk to other things) to be able to be specified as a separate config property? I think that should be fine as long as it's backwards compatible with the current behavior. > Oozie servers can't talk to each other with Oozie HA and Kerberos > ----------------------------------------------------------------- > > Key: OOZIE-1865 > URL: https://issues.apache.org/jira/browse/OOZIE-1865 > Project: Oozie > Issue Type: Bug > Components: HA > Affects Versions: trunk > Reporter: Robert Kanter > Assignee: Robert Kanter > Fix For: trunk > > Attachments: OOZIE-1865.patch, OOZIE-1865.patch > > > When you use Oozie HA with Kerberos, you have to set > {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}} > instead of {{HTTP/<oozie-server-host>}}. This allows clients to connect to > any of the Oozie servers through the load balancer. However, it also blocks > clients from directly talking to any of the Oozie servers. In and of itself, > that's okay, but it turns out that in most cases, it also blocks the Oozie > servers from talking to each other, namely for log streaming, the > sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676). > Ultimately, what we need to do is allow Oozie to use both > {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the > same time so that clients (including Oozie servers, users, Web UI, etc) can > talk to Oozie both through the load balancer and directly. If my > understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability. > For this JIRA, we should update Oozie to take advantage of HADOOP-10158. -- This message was sent by Atlassian JIRA (v6.2#6252)