[ https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14061532#comment-14061532 ]

Robert Kanter commented on OOZIE-1865:
--------------------------------------

The oozie.service.HadoopAccessorService properties are for Oozie talking to 
Hadoop and are independent of the oozie.authentication properties, which are 
for the HTTP endpoint.  

Ok, I think I understand what you want to do and I don't think we actually need 
another JIRA for that.  Is this what you're trying to do?
- put the HTTP principals into a keytab specified by 
{{oozie.authentication.kerberos.keytab}}
- put the oozie service principal in a keytab specified by 
{{oozie.service.HadoopAccessorService.keytab.file}}
- set {{oozie.authentication.kerberos.principal}} to {{*}}
- set {{oozie.service.HadoopAccessorService.kerberos.principal}} to the oozie 
principal

Keep in mind that the patch for OOZIE-1865 doesn't change any code; it's only 
docs changes on how to properly configure Oozie HA to allow HTTP connections 
both directly and through the load balancer.  But only if you have Hadoop 2.5.0 
or later (more specifically, you need HADOOP-10158, so you should backport that 
to HDP or this won't work).  Otherwise, you can only allow one.

Makes sense?

> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
>                 Key: OOZIE-1865
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1865
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>             Fix For: trunk
>
>         Attachments: OOZIE-1865.patch, OOZIE-1865.patch
>
>
> When you use Oozie HA with Kerberos, you have to set 
> {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}} 
> instead of {{HTTP/<oozie-server-host>}}.  This allows clients to connect to 
> any of the Oozie servers through the load balancer.  However, it also blocks 
> clients from directly talking to any of the Oozie servers.  In and of itself, 
> that's okay, but it turns out that in most cases, it also blocks the Oozie 
> servers from talking to each other, namely for log streaming, the 
> sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).  
> Ultimately, what we need to do is allow Oozie to use both 
> {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the 
> same time so that clients (including Oozie servers, users, Web UI, etc) can 
> talk to Oozie both through the load balancer and directly.  If my 
> understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.  
> For this JIRA, we should update Oozie to take advantage of HADOOP-10158.  



--
This message was sent by Atlassian JIRA
(v6.2#6252)
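
A check for the four settings listed in the comment above, run over an `oozie-site.xml` body. This is an added example, not code from the Oozie project or from the commenter; the function names, hosts, realm and keytab paths are assumptions made up for illustration, and the script cannot tell whether the Hadoop in use includes HADOOP-10158, which the `*` setting depends on.

```python
import xml.etree.ElementTree as ET

AUTH_PRINCIPAL = "oozie.authentication.kerberos.principal"
AUTH_KEYTAB = "oozie.authentication.kerberos.keytab"
SVC_PRINCIPAL = "oozie.service.HadoopAccessorService.kerberos.principal"
SVC_KEYTAB = "oozie.service.HadoopAccessorService.keytab.file"

def site_xml(values):
    """Build a constructed oozie-site.xml body from a name -> value dict."""
    rows = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in values.items())
    return f"<configuration>{rows}</configuration>"

# Constructed samples: hosts, realm and keytab paths are placeholders.
BASE = {AUTH_KEYTAB: "/etc/oozie/conf/http.keytab",
        SVC_KEYTAB: "/etc/oozie/conf/oozie.keytab",
        SVC_PRINCIPAL: "oozie/oozie1.example.com@EXAMPLE.COM"}
LB_ONLY_SITE = site_xml({**BASE, AUTH_PRINCIPAL: "HTTP/lb.example.com@EXAMPLE.COM"})
WILDCARD_SITE = site_xml({**BASE, AUTH_PRINCIPAL: "*"})

def load_props(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_ha_kerberos(props):
    """Return a list of findings; an empty list means all four settings match."""
    findings = [f"{key} is not set"
                for key in (AUTH_PRINCIPAL, AUTH_KEYTAB, SVC_PRINCIPAL, SVC_KEYTAB)
                if not props.get(key)]
    auth = props.get(AUTH_PRINCIPAL, "")
    if auth and auth != "*":
        # A single HTTP principal allows load-balancer or direct access, not both.
        findings.append(f"{AUTH_PRINCIPAL} is '{auth}', not '*'")
    svc = props.get(SVC_PRINCIPAL, "")
    if svc == "*" or svc.startswith("HTTP/"):
        # Assumption: the Hadoop-facing principal is the oozie one, never HTTP/ or '*'.
        findings.append(f"{SVC_PRINCIPAL} is '{svc}', expected the oozie principal")
    return findings

if __name__ == "__main__":
    for label, site in (("lb-only", LB_ONLY_SITE), ("wildcard", WILDCARD_SITE)):
        print(label, check_ha_kerberos(load_props(site)) or "OK")
```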
