Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2014/07/05 03:48:34 UTC

[jira] [Updated] (OOZIE-1865) Oozie servers can't talk to each other with Oozie HA and Kerberos

     [ https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated OOZIE-1865:
---------------------------------

    Attachment: OOZIE-1865.patch

On the secret thing, you're right.  In fact, we should make the default use the random number instead of the current default, which is the super-obvious "oozie".  I've removed this stuff from the updated patch, and I've created OOZIE-1917.

{quote}Can you clarify how for earlier versions of Hadoop, setting =oozie.authentication.kerberos.principal= to =HTTP/load-balancer-host@realm= will work for server to server communication even though keytab has the host principals as KerberosAuthenticationHandler does not load the host principals like in HADOOP-10158?{quote}
That's the thing, it doesn't.  With earlier versions of Hadoop, you won't have server to server communication.  You have to choose to either use the load balancer host or the server host; can't have both.  I've made this more clear in the updated patch.

> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
>                 Key: OOZIE-1865
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1865
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: OOZIE-1865.patch, OOZIE-1865.patch
>
>
> When you use Oozie HA with Kerberos, you have to set {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}}.  This allows clients to connect to any of the Oozie servers through the load balancer.  However, it also blocks clients from directly talking to any of the Oozie servers.  In and of itself, that's okay, but it turns out that in most cases, it also blocks the Oozie servers from talking to each other, namely for log streaming, the sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).  
> Ultimately, what we need to do is allow Oozie to use both {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the same time so that clients (including Oozie servers, users, Web UI, etc) can talk to Oozie both through the load balancer and directly.  If my understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.  For this JIRA, we should update Oozie to take advantage of HADOOP-10158.  


