[
https://issues.apache.org/jira/browse/KNOX-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16012963#comment-16012963
]
Larry McCay commented on KNOX-941:
----------------------------------
[~keyki] - this is an interesting case.
I believe this issue is as follows:
1. RangerUI service definition is explicitly asking for the PassAllHeaders
dispatch provider
2. Ranger HA is provided by loadbalancing in an active:active manner unlike
other HA protocols in the hadoop ecosystem
3. the Knox HA Provider assumes the active:passive manner of HA rather than
loadbalancing in an active:active way
3. Knox HA Provider has its own dispatch provider called DefaultHaDispatch
which is replacing the expected PassAllHeaders provider mentioned in #1
There are a couple things to note here:
1. we can certainly look at passing all headers in DefaultHaDispatch as an
enhancement
2. the fact that we can get this to work does not mean that Ranger should
leverage this mechanism as a replacement for loadbalancing of its HTTP resource
requests - the HA Provider does NOT loadbalance
I've set the Fix Version of this issue to 0.13.0 so that we can look at
extending DefaultHaDispatch to send all headers as an enhancement but will
likely change the title if we add that to be more generic.
I believe the correct deployment scenario for Ranger is to have multiple
instances behind a loadbalancer and the Knox RANGERUI service be configured to
point to the loadbalancer for HA and loadbalancing.
> Ranger HA does not work through Knox
> ------------------------------------
>
> Key: KNOX-941
> URL: https://issues.apache.org/jira/browse/KNOX-941
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 0.11.0
> Reporter: Krisztian Horvath
> Fix For: 0.13.0
>
> Attachments: gateway.log, ranger_admin_compact.log, ranger-ha.bp,
> services.xml
>
>
> Ranger Admin runs in HA mode and knox is configured with:
> {code}
> <provider>
> <role>ha</role>
> <name>HaProvider</name>
> <enabled>true</enabled>
> <param>
> <name>RANGERUI</name>
>
> <value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true</value>
> </param>
> </provider>
> <service>
> <role>RANGERUI</role>
> <url>http://ip-10-0-2-243.eu-west-1.compute.internal:6080</url>
> <url>http://ip-10-0-2-10.eu-west-1.compute.internal:6080</url>
> </service>
> {code}
> Knox keeps redirecting to the login page. In Ranger log I can see however the
> login was successful so it accepted the credentials. Load-balancing works as
> I stop one of the Ranger Admins I still can reach the UI, but cannot move on
> from the login page. Might be some session issue.
> Attached the knox topology and log file and ranger aggregated log.
> Ranger is installed with Ambari through Blueprints (see attachment)
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
