[jira] [Commented] (OOZIE-1865) Oozie servers can't talk to each other with Oozie HA and Kerberos

Mon, 16 Jun 2014 14:44:23 -0700 

    [ 
https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033039#comment-14033039
 ] 

Robert Kanter commented on OOZIE-1865:
--------------------------------------

I haven't actually tried that, but I think it should work because HADOOP-10158 
only changed KerberosAuthenticationHandler (server-side) and not 
KerberosAuthenticator (client-side).  That said, I was planning on leaving the 
hadoop-auth version alone (2.5.0 is not out yet and using a SNAPSHOT has caused 
problems in the past when they delete the SNAPSHOT jars eventually and you 
can't compile); I was just going to update the documentation to note this 
limitation and that 2.5.0, with some minor config changes, fixes it.  While I'm 
at it, I was also going to add a note that the authentication secret needs to 
be the same on all Oozie servers so they accept each other's tokens.

> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
>                 Key: OOZIE-1865
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1865
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>
> When you use Oozie HA with Kerberos, you have to set 
> {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}} 
> instead of {{HTTP/<oozie-server-host>}}.  This allows clients to connect to 
> any of the Oozie servers through the load balancer.  However, it also blocks 
> clients from directly talking to any of the Oozie servers.  In and of itself, 
> that's okay, but it turns out that in most cases, it also blocks the Oozie 
> servers from talking to each other, namely for log streaming, the 
> sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).  
> Ultimately, what we need to do is allow Oozie to use both 
> {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the 
> same time so that clients (including Oozie servers, users, Web UI, etc) can 
> talk to Oozie both through the load balancer and directly.  If my 
> understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.  
> For this JIRA, we should update Oozie to take advantage of HADOOP-10158.  



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to