[
https://issues.apache.org/jira/browse/OOZIE-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14061282#comment-14061282
]
Arpit Gupta commented on OOZIE-1865:
------------------------------------
Thanks [~rkanter]. Do you think it makes sense to separate out oozie service
and spengo login and use * only for the spengo principal? That way we can still
separate out the spnego principal from service principal keytabs.
> Oozie servers can't talk to each other with Oozie HA and Kerberos
> -----------------------------------------------------------------
>
> Key: OOZIE-1865
> URL: https://issues.apache.org/jira/browse/OOZIE-1865
> Project: Oozie
> Issue Type: Bug
> Components: HA
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Fix For: trunk
>
> Attachments: OOZIE-1865.patch, OOZIE-1865.patch
>
>
> When you use Oozie HA with Kerberos, you have to set
> {{oozie.authentication.kerberos.principal}} to {{HTTP/<load-balancer-host>}}
> instead of {{HTTP/<oozie-server-host>}}. This allows clients to connect to
> any of the Oozie servers through the load balancer. However, it also blocks
> clients from directly talking to any of the Oozie servers. In and of itself,
> that's okay, but it turns out that in most cases, it also blocks the Oozie
> servers from talking to each other, namely for log streaming, the
> sharelibupdate command, and collating instrumentation/metrics (OOZIE-1676).
> Ultimately, what we need to do is allow Oozie to use both
> {{HTTP/<load-balancer-host>}} instead of {{HTTP/<oozie-server-host>}} at the
> same time so that clients (including Oozie servers, users, Web UI, etc) can
> talk to Oozie both through the load balancer and directly. If my
> understanding of HADOOP-10158 is correct, HADOOP-10158 adds this ability.
> For this JIRA, we should update Oozie to take advantage of HADOOP-10158.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
