Thanks Ram! Even if corp-behind-nat + headless + Krb5 works, is it worth testing?
To me, oozie+hdfsproxy is one set. Is there any realistic usage for running oozie but not having hdfs(hdfsproxy) access?

Koji

From: Ram Marti <[email protected]>
Date: Thu, 22 Mar 2012 15:18:28 -0700
To: Ryota Egashira <[email protected]>, Koji Noguchi <[email protected]>
Cc: Rajiv Chittajallu <[email protected]>, Grid Solutions <[email protected]>
Subject: Re: Grid access for oozie/hdfsproxy/launcher and corp/colo

Ryota,

Corp-behind-NAT headless    NONE    NO    NO

I think Corp-Behind-Nat with Krb5 for headless user will work, I think. We should test this. Grid does not enforce IP address restriction on the Krb5 tickets.

Otherwise this looks correct.

BTW, good timing. I have the CI folks confused (apparently they got different advice from different folks). I will work with them and document how CI can use the Grid and pass it by solutions.

- Ram

From: Ryota Egashira <[email protected]>
Date: Thu, 22 Mar 2012 10:21:29 -0700
To: Koji Noguchi <[email protected]>, Ram Marti <[email protected]>
Cc: Rajiv Chittajallu <[email protected]>, Grid Solutions <[email protected]>
Subject: Re: Grid access for oozie/hdfsproxy/launcher and corp/colo

Still work in progress, but here is twiki
http://twiki.corp.yahoo.com/view/Grid/LauncherRecommendation

Ryota

On 3/22/12 8:52 AM, "Koji Noguchi" <[email protected]> wrote:

+Ram(rmarti@)

Ram, does the table look right to you?

Koji

From: Koji Noguchi <[email protected]>
Date: Mon, 19 Mar 2012 16:43:48 -0700
To: Ryota Egashira <[email protected]>
Cc: Rajiv Chittajallu <[email protected]>, Grid Solutions <[email protected]>
Subject: Grid access for oozie/hdfsproxy/launcher and corp/colo

Ryota,

Rajiv created a table for us. I think this is a good way to look at it.

                       | Oozie    | hdfsproxy | Launcher  |
=====================================================================
Corp(SNV) regular      | BY       | exception | exception |
Corp(SNV) headless     | KRB5/YCA | exception | exception |
Corp-NAT regular       | BY       | NO        | NO        |
Corp-NAT headless      | NONE     | NO        | NO        |
Corp-in-colo regular   | KRB5(DS) | KRB5(DS)  | OK        |
Corp-in-colo headless  | KRB5/YCA | KRB5/YCA  | OK        |
Colo regular           | KRB5(DS) | KRB5(DS)  | OK        |
Colo headless          | KRB5/YCA | KRB5/YCA  | OK        |
=====================================================================

Notes: Both Corp-IN-Colo and Colo (Sec Zone 50/40) machines can be treated the same

==============

Corp* + Oozie + user = BY is useless since hdfsproxy doesn't allow it.

Yahoo as a company is moving toward having corp-in-colo dev boxes (for gsdata/ucdev like boxes).

Desktop, it's too unreliable from SE/paranoid view that we should just give up on supporting these as grid client. Laptop, even worse.

Koji
