-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50647/
-----------------------------------------------------------

(Updated July 31, 2016, 10 p.m.)


Review request for Ambari, Alejandro Fernandez, Andrew Onischuk, Jonathan 
Hurley, Jayush Luniya, Sumit Mohanty, Vitalyi Brodetskyi, and Venkat 
Ranganathan.


Bugs: AMBARI-17968
    https://issues.apache.org/jira/browse/AMBARI-17968


Repository: ambari


Description (updated)
-------

Changed `oozie-site/oozie.authentication.kerberos.principal` and 
`oozie-site/oozie.authentication.kerberos.keytab` properties are reverted while 
regenerating keytab files.

The changed properties are needed to support Oozie in high availability (HA) 
mode with failover enabled via a load balancing proxy server.

# Cause
The relevant part of the Kerberos descriptor for Oozie is:
```
            {
              "name": "/spnego",
              "principal": {
                "configuration": "oozie-site/oozie.authentication.kerberos.principal"
              },
              "keytab": {
                "configuration": "oozie-site/oozie.authentication.kerberos.keytab"
              }
            }
```

Because of this, certain Kerberos-related operations (like Regenerate Keytabs) 
reset the values of `oozie-site/oozie.authentication.kerberos.principal` and 
`oozie-site/oozie.authentication.kerberos.keytab` to match the principal name 
and keytab file of the Kerberos identity definition for `/spnego`.

However, in HA, the properties need to be something like:
```
oozie.authentication.kerberos.principal = "*"
oozie.authentication.kerberos.keytab = "/path/to/oozie_ha.keytab"
```

# Solution
After enabling HA and either before or after enabling Kerberos, the following 
`oozie-site` properties may be set:
* `oozie.ha.authentication.kerberos.principal`
* `oozie.ha.authentication.kerberos.keytab`

If either exists when configuring Oozie, the value of the property will be used 
to update the relevant `oozie.authentication.kerberos.*` property.

For example:
* if `oozie.ha.authentication.kerberos.principal` is set, its value will be 
used to set `oozie.authentication.kerberos.principal`
* if `oozie.ha.authentication.kerberos.keytab` is set, its value will be used 
to set `oozie.authentication.kerberos.keytab`

Note: One or both may be set.

So even though `oozie.authentication.kerberos.principal` will contain a 
principal name like `HTTP/_HOST@SOME.REALM`, when writing the oozie-site.xml 
file, the value for `oozie.authentication.kerberos.principal` will be written 
out as the value set for `oozie.ha.authentication.kerberos.principal`, which 
would typically be "*", when HA is enabled for Oozie.


Diffs
-----

  
  ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java 23c9edc 
  ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py 00229d3 
  ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py 99d6dec 

Diff: https://reviews.apache.org/r/50647/diff/


Testing
-------

Manually tested

# Local test results: 

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:19.684s
[INFO] Finished at: Sun Jul 31 21:36:24 EDT 2016
[INFO] Final Memory: 71M/1705M
[INFO] ------------------------------------------------------------------------

# Jenkins test results: PENDING


Thanks,

Robert Levas
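
The reset described under Cause and the override described under Solution, modelled as an added Python example; it is not part of the review request and is not Ambari's code. The function names, the `/spnego` keytab path and the sample values are constructed for illustration.

```python
# Added illustration; function names are hypothetical, not Ambari's.
SPNEGO_IDENTITY = {  # descriptor fragment quoted in the description
    "name": "/spnego",
    "principal": {"configuration": "oozie-site/oozie.authentication.kerberos.principal"},
    "keytab": {"configuration": "oozie-site/oozie.authentication.kerberos.keytab"},
}
# Constructed sample values for the /spnego identity definition.
SPNEGO_VALUES = {"principal": "HTTP/_HOST@SOME.REALM",
                 "keytab": "/etc/security/keytabs/spnego.service.keytab"}

HA_PREFIX = "oozie.ha.authentication.kerberos."
BASE_PREFIX = "oozie.authentication.kerberos."


def regenerate_keytabs(configs, identity=SPNEGO_IDENTITY, values=SPNEGO_VALUES):
    """Model the reset: every property the identity points at is overwritten."""
    out = {ctype: dict(props) for ctype, props in configs.items()}
    for field in ("principal", "keytab"):
        ctype, prop = identity[field]["configuration"].split("/", 1)
        out.setdefault(ctype, {})[prop] = values[field]
    return out


def effective_oozie_site(oozie_site):
    """Values to write to oozie-site.xml: oozie.ha.* wins where it exists."""
    site = dict(oozie_site)
    for suffix in ("principal", "keytab"):
        if HA_PREFIX + suffix in site:  # one or both may be set
            site[BASE_PREFIX + suffix] = site[HA_PREFIX + suffix]
    return site


def demo():
    ha_values = {"principal": "*", "keytab": "/path/to/oozie_ha.keytab"}
    # Case 1: HA values put directly in the base properties, then regenerate.
    direct = {"oozie-site": {BASE_PREFIX + k: v for k, v in ha_values.items()}}
    lost = effective_oozie_site(regenerate_keytabs(direct)["oozie-site"])
    # Case 2: HA values put in the oozie.ha.* properties, then regenerate.
    via_ha = {"oozie-site": {HA_PREFIX + k: v for k, v in ha_values.items()}}
    kept = effective_oozie_site(regenerate_keytabs(via_ha)["oozie-site"])
    return lost, kept


if __name__ == "__main__":
    for label, site in zip(("direct edit", "oozie.ha.* set"), demo()):
        print(label, "->", site[BASE_PREFIX + "principal"], site[BASE_PREFIX + "keytab"])
```
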
