
(Updated July 31, 2016, 10 p.m.)

Review request for Ambari, Alejandro Fernandez, Andrew Onischuk, Jonathan 
Hurley, Jayush Luniya, Sumit Mohanty, Vitalyi Brodetskyi, and Venkat 

Bugs: AMBARI-17968

Repository: ambari

Description (updated)

Changed `oozie-site/oozie.authentication.kerberos.principal` and 
`oozie-site/oozie.authentication.kerberos.keytab` properties are reverted while 
regenerating keytab files.

The changed properties are needed to support Oozie in high availability (HA) 
mode with failover enabled via a load balancing proxy server.

# Cause
The relevant part of the Kerberos descriptor for Oozie is:
              "name": "/spnego",
              "principal": {
              "keytab": {

Because of this, certain Kerberos-related operations (like Regenerate Keytabs) 
reset the values of `oozie-site/oozie.authentication.kerberos.principal` and 
`oozie-site/oozie.authentication.kerberos.keytab` to match the principal name 
and keytab file of the Kerberos identity definition for `/spnego`.

However, in HA, the properties need to be something like:
oozie.authentication.kerberos.principal = "*"
oozie.authentication.kerberos.keytab = "/path/to/oozie_ha.keytab"

# Solution
After enabling HA and either before or after enabling Kerberos, the following 
`oozie-site` properties may be set:
* `oozie.ha.authentication.kerberos.principal`
* `oozie.ha.authentication.kerberos.keytab`

If either exists when configuring Oozie, the value of the property will be used 
to update the relevant `oozie.authentication.kerberos.*` property.

For example:
* if `oozie.ha.authentication.kerberos.principal` is set, its value will be 
used to set `oozie.authentication.kerberos.principal`
* if `oozie.ha.authentication.kerberos.keytab` is set, its value will be used 
to set `oozie.authentication.kerberos.keytab`

Note: One or both may be set.

So even though `oozie.authentication.kerberos.principal` will contain a 
principal name like `HTTP/_HOST@SOME.REALM`, when writing the oozie-site.xml 
file, the value for `oozie.authentication.kerberos.principal` will be written 
out as the value set for `oozie.ha.authentication.kerberos.principal`, which 
would typically be "*", when HA is enabled for Oozie.


  ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py 99d6dec 

Diff: https://reviews.apache.org/r/50647/diff/


Manually tested

# Local test results: 

[INFO] ------------------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:19.684s
[INFO] Finished at: Sun Jul 31 21:36:24 EDT 2016
[INFO] Final Memory: 71M/1705M
[INFO] ------------------------------------------------------------------------

# Jenkins test results: PENDING


Robert Levas
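
The override rule from the Solution section, modelled as an added example (not code from the patch or from Ambari): the function names, the `/path/to/spnego.keytab` value and the choice to keep the `oozie.ha.*` entries in the output are assumptions made for illustration.

```python
# Added illustration; function names and sample values are hypothetical, not Ambari code.
from xml.etree import ElementTree as ET

HA_PREFIX = "oozie.ha.authentication.kerberos."
BASE_PREFIX = "oozie.authentication.kerberos."
OVERRIDABLE = ("principal", "keytab")


def regenerate_keytabs(site, spnego_principal, spnego_keytab):
    """Model the reset described under Cause: the base properties are forced
    back to the /spnego identity; the oozie.ha.* properties are not touched."""
    updated = dict(site)
    updated[BASE_PREFIX + "principal"] = spnego_principal
    updated[BASE_PREFIX + "keytab"] = spnego_keytab
    return updated


def effective_oozie_site(site):
    """Return the properties to write out: each oozie.ha.* value that is set
    replaces the matching oozie.authentication.kerberos.* value."""
    effective = dict(site)
    for suffix in OVERRIDABLE:
        ha_value = site.get(HA_PREFIX + suffix)
        if ha_value:  # unset or empty: keep the descriptor-managed value
            effective[BASE_PREFIX + suffix] = ha_value
    return effective


def render_site_xml(props):
    """Serialize properties in the Hadoop *-site.xml layout."""
    root = ET.Element("configuration")
    for name in sorted(props):
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = props[name]
    return ET.tostring(root, encoding="unicode")


# Constructed sample: HA values set by the operator, then a keytab regeneration.
stored = regenerate_keytabs(
    {HA_PREFIX + "principal": "*", HA_PREFIX + "keytab": "/path/to/oozie_ha.keytab"},
    "HTTP/_HOST@SOME.REALM", "/path/to/spnego.keytab")
written = effective_oozie_site(stored)
```

The stored configuration keeps the descriptor-managed value, so a later Regenerate Keytabs can reset it without changing what is written to `oozie-site.xml`.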
