-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50647/#review144299
-----------------------------------------------------------

ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py (line 150)
<https://reviews.apache.org/r/50647/#comment210306>

Will the removal of the check cause issues for Ambari upgrade for a deployed 2.1 or 2.2 cluster?

- Sumit Mohanty

On Aug. 1, 2016, 2 a.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50647/
> -----------------------------------------------------------
>
> (Updated Aug. 1, 2016, 2 a.m.)
>
>
> Review request for Ambari, Alejandro Fernandez, Andrew Onischuk, Jonathan
> Hurley, Jayush Luniya, Sumit Mohanty, Vitalyi Brodetskyi, and Venkat
> Ranganathan.
>
>
> Bugs: AMBARI-17968
>     https://issues.apache.org/jira/browse/AMBARI-17968
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Changed `oozie-site/oozie.authentication.kerberos.principal` and
> `oozie-site/oozie.authentication.kerberos.keytab` properties are reverted
> while regenerating keytab files.
>
> The changed properties are needed to support Oozie in high availability (HA)
> mode with failover enabled via a load balancing proxy server.
>
> # Cause
> The relevant part of the Kerberos descriptor for Oozie is:
> ```
> {
>   "name": "/spnego",
>   "principal": {
>     "configuration": "oozie-site/oozie.authentication.kerberos.principal"
>   },
>   "keytab": {
>     "configuration": "oozie-site/oozie.authentication.kerberos.keytab"
>   }
> }
> ```
>
> Because of this, certain Kerberos-related operations (like Regenerate
> Keytabs) reset the values of
> `oozie-site/oozie.authentication.kerberos.principal` and
> `oozie-site/oozie.authentication.kerberos.keytab` to match the principal name
> and keytab file of the Kerberos identity definition for `/spnego`.
>
> However, in HA, the properties need to be something like:
> ```
> oozie.authentication.kerberos.principal = "*"
> oozie.authentication.kerberos.keytab = "/path/to/oozie_ha.keytab"
> ```
>
> # Solution
> After enabling HA and either before or after enabling Kerberos, the following
> `oozie-site` properties may be set:
> * `oozie.ha.authentication.kerberos.principal`
> * `oozie.ha.authentication.kerberos.keytab`
>
> If either exists when configuring Oozie, the value of the property will be
> used to update the relevant `oozie.authentication.kerberos.*` property.
>
> For example:
> * if `oozie.ha.authentication.kerberos.principal` is set, its value will be
>   used to set `oozie.authentication.kerberos.principal`
> * if `oozie.ha.authentication.kerberos.keytab` is set, its value will be
>   used to set `oozie.authentication.kerberos.keytab`
>
> Note: One or both may be set.
>
> So even though `oozie.authentication.kerberos.principal` will contain a
> principal name like `HTTP/_HOST@SOME.REALM`, when writing the oozie-site.xml
> file, the value for `oozie.authentication.kerberos.principal` will be written
> out as the value set for `oozie.ha.authentication.kerberos.principal`, which
> would typically be "*", when HA is enabled for Oozie.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/BlueprintConfigurationProcessor.java 23c9edc
>   ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/package/scripts/params_linux.py 00229d3
>   ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py 99d6dec
>
> Diff: https://reviews.apache.org/r/50647/diff/
>
>
> Testing
> -------
>
> Manually tested
>
> # Local test results:
>
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 1:19.684s
> [INFO] Finished at: Sun Jul 31 21:36:24 EDT 2016
> [INFO] Final Memory: 71M/1705M
> [INFO] ------------------------------------------------------------------------
>
> # Jenkins test results: PENDING
>
>
> Thanks,
>
> Robert Levas
>
>
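
The behaviour described in the review request, as an added Python sketch that is not Ambari's code and not part of the original e-mail: `regenerate_keytabs` models the descriptor-driven reset, and `effective_oozie_site` models the HA override applied when oozie-site.xml is written. The function names, the spnego keytab path and the rule that a blank value counts as unset are assumptions.

```python
# Added illustration, not Ambari's code. Function names, sample values and
# the "blank means unset" rule are assumptions.
AUTH_PRINCIPAL = "oozie.authentication.kerberos.principal"
AUTH_KEYTAB = "oozie.authentication.kerberos.keytab"
HA_OVERRIDES = {
    "oozie.ha.authentication.kerberos.principal": AUTH_PRINCIPAL,
    "oozie.ha.authentication.kerberos.keytab": AUTH_KEYTAB,
}
# Constructed values standing in for the resolved /spnego identity.
SPNEGO_IDENTITY = {
    AUTH_PRINCIPAL: "HTTP/_HOST@SOME.REALM",
    AUTH_KEYTAB: "/path/to/spnego.keytab",  # placeholder path
}


def regenerate_keytabs(oozie_site):
    """Model the reset: descriptor-mapped properties take the /spnego values."""
    site = dict(oozie_site)
    site.update(SPNEGO_IDENTITY)
    return site


def effective_oozie_site(oozie_site):
    """Model the fix: at write time a set oozie.ha.* property wins."""
    site = dict(oozie_site)
    for ha_key, target in HA_OVERRIDES.items():
        value = site.get(ha_key)
        if isinstance(value, str) and value.strip():
            site[target] = value
    return site


if __name__ == "__main__":
    stored = {  # constructed HA cluster configuration
        AUTH_PRINCIPAL: "*",
        AUTH_KEYTAB: "/path/to/oozie_ha.keytab",
        "oozie.ha.authentication.kerberos.principal": "*",
        "oozie.ha.authentication.kerberos.keytab": "/path/to/oozie_ha.keytab",
    }
    after_regen = regenerate_keytabs(stored)
    print("stored after regenerate:", after_regen[AUTH_PRINCIPAL])
    written = effective_oozie_site(after_regen)
    print("written to oozie-site.xml:", written[AUTH_PRINCIPAL], written[AUTH_KEYTAB])
```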