ambari-issues mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-17968) Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab are reverted while regenerating keytab files
Date Mon, 01 Aug 2016 01:53:20 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-17968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-17968:
----------------------------------
    Attachment: AMBARI-17968_trunk_01.patch
                AMBARI-17968_branch-2.4_01.patch

> Changed oozie.authentication.kerberos.principal and oozie.authentication.kerberos.keytab are reverted while regenerating keytab files
> -------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-17968
>                 URL: https://issues.apache.org/jira/browse/AMBARI-17968
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Blocker
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-17968_branch-2.4_01.patch, AMBARI-17968_trunk_01.patch
>
>
> Changed {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}} properties are reverted while regenerating keytab files.
> The changed properties are needed to support Oozie in high availability (HA) mode with failover enabled via a load balancing proxy server.
> *Cause*
> The relevant part of the Kerberos descriptor for Oozie is:
> {code}
>             {
>               "name": "/spnego",
>               "principal": {
>                 "configuration": "oozie-site/oozie.authentication.kerberos.principal"
>               },
>               "keytab": {
>                 "configuration": "oozie-site/oozie.authentication.kerberos.keytab"
>               }
>             }
> {code}
> Because of this, certain Kerberos-related operations (like Regenerate Keytabs) reset the values of {{oozie-site/oozie.authentication.kerberos.principal}} and {{oozie-site/oozie.authentication.kerberos.keytab}} to match the principal name and keytab file of the Kerberos identity definition for {{/spnego}}.
> However, in HA, the properties need to be something like:
> {noformat}
> oozie.authentication.kerberos.principal = "*"
> oozie.authentication.kerberos.keytab = "/path/to/oozie_ha.keytab"
> {noformat}
> *Solution*
> After enabling HA and either before or after enabling Kerberos, the following {{oozie-site}} properties may be set:
> * {{oozie.ha.authentication.kerberos.principal}}
> * {{oozie.ha.authentication.kerberos.keytab}}
> If either exists when configuring Oozie, the value of the property will be used to update the relevant {{oozie.authentication.kerberos.*}} property.
> For example:
> * if {{oozie.ha.authentication.kerberos.principal}} is set, its value will be used to set {{oozie.authentication.kerberos.principal}}
> * if {{oozie.ha.authentication.kerberos.keytab}} is set, its value will be used to set {{oozie.authentication.kerberos.keytab}}
> Note: One or both may be set.
> So even though {{oozie.authentication.kerberos.principal}} will contain a principal name like {{HTTP/_HOST@SOME.REALM}}, when writing the oozie-site.xml file, the value for {{oozie.authentication.kerberos.principal}} will be written out as the value set for {{oozie.ha.authentication.kerberos.principal}}, which would typically be "\*", when HA is enabled for Oozie.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
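
The override described under *Solution*, modelled as an added Python example (not Ambari's code and not the attached patch): the stored properties may be reset by Regenerate Keytabs, while the values written to oozie-site.xml come from the `oozie.ha.*` properties when they are set. The function names and the spnego keytab path are assumptions made for illustration.

```python
BASE = "oozie.authentication.kerberos."
HA = "oozie.ha.authentication.kerberos."
FIELDS = ("principal", "keytab")


def regenerate_keytabs(oozie_site, spnego_identity):
    """Model the reset from the issue: descriptor-mapped properties are
    overwritten with the /spnego identity's principal and keytab."""
    updated = dict(oozie_site)
    for field in FIELDS:
        updated[BASE + field] = spnego_identity[field]
    return updated


def effective_oozie_site(oozie_site):
    """Return (properties to write to oozie-site.xml, overridden keys).
    The stored configuration passed in is not modified."""
    effective = dict(oozie_site)
    overridden = []
    for field in FIELDS:
        ha_value = oozie_site.get(HA + field)
        if ha_value:  # unset or empty: keep the descriptor-managed value
            effective[BASE + field] = ha_value
            overridden.append(BASE + field)
    return effective, overridden


# Constructed sample values; the spnego keytab path is a placeholder.
SPNEGO = {"principal": "HTTP/_HOST@SOME.REALM",
          "keytab": "/path/to/spnego.keytab"}
STORED = {
    BASE + "principal": "*",                      # hand-edited for HA
    BASE + "keytab": "/path/to/oozie_ha.keytab",  # hand-edited for HA
    HA + "principal": "*",
    HA + "keytab": "/path/to/oozie_ha.keytab",
}

if __name__ == "__main__":
    after_regen = regenerate_keytabs(STORED, SPNEGO)
    written, overridden = effective_oozie_site(after_regen)
    for key in sorted(written):
        print(f"{key} = {written[key]}")
    print("overridden from oozie.ha.*:", overridden)
```

After a regeneration, comparing the overridden keys against the written file is a quick check that the HA principal and keytab are still in effect.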
