How to merge Oozie HA HTTP Kerberos principals with Cloudera Manager handling Kerberos principals

Expert Contributor

I am on CDH 5.9.0 and using Cloudera Manager integrated with Active Directory to manage Kerberos tickets automatically. It was great until I tried to enable Oozie HA via HAProxy.

How can I tell CM to generate an HTTP keytab for the Oozie servers that contains the HAProxy principal? I can do it manually. However, with CM Active Directory integration, I can't find a way to do so since I have no control over the keytab locations.

1 ACCEPTED SOLUTION

Expert Contributor

Double-checked the KRB tickets: the principal for the proxy is not using the FQHN. I went back to check the LB configuration and sure enough it was using the short name for the proxy host. Once I switched it back, the LB web UI came back fine. Thanks.

12 REPLIES

Master Guru

That's great! Nice detective work.

Expert Contributor

Here is the description for the LB:

Address of the load balancer used if Oozie HA is enabled. Should be specified in host:port format.

Could we improve it to "FQHN:port" and ask a technical writer to update it? Kerberos only treats FQHN well.

Master Guru

@zhuw.bigdata, I opened two internal Cloudera Jiras to make sure we specify that the fully-qualified domain name be used if Kerberos is enabled in the cluster. One Jira targeted the description in the HA wizard, the other Jira focused on the steps listed in our documentation.

Thanks for bringing this up!

Cheers,

Ben
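
The check described in the accepted solution, as an added example (not from the original thread or from Cloudera): it takes the load balancer address in host:port form and a `klist -kt` listing of the Oozie HTTP keytab, and reports a short host name or a missing HTTP principal for the load balancer. The host names, realm, port and sample listing are constructed placeholders.

```python
import re

# Constructed sample of `klist -kt` output; hosts and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:oozie.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   1 01/01/2017 10:00:00 HTTP/oozie1.example.com@EXAMPLE.COM
   1 01/01/2017 10:00:00 HTTP/lb@EXAMPLE.COM
   1 01/01/2017 10:00:00 oozie/oozie1.example.com@EXAMPLE.COM
"""

# KVNO, date, time, then service/host@REALM
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)/(\S+?)@(\S+)\s*$")


def http_hosts(klist_output):
    """Return the hosts that have an HTTP/<host>@REALM keytab entry."""
    hosts = set()
    for line in klist_output.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m and m.group(1) == "HTTP":
            hosts.add(m.group(2).lower())
    return hosts


def check_lb_address(lb_address, klist_output):
    """Return a list of problems with the load balancer 'host:port' value."""
    host, sep, port = lb_address.rpartition(":")
    if not sep or not port.isdigit():
        return ["address is not in host:port format"]
    host = host.lower()
    problems = []
    if "." not in host:
        problems.append(f"'{host}' is a short name, not a fully qualified host name")
    elif host not in http_hosts(klist_output):
        # FQHN configured, but the keytab has no matching HTTP principal yet
        problems.append(f"no HTTP/{host}@REALM principal in the keytab")
    return problems


if __name__ == "__main__":
    for addr in ("lb:11000", "lb.example.com:11000"):
        print(addr, check_lb_address(addr, SAMPLE_KLIST) or "OK")
```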