This is a deep issue. I knew about this in the back of my mind, but put it on the back-burner because of more pressing tasks.
Client (the usual kerberos authenticated one) talks to RM (for submitting apps and getting application-status), gets a client-token which it then uses to connect to the AM, and the finally connects to the JobHistoryServer to obtain the status when the job completes.
To make oozie work (i.e. making a client that isn't kerberos authenticated), we need the following:
- To communicate to the RM, RM needs to support ApplicationDelegationTokens which the JobClient should then propagate to the Oozie action.
- To communicate to the AM, the present day client-token generated and given to the client by the RM should suffice.
- To communicate to the JobHistory server, again we need some delegation token. I guess we can use the mapreduce JobToken itself but AM somehow needs to let the JHS know about it - through JobHistory file, or a direct communication protocol.
We should perhaps split it into two separate tickets.
Modifying title to reflect the issues here.
I really am not sure about the timelines for fixing all this, but setting 0.23.1 tentatively.