falcon-dev mailing list archives

From Venkat R <verama...@yahoo.com.INVALID>
Subject Oozie throws “user not defined as proxy user” exception
Date Wed, 02 Jul 2014 01:24:01 GMT

Falcon is running with Kerberos. The dashboard web UI works fine, but the CLI throws errors:

$ falcon entity -type cluster -file primaryCluster-atlanta.xml -submit
Error: Bad Request;Invalid Workflow server or port: http://falcon-host:11000/oozie/

oozie.log contains the following exception:

2014-07-01 23:49:57,832 ERROR V2AdminServlet:536 - USER[-] GROUP[-] TOKEN[-] APP[-] JOB[-]
ACTION[-] URL[GET http://oozie-host:11000/oozie/v2/admin/status?doAs=veramach&user.name=dm/falcon-host@GRID.EXAMPLE.COM]
error, User [dm/falcon-host@GRID.EXAMPLE.COM] not defined as proxyuser

java.security.AccessControlException: User [dm/falcon-host@GRID.EXAMPLE.COM] not defined as
proxyuser
        at org.apache.oozie.service.ProxyUserService.validate(ProxyUserService.java:159)
        at org.apache.oozie.servlet.JsonRestServlet.getUser(JsonRestServlet.java:542)
        at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:278)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:384)
        at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  
It seems Oozie is looking for a proxy user ‘dm/falcon-host@GRID.EXAMPLE.COM’ instead of
‘dm’ and throwing the exception.

The oozie-site.xml contains ‘dm’ (falcon user account) as proxy user:

    <property>
        <name>oozie.service.ProxyUserService.proxyuser.dm.hosts</name>
        <value>falcon-host</value>
    </property>
    <property>
        <name>oozie.service.ProxyUserService.proxyuser.dm.groups</name>
        <value>users</value>
    </property>

Falcon startup.properties contains the following Kerberos principal:

*.falcon.authentication.type=kerberos
# Indicates the Kerberos principal to be used in Falcon Service.
*.falcon.service.authentication.kerberos.principal=dm/falcon-host@GRID.EXAMPLE.COM
# Location of the keytab file with the credentials for the Service principal.
*.falcon.service.authentication.kerberos.keytab=/export/apps/dm.keytab

Any idea why Oozie is not extracting ‘dm’ as the proxy user from the request, but uses
‘dm/falcon-host@GRID.EXAMPLE.COM’ instead?

Thanks
Venkat
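
The check below is an added example, not part of the original message and not Falcon or Oozie code: it parses the proxyuser properties quoted above, pulls the rejected name out of the quoted error line, and reports whether that exact name or its first component has a proxyuser entry. The function names are hypothetical, and first_component() is a plain string split, not Oozie's Kerberos name-mapping logic.

```python
import re
import xml.etree.ElementTree as ET

PREFIX = "oozie.service.ProxyUserService.proxyuser."

# Both samples are quoted from the post; the <configuration> root is constructed.
OOZIE_SITE = """<configuration>
  <property><name>oozie.service.ProxyUserService.proxyuser.dm.hosts</name><value>falcon-host</value></property>
  <property><name>oozie.service.ProxyUserService.proxyuser.dm.groups</name><value>users</value></property>
</configuration>"""
LOG_LINE = "error, User [dm/falcon-host@GRID.EXAMPLE.COM] not defined as proxyuser"


def proxyusers(site_xml):
    """Map each configured proxy user to its 'hosts' and 'groups' lists."""
    users = {}
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # The user is everything between the prefix and the final .hosts/.groups
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if user and kind in ("hosts", "groups"):
            value = (prop.findtext("value") or "").strip()
            users.setdefault(user, {})[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return users


def denied_user(log_line):
    """Return the user name Oozie rejected, or None if the line is unrelated."""
    m = re.search(r"User \[([^\]]+)\] not defined as proxyuser", log_line)
    return m.group(1) if m else None


def first_component(principal):
    """Primary part of a Kerberos principal: text before the first '/' or '@'."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def diagnose(site_xml, log_line):
    """Compare the name Oozie rejected with the configured proxy users."""
    users, denied = proxyusers(site_xml), denied_user(log_line)
    if denied is None:
        return None
    short = first_component(denied)
    return {"denied": denied, "denied_configured": denied in users,
            "short": short, "short_configured": short in users}


if __name__ == "__main__":
    print(diagnose(OOZIE_SITE, LOG_LINE))
```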
