incubator-oozie-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alejandro Abdelnur <t...@cloudera.com>
Subject Re: Oozie Security/Impersonation
Date Fri, 20 Apr 2012 16:53:34 GMT
Grant,

You have to configure your Hadoop cluster with proxyuser for the hadoop
user.

In the Hadoop core-site.xml files in your cluster (NN & JT), you have to
add:

  <!-- OOZIE -->
  <property>
    <name>hadoop.proxyuser.OOZIE_SERVER_USER.hosts</name>
    <value>OOZIE_HOSTNAME</value>
  </property>
  <property>
    <name>hadoop.proxyuser.OOZIE_SERVER_USER.groups</name>
    <value>USER_GROUPS_THAT_ALLOW_IMPERSONATION</value>
  </property>

you'll have to replace the capital letters sections with your specific
values then you'll have to restart hadoop

Thxs.

Alejandro

On Fri, Apr 20, 2012 at 9:27 AM, Grant Ingersoll <gsingers@apache.org>wrote:

> Hi,
>
> I'm trying to get 3.2.0-SNAPSHOT (trunk as of yesterday) to work with
> Hadoop 1.0.2.  I've got it built, etc. and hooked in the libs for Hadoop.
>  However, when I go to submit a workflow, I get
>
> 012-04-20 12:24:14,350 ERROR UserGroupInformation:1096 -
> PriviledgedActionException as:hadoop via hadoop
> cause:org.apache.hadoop.ipc.RemoteException: User: hadoop is not allowed to
> impersonate hadoop
> 2012-04-20 12:24:14,351  INFO BaseJobServlet:539 - USER[-] GROUP[-]
> TOKEN[-] APP[-] JOB[-] ACTION[-] AuthorizationException
> org.apache.oozie.service.AuthorizationException: E0902: Exception occured:
> [org.apache.hadoop.ipc.RemoteException: User: hadoop is not allowed to
> impersonate hadoop]
>        at
> org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:360)
>        at
> org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
>        at
> org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>        at
> org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:285)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
>        at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
>        at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
>
>
> I am using the default oozie-site.xml.  I have simple authentication
> turned on.  I have anonymous users turned on.  Moreover, as you can see by
> the exception, I am running Oozie as the same user as I am running Hadoop.
>  I have tried uncommenting the proxy user in oozie-site.
>
> Any thoughts on what I am missing?
>
> Thanks,
> Grant
>
> PS: bin/oozie-setup.sh doesn't seem to support Hadoop 1.0.x yet, despite
> the libraries being in hadooplibs.  The addtowar.sh script rejects the
> version.




-- 
Alejandro

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message