incubator-oozie-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Virag Kothari <vi...@yahoo-inc.com>
Subject Re: Oozie Security/Impersonation
Date Fri, 20 Apr 2012 16:53:35 GMT

Hi Grant,

I think the properties "hadoop.proxyuser.<superuser>.groups" and "
hadoop.proxyuser.<superuser>.hosts" need to be set in core-site.xml.

More at 
http://hadoop.apache.org/common/docs/current/Secure_Impersonation.html

Also, most probably, wildcards for the above properties are not supported.

Thanks,
Virag

On 4/20/12 9:27 AM, "Grant Ingersoll" <gsingers@apache.org> wrote:

> Hi,
> 
> I'm trying to get 3.2.0-SNAPSHOT (trunk as of yesterday) to work with Hadoop
> 1.0.2.  I've got it built, etc. and hooked in the libs for Hadoop.  However,
> when I go to submit a workflow, I get
> 
> 012-04-20 12:24:14,350 ERROR UserGroupInformation:1096 -
> PriviledgedActionException as:hadoop via hadoop
> cause:org.apache.hadoop.ipc.RemoteException: User: hadoop is not allowed to
> impersonate hadoop
> 2012-04-20 12:24:14,351  INFO BaseJobServlet:539 - USER[-] GROUP[-] TOKEN[-]
> APP[-] JOB[-] ACTION[-] AuthorizationException
> org.apache.oozie.service.AuthorizationException: E0902: Exception occured:
> [org.apache.hadoop.ipc.RemoteException: User: hadoop is not allowed to
> impersonate hadoop]
> at 
> org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationSer
> vice.java:360)
> at 
> org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServle
> t.java:188)
> at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:285)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFi
> lterChain.java:290)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChai
> n.java:206)
> at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
> at 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter
> (AuthenticationFilter.java:372)
> at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
> 
> 
> I am using the default oozie-site.xml.  I have simple authentication turned
> on.  I have anonymous users turned on.  Moreover, as you can see by the
> exception, I am running Oozie as the same user as I am running Hadoop.  I have
> tried uncommenting the proxy user in oozie-site.
> 
> Any thoughts on what I am missing?
> 
> Thanks,
> Grant
> 
> PS: bin/oozie-setup.sh doesn't seem to support Hadoop 1.0.x yet, despite the
> libraries being in hadooplibs.  The addtowar.sh script rejects the version.


Mime
View raw message