From: Virag Kothari
To: "oozie-users@incubator.apache.org", "gsingers@apache.org"
Date: Fri, 20 Apr 2012 09:53:35 -0700
Subject: Re: Oozie Security/Impersonation

Hi Grant,

I think the properties "hadoop.proxyuser..groups" and
"hadoop.proxyuser..hosts" need to be set in core-site.xml. More at
http://hadoop.apache.org/common/docs/current/Secure_Impersonation.html

Also, most probably, wildcards for the above properties are not supported.

Thanks,
Virag

On 4/20/12 9:27 AM, "Grant Ingersoll" wrote:

> Hi,
>
> I'm trying to get 3.2.0-SNAPSHOT (trunk as of yesterday) to work with Hadoop
> 1.0.2. I've got it built, etc. and hooked in the libs for Hadoop.
> However, when I go to submit a workflow, I get
>
> 012-04-20 12:24:14,350 ERROR UserGroupInformation:1096 - PriviledgedActionException as:hadoop via hadoop cause:org.apache.hadoop.ipc.RemoteException: User: hadoop is not allowed to impersonate hadoop
> 2012-04-20 12:24:14,351 INFO BaseJobServlet:539 - USER[-] GROUP[-] TOKEN[-] APP[-] JOB[-] ACTION[-] AuthorizationException
> org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: hadoop is not allowed to impersonate hadoop]
>   at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:360)
>   at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
>   at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>   at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:285)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>   at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
>   at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
>   at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
>
> I am using the default oozie-site.xml. I have simple authentication turned
> on. I have anonymous users turned on. Moreover, as you can see by the
> exception, I am running Oozie as the same user as I am running Hadoop. I have
> tried uncommenting the proxy user in oozie-site.
>
> Any thoughts on what I am missing?
>
> Thanks,
> Grant
>
> PS: bin/oozie-setup.sh doesn't seem to support Hadoop 1.0.x yet, despite the
> libraries being in hadooplibs. The addtowar.sh script rejects the version.
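
Added example (not part of the original thread, and not Oozie or Hadoop project code): a small check that a core-site.xml carries the hadoop.proxyuser.<user>.hosts and hadoop.proxyuser.<user>.groups entries for the user the Oozie server runs as, and that they name explicit hosts and groups. The sample file, its host name and its group name are constructed; load_properties and check_proxyuser are names made up for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml. "hadoop" is the Oozie server user seen in
# the log above; the host and group values are placeholders for this example.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.proxyuser.hadoop.hosts</name>
    <value>oozie-host.example.com</value>
  </property>
  <property>
    <name>hadoop.proxyuser.hadoop.groups</name>
    <value>users</value>
  </property>
</configuration>
"""

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_proxyuser(xml_text, proxy_user):
    """List problems with the impersonation settings for proxy_user."""
    props = load_properties(xml_text)
    problems = []
    for suffix in ("hosts", "groups"):
        key = "hadoop.proxyuser.%s.%s" % (proxy_user, suffix)
        value = props.get(key, "")
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if not entries:
            problems.append(key + ": not set, impersonation will be refused")
        elif "*" in entries:
            problems.append(key + ": wildcard, list explicit values instead")
    return problems

if __name__ == "__main__":
    for user in ("hadoop", "oozie"):
        print(user, check_proxyuser(SAMPLE_CORE_SITE, user) or "ok")
```

Run it against the core-site.xml that the NameNode and JobTracker actually load, since those daemons are the ones that enforce the impersonation check.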