Hi Everybody,

I am trying to get secure impersonation working for an internal job submission UI. I am following the below link and somehow I am not able to get it working:

http://yahoo.github.com/hadoop-common/releases/0.20.104.2/Secure_Impersonation.html

I have added the following to core-site.xml:

    <property>
      <name>hadoop.proxyuser.webui-proxyagent.groups</name>
      <value>technology,research</value>
    </property>
    <property>
      <name>hadoop.proxyuser.webui-proxyagent.hosts</name>
      <value>10.20.30.40</value>
      <!-- this is the obfuscated IP address of the host which is running the webui shown in below exception -->
    </property>

I have set up the webui-proxyagent and the user it wants to impersonate, but it keeps giving this error.

Error from JobClient:

    org.apache.hadoop.ipc.RemoteException: User: webui-proxyagent is not allowed to impersonate pmustafi
        at org.apache.hadoop.ipc.Client.call(Client.java:1006)
        at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:224)
        at $Proxy1.getProtocolVersion(Unknown Source)
        at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:364)
        at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:106)
        at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:208)
        at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:175)
        at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:89)
        at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1310)
        at org.apache.hadoop.fs.FileSystem.access$100(FileSystem.java:65)
        at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1328)
        at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:226)
        at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:109)
        ....

Error on Namenode:

    2011-03-24 20:07:18,139 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8020: readAndProcess threw exception org.apache.hadoop.security.AccessControlException: Connection from 10.20.30.40:60374 for protocol org.apache.hadoop.hdfs.protocol.ClientProtocol is unauthorized for user pmustafi via webui-proxyagent.
    Count of bytes read: 0
    org.apache.hadoop.security.AccessControlException: Connection from 10.110.64.25:60374 for protocol org.apache.hadoop.hdfs.protocol.ClientProtocol is unauthorized for user pmustafi via mobius-proxyagent
        at org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:1283)
        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1178)
        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:536)
        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:343)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:619)

This is the code which returns false causing this exception:

    private boolean authorizeConnection() throws IOException {
      try {
        // If auth method is DIGEST, the token was obtained by the
        // real user for the effective user, therefore not required to
        // authorize real user. doAs is allowed only for simple or kerberos
        // authentication
        if (user != null && user.getRealUser() != null
            && (authMethod != AuthMethod.DIGEST)) {
          ProxyUsers.authorize(user, this.getHostAddress(), conf);
        }
        authorize(user, header, getHostName());
        if (LOG.isDebugEnabled()) {
          LOG.debug("Successfully authorized " + header);
        }
        rpcMetrics.incrAuthorizationSuccesses();
      } catch (AuthorizationException ae) {
        rpcMetrics.incrAuthorizationFailures();
        setupResponse(authFailedResponse, authFailedCall, Status.FATAL, null,
            ae.getClass().getName(), ae.getMessage());
        responder.doRespond(authFailedCall);
        return false;
      }
      return true;
    }

There is very little LOG.debug in the code including ProxyUsers so not sure where things are going wrong. So:

1) Is it possible to turn off secure impersonation checking for the time being as we don't have security turned on on our cluster yet?
2) Can you please suggest some debugging options on a semi-live cluster? Am I missing some LOG.debug options which will show in much detail what is going on?

Any help greatly appreciated.

Regards
Priyo
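The two core-site.xml properties in the post describe a groups check on the impersonated user and a hosts check on the connecting address. The following is an added example, not part of the original post and not Hadoop's own ProxyUsers code: a stand-alone Java model of those two checks that reports which one refuses a request. The names `ProxyUserCheck`, `csv` and `check` are hypothetical, the group memberships and the second agent name and IP are constructed, and it assumes literal IP matching and that the impersonated user's groups are the ones resolved on the server (NameNode) side.

```java
import java.util.*;

/** Added illustration: a simplified model of the proxy-user check, not Hadoop's ProxyUsers class. */
public class ProxyUserCheck {
    // Parses one comma-separated core-site.xml value into a set.
    static Set<String> csv(String value) {
        Set<String> out = new HashSet<>();
        if (value == null) return out;
        for (String s : value.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    /**
     * Returns null when impersonation is allowed, otherwise the reason it is refused.
     * realUser: short name of the authenticated proxy user.
     * effectiveUserGroups: groups of the impersonated user as seen by the server (assumption).
     * remoteIp: address the RPC connection arrives from.
     */
    static String check(Map<String, String> conf, String realUser,
                        Set<String> effectiveUserGroups, String remoteIp) {
        Set<String> groups = csv(conf.get("hadoop.proxyuser." + realUser + ".groups"));
        Set<String> hosts = csv(conf.get("hadoop.proxyuser." + realUser + ".hosts"));
        if (groups.isEmpty() && hosts.isEmpty())
            return "no hadoop.proxyuser." + realUser + ".* keys in the config the server loaded";
        if (Collections.disjoint(groups, effectiveUserGroups))
            return "impersonated user's groups " + effectiveUserGroups + " match none of " + groups;
        if (!hosts.contains(remoteIp))
            return "connection from " + remoteIp + " is not in " + hosts;
        return null;
    }

    public static void main(String[] args) {
        Map<String, String> conf = new HashMap<>();   // the two values from the post
        conf.put("hadoop.proxyuser.webui-proxyagent.groups", "technology,research");
        conf.put("hadoop.proxyuser.webui-proxyagent.hosts", "10.20.30.40");

        // Constructed inputs: group memberships, "other-agent" and 10.20.30.41 are made up.
        Set<String> inGroup = new HashSet<>(Arrays.asList("users", "research"));
        Set<String> notInGroup = new HashSet<>(Arrays.asList("users"));
        System.out.println(check(conf, "webui-proxyagent", inGroup, "10.20.30.40"));    // allowed
        System.out.println(check(conf, "webui-proxyagent", notInGroup, "10.20.30.40")); // group miss
        System.out.println(check(conf, "webui-proxyagent", inGroup, "10.20.30.41"));    // host miss
        System.out.println(check(conf, "other-agent", inGroup, "10.20.30.40"));         // key name miss
    }
}
```

The four calls cover the cases worth ruling out in turn: a key name that does not match the proxy user's short name, a group list that does not intersect the impersonated user's groups on the server, and a source address that differs from the configured host.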
