Falcon is running with Kerberos. The dashboard web UI works fine, but CLI throws errors:
$ falcon entity -type cluster -file primaryCluster-atlanta.xml -submit
Error: Bad Request;Invalid Workflow server or port: http://falcon-host:11000/oozie/

oozie.log contains the following exception:

2014-07-01 23:49:57,832 ERROR V2AdminServlet:536 - USER[-] GROUP[-] TOKEN[-] APP[-] JOB[-] ACTION[-] URL[GET http://oozie-host:11000/oozie/v2/admin/status?doAs=veramach&user.name=dm/[email protected]] error, User [dm/[email protected]] not defined as proxyuser
java.security.AccessControlException: User [dm/[email protected]] not defined as proxyuser
    at org.apache.oozie.service.ProxyUserService.validate(ProxyUserService.java:159)
    at org.apache.oozie.servlet.JsonRestServlet.getUser(JsonRestServlet.java:542)
    at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:278)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
    at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:384)
    at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

It seems oozie is looking for a proxy user ‘dm/[email protected]’ instead of ‘dm’ and throwing the exception.

The oozie-site.xml contains ‘dm’ (falcon user account) as proxy user:

<property>
  <name>oozie.service.ProxyUserService.proxyuser.dm.hosts</name>
  <value>falcon-host</value>
</property>
<property>
  <name>oozie.service.ProxyUserService.proxyuser.dm.groups</name>
  <value>users</value>
</property>

Falcon startup.properties contains the following Kerberos principal:

*.falcon.authentication.type=kerberos
# Indicates the Kerberos principal to be used in Falcon Service.
*.falcon.service.authentication.kerberos.principal=dm/[email protected]
# Location of the keytab file with the credentials for the Service principal.
*.falcon.service.authentication.kerberos.keytab=/export/apps/dm.keytab

Any idea why oozie is not extracting ‘dm’ as the proxy user from the request, but uses ‘dm/[email protected]’ instead?

Thanks
Venkat
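
A diagnostic sketch for the mismatch described above, added here as an example and not part of the original post or of Oozie or Falcon: it parses the two proxyuser properties quoted in the message and classifies a `user.name` value against them. It assumes, based on the error text in the log, that the lookup uses the exact `user.name` string; the principal `dm/falcon-host.example.com@EXAMPLE.COM` is constructed because the real one is redacted, and `short_name` is a simplified stand-in for Kerberos name mapping.

```python
import re
import xml.etree.ElementTree as ET

PREFIX = "oozie.service.ProxyUserService.proxyuser."

# The two proxyuser properties quoted in the post, wrapped in a root element.
OOZIE_SITE = """<configuration>
  <property>
    <name>oozie.service.ProxyUserService.proxyuser.dm.hosts</name>
    <value>falcon-host</value>
  </property>
  <property>
    <name>oozie.service.ProxyUserService.proxyuser.dm.groups</name>
    <value>users</value>
  </property>
</configuration>"""

def proxyusers(site_xml):
    """Return {user: {"hosts": ..., "groups": ...}} from oozie-site.xml text."""
    found = {}
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            # The user is everything between the prefix and the final .hosts/.groups.
            user, _, kind = name[len(PREFIX):].rpartition(".")
            found.setdefault(user, {})[kind] = (prop.findtext("value") or "").strip()
    return found

def short_name(principal):
    """Primary component of primary[/instance][@REALM] (simplified, no mapping rules)."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]

def diagnose(user_name, site_xml):
    """Classify the user.name value seen in the log against configured proxyusers."""
    users = proxyusers(site_xml)
    if user_name in users:
        return "defined"            # exact key exists
    if short_name(user_name) in users:
        return "short-name-only"    # only the short name is configured
    return "undefined"

if __name__ == "__main__":
    # Constructed principal: the real instance and realm are redacted in the post.
    for name in ("dm", "dm/falcon-host.example.com@EXAMPLE.COM", "veramach"):
        print(f"{name!r}: {diagnose(name, OOZIE_SITE)}")
```

A result of `short-name-only` corresponds to the situation in the log: the configuration is keyed on `dm` while the request carries the full principal.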
