Re: Oozie throws “user not defined as proxy user” exception

[Shwetha GS]

This config should work:
<property>
        <name>oozie.service.ProxyUserService.proxyuser.dm.hosts
<http://oozie.service.proxyuserservice.proxyuser.dm/falcon-h...@grid.example.com.hosts>
</name>
        <value>*</value>
    </property>
    <property>
        <name>oozie.service.ProxyUserService.proxyuser.dm.groups
<http://oozie.service.proxyuserservice.proxyuser.dm/falcon-h...@grid.example.com.groups>
</name>
        <value>*</value>
    </property>


On Tue, Jul 1, 2014 at 10:40 PM, Venkat R <verama...@yahoo.com.invalid>
wrote:

> For now, I modified oozie-site.xml as below (weird, but works)
>
>   <property>
>         <name>
> oozie.service.ProxyUserService.proxyuser.dm/falcon-h...@grid.example.com.hosts
> </name>
>         <value>falcon-host</value>
>     </property>
>     <property>
>         <name>
> oozie.service.ProxyUserService.proxyuser.dm/falcon-h...@grid.example.com.groups
> </name>
>         <value>users</value>
>     </property>
>
>
> On Tuesday, July 1, 2014 6:24 PM, Venkat R <verama...@yahoo.com.INVALID>
> wrote:
>
>
>
> Falcon is running with Kerberos. The dashboard web UI works fine, but CLI
> throws errors:
>
> $ falcon entity -type cluster -file primaryCluster-atlanta.xml -submit
> Error: Bad Request;Invalid Workflow server or port:
> http://falcon-host:11000/oozie/
>
> oozie.log contains the following exception:
>
> 2014-07-01 23:49:57,832 ERROR V2AdminServlet:536 - USER[-] GROUP[-]
> TOKEN[-] APP[-] JOB[-] ACTION[-] URL[GET
> http://oozie-host:11000/oozie/v2/admin/status?doAs=veramach&user.name=dm/falcon-h...@grid.example.com]
> error, User [dm/falcon-h...@grid.example.com] not defined as proxyuser
>
> java.security.AccessControlException: User [dm/
> falcon-h...@grid.example.com] not defined as proxyuser
>         at
> org.apache.oozie.service.ProxyUserService.validate(ProxyUserService.java:159)
>         at
> org.apache.oozie.servlet.JsonRestServlet.getUser(JsonRestServlet.java:542)
>         at
> org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:278)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at
> org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
>         at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:384)
>         at
> org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> It seems oozie is looking for a proxy user ‘dm/
> falcon-h...@grid.example.com’ instead of ‘dm’ and throwing the exception.
>
> The oozie-site.xml contains ‘dm’ (falcon user account) as proxy user:
>
>    <property>
>         <name>oozie.service.ProxyUserService.proxyuser.dm.hosts</name>
>         <value>falcon-host</value>
>     </property>
>     <property>
>         <name>oozie.service.ProxyUserService.proxyuser.dm.groups</name>
>         <value>users</value>
>     </property>
>
> Falcon startup.properties contains the following kerberos principal:
>
> *.falcon.authentication.type=kerberos
> # Indicates the Kerberos principal to be used in Falcon Service.
> *.falcon.service.authentication.kerberos.principal=dm/
> falcon-h...@grid.example.com
> # Location of the keytab file with the credentials for the Service
> principal.
> *.falcon.service.authentication.kerberos.keytab=/export/apps/dm.keytab
>
> any idea why oozie is not extracting ‘dm’ as the proxy user from the
> request, but use ‘dm/falcon-h...@grid.example.com’ instead?
>
> Thanks
> Venkat
>

-- 
_____________________________________________________________
The information contained in this communication is intended solely for the 
use of the individual or entity to whom it is addressed and others 
authorized to receive it. It may contain confidential or legally privileged 
information. If you are not the intended recipient you are hereby notified 
that any disclosure, copying, distribution or taking any action in reliance 
on the contents of this information is strictly prohibited and may be 
unlawful. If you have received this communication in error, please notify 
us immediately by responding to this email and then delete it from your 
system. The firm is neither liable for the proper and complete transmission 
of the information contained in this communication nor for any delay in its 
receipt.