---------- Forwarded message ---------
From: rei sivan <rsivan1...@gmail.com>
Date: Wed, 17 Apr 2019, 21:06
Subject: livy impersonation in kerberized cluster
To: <user-i...@livy.incubator.apache.org>


I have a kerberized CDH 6 cluster with active directory.
Livy is installed on an edge node with  HDFS, YARN, and SPARK gateways.
I've created keytabs for both Livy.server.auth\launch  configuration
properties and Livy work as expected. ( create the session with
livy.server.launch principal)
however, when I enable the impersonation I getting the following error when
I'm trying to create a session:
"(org.apache.hadoop.security.authorize.AuthorizationException): user:
livy_app@domain is not allowed to impersonate other-user" ... ERROR
RSCClient:150 - Failed to connect to context.
child process exited with code 1.
at org.apache.livy.rsc.ContextLauncher$ChildProcess$1.run(394)
at org.apache.livy.rsc.ContextLauncher$ChildProcess$2.run(445)
, Although the livy_app user is set in core-site.xml as is should be and
this change has been distributed to all the nodes in the cluster.

<property>
  <name>hadoop.proxyuser.livy_app.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.livy_app.hosts</name>
  <value>*</value>
</property>

 also, the home directory for livy_app exists in HDFS
(i toke these instructions from
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_command-line-installation/content/ch19s06s04.html
and
https://enterprise-docs.anaconda.com/en/latest/admin/advanced/config-livy-server.html
 )
looks like I'm getting token for livy_app(ugi=other-user (auth:PROXY) via
livy_app@domain (auth:KERBEROS))
is anyone encounter this problem?


Thanks,

Reply via email to