---------- Forwarded message --------- From: rei sivan <rsivan1...@gmail.com> Date: Wed, 17 Apr 2019, 21:06 Subject: livy impersonation in kerberized cluster To: <user-i...@livy.incubator.apache.org>
I have a kerberized CDH 6 cluster with active directory. Livy is installed on an edge node with HDFS, YARN, and SPARK gateways. I've created keytabs for both Livy.server.auth\launch configuration properties and Livy work as expected. ( create the session with livy.server.launch principal) however, when I enable the impersonation I getting the following error when I'm trying to create a session: "(org.apache.hadoop.security.authorize.AuthorizationException): user: livy_app@domain is not allowed to impersonate other-user" ... ERROR RSCClient:150 - Failed to connect to context. child process exited with code 1. at org.apache.livy.rsc.ContextLauncher$ChildProcess$1.run(394) at org.apache.livy.rsc.ContextLauncher$ChildProcess$2.run(445) , Although the livy_app user is set in core-site.xml as is should be and this change has been distributed to all the nodes in the cluster. <property> <name>hadoop.proxyuser.livy_app.groups</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.livy_app.hosts</name> <value>*</value> </property> also, the home directory for livy_app exists in HDFS (i toke these instructions from https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_command-line-installation/content/ch19s06s04.html and https://enterprise-docs.anaconda.com/en/latest/admin/advanced/config-livy-server.html ) looks like I'm getting token for livy_app(ugi=other-user (auth:PROXY) via livy_app@domain (auth:KERBEROS)) is anyone encounter this problem? Thanks,