yep. hadoop 1.0.x does not support wildcards for proxyuser settings Alejandro
On Nov 8, 2012, at 12:19 PM, Saiph Kappa <[email protected]> wrote: > Actually I solved this by not using '*' thereby replacing by localhost and > a group which my user belongs to. > > On Thu, Nov 8, 2012 at 7:31 PM, Saiph Kappa <[email protected]> wrote: > >> Here goes my logs: >> >> oozie.log >> >> 2012-11-08 17:42:16,603 INFO org.apache.hadoop.ipc.Server: IPC Server >> listener on 9000: readAndProcess threw exception >> org.apache.hadoop.security.AccessControlException: Connection from >> 127.0.0.1:39171 for protocol >> org.apache.hadoop.hdfs.protocol.ClientProtocol is unauthorized for user >> saiph via saiph. Count of bytes read: 0 >> org.apache.hadoop.security.AccessControlException: Connection from >> 127.0.0.1:39171 for protocol >> org.apache.hadoop.hdfs.protocol.ClientProtocol is unauthorized for user >> saiph via saiph >> at >> org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:1287) >> at >> org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1182) >> at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537) >> at >> org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >> at java.lang.Thread.run(Thread.java:662) >> >> hadoop-namenode.log >> >> 2012-11-08 17:42:16,606 ERROR UserGroupInformation:1096 - >> PriviledgedActionException as:saiph via saiph >> cause:org.apache.hadoop.ipc.RemoteException: User: saiph is not allowed to >> impersonate saiph >> 2012-11-08 17:42:16,606 INFO BaseJobServlet:539 - USER[saiph] GROUP[-] >> TOKEN[-] APP[-] JOB[-] ACTION[-] AuthorizationException >> org.apache.oozie.service.AuthorizationException: E0902: Exception occured: >> [org.apache.hadoop.ipc.RemoteException: User: saiph is not allowed to >> impersonate saiph] >> at >> org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:360) >> at >> org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188) >> at >> org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) >> at >> org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:285) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126) >> at >> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372) >> at >> org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> org.apache.oozie.servlet.HostnameFilter.doFilter(HostnameFilter.java:67) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) >> at >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) >> at >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) >> at >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) >> at >> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) >> at >> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) >> at >> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) >> at java.lang.Thread.run(Thread.java:679) >> Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: >> Exception occured: [org.apache.hadoop.ipc.RemoteException: User: saiph is >> not allowed to impersonate saiph] >> at >> org.apache.oozie.service.HadoopAccessorService.createFileSystem(HadoopAccessorService.java:393) >> at >> org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:325) >> ... 25 more >> >> >> On Thu, Nov 8, 2012 at 6:48 PM, Harish Krishnan < >> [email protected]> wrote: >> >>> Hi, >>> >>> I tried this on Oozie 3.3 and I'm hitting this issue as well. >>> I'm using hadoop-1.0.4. This is my core-site.xml contents. biadmin is >>> superuser. I installed both hadoop and Oozie as biadmin >>> >>> >>> <!-- OOZIE --> >>> <property> >>> <name>hadoop.proxyuser.biadmin.hosts</name> >>> <value>*</value> >>> </property> >>> <property> >>> <name>hadoop.proxyuser.biadmin.groups</name> >>> <value>*</value> >>> </property> >>> <property> >>> <name>hadoop.proxyuser.oozie.hosts</name> >>> <value>*</value> >>> </property> >>> <property> >>> <name>hadoop.proxyuser.oozie.groups</name> >>> <value>*</value> >>> </property> >>> >>> And this is the exception that I see from the hadoop logs >>> >>> 2012-11-08 10:29:57,332 INFO org.apache.hadoop.ipc.Server: IPC Server >>> listener on 9000: readAndProcess threw exception >>> org.apache.hadoop.security.AccessControlException: Connection from >>> 127.0.0.1:34272 for protocol >>> org.apache.hadoop.hdfs.protocol.ClientProtocol >>> is unauthorized for user biadmin via biadmin. Count of bytes read: 0 >>> org.apache.hadoop.security.AccessControlException: Connection from >>> 127.0.0.1:34272 for protocol >>> org.apache.hadoop.hdfs.protocol.ClientProtocol >>> is unauthorized for user biadmin via biadmin >>> at >>> org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:1287) >>> at >>> org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1182) >>> at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537) >>> at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344) >>> at >>> >>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >>> at >>> >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >>> at java.lang.Thread.run(Thread.java:662) >>> >>> >>> >>> Thanks & Regards, >>> Harish.T.K >>> >>> >>> On Wed, Nov 7, 2012 at 6:04 PM, Saiph Kappa <[email protected]> >>> wrote: >>> >>>> saiph is a superuser yes. I built oozie with that user, and oozie is >>>> currently running with that user also. But I'm unable to run the >>> examples, >>>> e.g.: /oozie-3.2.0-distro$ bin/oozie job -oozie >>>> http://localhost:11000/oozie-config >>>> examples/apps/java-main/job.properties -run >>>> Error: E0902 : E0902: Exception occured: >>>> [org.apache.hadoop.ipc.RemoteException: User: saiph is not allowed to >>>> impersonate saiph] >>>> >>>> Also tried to run the above command with sudo, obtaining the following >>>> error: >>>> Error: E0902 : E0902: Exception occured: >>>> [org.apache.hadoop.ipc.RemoteException: User: saiph is not allowed to >>>> impersonate root] >>>> >>>> Thanks/Regards. >>>> >>>> On Thu, Nov 8, 2012 at 1:44 AM, Harish Krishnan < >>>> [email protected] >>>>> wrote: >>>> >>>>> Is saiph a superuser? >>>>> >>>>> Thanks & Regards, >>>>> Harish.T.K >>>>> >>>>> >>>>> On Wed, Nov 7, 2012 at 5:41 PM, Saiph Kappa <[email protected]> >>>> wrote: >>>>> >>>>>> Correction: >>>>>> >>>>>> <property> >>>>>> <name>hadoop.proxyuser.saiph.hosts</name> >>>>>> <value>*</value> >>>>>> </property> >>>>>> <property> >>>>>> <name>hadoop.proxyuser.saiph.groups</name> >>>>>> <value>*</value> >>>>>> </property> >>>>>> >>>>>> >>>>>> On Thu, Nov 8, 2012 at 1:40 AM, Saiph Kappa <[email protected]> >>>>> wrote: >>>>>> >>>>>>> Sorry, I already did that in core-site.xml: >>>>>>> >>>>>>> <property> >>>>>>> <name>hadoop.proxyuser.sesteves.hosts</name> >>>>>>> <value>*</value> >>>>>>> </property> >>>>>>> <property> >>>>>>> <name>hadoop.proxyuser.sesteves.groups</name> >>>>>>> <value>*</value> >>>>>>> </property> >>>>>>> >>>>>>> But the error persists. >>>>>>> >>>>>>> On Thu, Nov 8, 2012 at 1:22 AM, Roman Shaposhnik < >>>> [email protected] >>>>>>> wrote: >>>>>>> >>>>>>>> On Wed, Nov 7, 2012 at 5:11 PM, Saiph Kappa < >>> [email protected]> >>>>>>>> wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I've downloaded the last stable oozie release (3.2.0). It >>> brings >>>>>>>>> hadoop libs upto version 1.0.1, but that release is not >>> available >>>>> from >>>>>>>>> the hadoop repositories (just the 1.0.4). So I tried running >>>> hadoop >>>>>>>>> 1.0.4 with oozie and, besides performing all the proxy >>>>> configurations >>>>>>>>> to the oozie user (in core-site.xml), I still got the following >>>>> error >>>>>>>>> while trying to run the examples: >>>>>>>>> «Error: E0902 :E0902: Exception >>>>>>>>> occured:[org.apache.hadoop.ipc.RemoteException: User: saiph is >>> not >>>>>>>>> allowed to impersonate saiph]» >>>>>>>>> >>>>>>>>> Any idea of what could be wrong? >>>>>>>> >>>>>>>> Yes. You need to setup proxy users on the hadoop side: >>>>>>>> >>>>>>>> http://hadoop.apache.org/docs/stable/Secure_Impersonation.html >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Roman. >> >>
