Non-kerberos and oozie as the effective user is our setup. Does my config not reflect that correctly? The addition of hadoop to the groups was merely for troubleshooting. Although it still does not work without it.
<property> <name>hadoop.proxyuser.oozie. hosts</name> <value><NAME_OF_OOZIE_HOST></value> </property> <property> <name>hadoop.proxyuser.oozie.groups</name> <value>oozie,hadoop</value> </property> Thx. On Fri, Feb 1, 2013 at 10:29 AM, Alejandro Abdelnur <[email protected]>wrote: > Andy, > > Given your configuration: > > If using non-kerberos setup, the username running the oozie server should > be 'oozie'. > If using a kerberos setup, the Kerberos principal running the oozier server > should be 'oozie/<HOST>' > > Is this the case? > > Thx > > > On Fri, Feb 1, 2013 at 10:00 AM, aasfo kxi <[email protected]> wrote: > > > Sorry. Accidentally hit send before pasting my config.... > > > > <property> > > <name>hadoop.proxyuser.oozie.hosts</name> > > <value><NAME_OF_OOZIE_HOST></value> > > </property> > > > > <property> > > <name>hadoop.proxyuser.oozie.groups</name> > > <value>oozie,hadoop</value> > > </property> > > > > Thanks. > > > > Andy > > > > > > On Thu, Jan 31, 2013 at 8:44 PM, Alejandro Abdelnur <[email protected] > > >wrote: > > > > > Hadoop 1.0.4 does not support wildcards '*' in the proxyuser > hosts/groups > > > properties. Starting with Hadoop 1.1.1 this is supported. Hadoop > > > 2.0.2-alpha supports it. > > > > > > You cannot patch Oozie to ignore this. This is on Hadoop side. And it > has > > > its very good reason, is to be able to control who can impersonate > other > > > users (Oozie in this case), from what hostnames the impersonator is > > allowed > > > to impersonate, users in which groups the impersonator can impersonate. > > You > > > have 3 dimensions to control, in development this may be a bit > annoying, > > > but in production it is a must. With the support of wildcards for > > hostnames > > > and groups you must only worry (if you don't care about security) about > > > setting the right properties for the impersonator UID with the > wildcards. > > > > > > Thx > > > > > > > > > On Thu, Jan 31, 2013 at 6:22 PM, Grant Ingersoll <[email protected] > > > >wrote: > > > > > > > What options have you tried? I seem to recall you need some things > on > > > the > > > > Hadoop side, too. FWIW, this is easily the most annoying/confusing > > thing > > > > in Oozie. Sometimes it's simplest to patch the code to turn it off > > > > completely. > > > > > > > > On Jan 31, 2013, at 6:55 PM, aasfo kxi wrote: > > > > > > > > > I am getting conflicting information on the following settings: > > > > > > > > > > hadoop.proxyuser.oozie.hosts > > > > > hadoop.proxyuser.oozie.groups > > > > > > > > > > This thread states that the first is a list of hostnames: > > > > > http://bit.ly/WEeqSn > > > > > This thread states that the first is a list of usernames: > > > > > http://bit.ly/VqUAcU > > > > > > > > > > Neither has worked for me and I am still getting: > > > > > > > > > > Exception occured: [org.apache.hadoop.ipc.RemoteException: User: > > oozie > > > is > > > > > not allowed to impersonate oozie] > > > > > > > > > > No matter what combination of user / hosts / groups, etc that I > try. > > I > > > > am > > > > > unsure as to which one I should be troubleshooting at this point. > > > > > > > > > > Hadoop v.1.0.4 > > > > > Oozie v.3.3.1 > > > > > > > > > > Thanks for any help. > > > > > > > > > > kx > > > > > > > > > > > > > > > > > > > > > -- > > > Alejandro > > > > > > > > > -- > Alejandro >
