Andy,

Does the oozie user belong to the oozie group in the JT and NN hosts?


On Fri, Feb 1, 2013 at 10:42 AM, aasfo kxi <[email protected]> wrote:

> Non-kerberos and oozie as the effective user is our setup.
>
> Does my config not reflect that correctly?  The addition of hadoop to the
> groups was merely for troubleshooting.  Although it still does not work
> without it.
>
> <property>
>   <name>hadoop.proxyuser.oozie.hosts</name>
>   <value><NAME_OF_OOZIE_HOST></value>
> </property>
>
> <property>
>   <name>hadoop.proxyuser.oozie.groups</name>
>   <value>oozie,hadoop</value>
> </property>
>
> Thx.
>
>
>
> On Fri, Feb 1, 2013 at 10:29 AM, Alejandro Abdelnur <[email protected]> wrote:
>
> > Andy,
> >
> > Given your configuration:
> >
> > If using a non-kerberos setup, the username running the oozie server should
> > be 'oozie'.
> >
> > If using a kerberos setup, the Kerberos principal running the oozie server
> > should be 'oozie/<HOST>'
> >
> > Is this the case?
> >
> > Thx
> >
> >
> > On Fri, Feb 1, 2013 at 10:00 AM, aasfo kxi <[email protected]> wrote:
> >
> > > Sorry.  Accidentally hit send before pasting my config....
> > >
> > > <property>
> > >   <name>hadoop.proxyuser.oozie.hosts</name>
> > >   <value><NAME_OF_OOZIE_HOST></value>
> > > </property>
> > >
> > > <property>
> > >   <name>hadoop.proxyuser.oozie.groups</name>
> > >   <value>oozie,hadoop</value>
> > > </property>
> > >
> > > Thanks.
> > >
> > > Andy
> > >
> > >
> > > > On Thu, Jan 31, 2013 at 8:44 PM, Alejandro Abdelnur <[email protected]> wrote:
> > >
> > > > > Hadoop 1.0.4 does not support wildcards '*' in the proxyuser
> > > > > hosts/groups properties. Starting with Hadoop 1.1.1 this is
> > > > > supported. Hadoop 2.0.2-alpha supports it.
> > > > >
> > > > > You cannot patch Oozie to ignore this. This is on the Hadoop side,
> > > > > and it has a very good reason: to be able to control who can
> > > > > impersonate other users (Oozie in this case), from what hostnames
> > > > > the impersonator is allowed to impersonate, and users in which
> > > > > groups the impersonator can impersonate. You have 3 dimensions to
> > > > > control; in development this may be a bit annoying, but in
> > > > > production it is a must. With the support of wildcards for
> > > > > hostnames and groups you must only worry (if you don't care about
> > > > > security) about setting the right properties for the impersonator
> > > > > UID with the wildcards.
> > > >
> > > > Thx
> > > >
> > > >
> > > > > On Thu, Jan 31, 2013 at 6:22 PM, Grant Ingersoll <[email protected]> wrote:
> > > >
> > > > > > What options have you tried?  I seem to recall you need some
> > > > > > things on the Hadoop side, too.  FWIW, this is easily the most
> > > > > > annoying/confusing thing in Oozie.  Sometimes it's simplest to
> > > > > > patch the code to turn it off completely.
> > > > >
> > > > > On Jan 31, 2013, at 6:55 PM, aasfo kxi wrote:
> > > > >
> > > > > > I am getting conflicting information on the following settings:
> > > > > >
> > > > > > hadoop.proxyuser.oozie.hosts
> > > > > > hadoop.proxyuser.oozie.groups
> > > > > >
> > > > > > This thread states that the first is a list of hostnames:
> > > > > > http://bit.ly/WEeqSn
> > > > > > This thread states that the first is a list of usernames:
> > > > > > http://bit.ly/VqUAcU
> > > > > >
> > > > > > Neither has worked for me and I am still getting:
> > > > > >
> > > > > > > Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate oozie]
> > > > > > >
> > > > > > > No matter what combination of user / hosts / groups, etc that I
> > > > > > > try.  I am unsure as to which one I should be troubleshooting at
> > > > > > > this point.
> > > > > >
> > > > > > Hadoop v.1.0.4
> > > > > > Oozie v.3.3.1
> > > > > >
> > > > > > Thanks for any help.
> > > > > >
> > > > > > kx
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Alejandro
> > > >
> > >
> >
> >
> >
> > --
> > Alejandro
> >
>



-- 
Alejandro
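
A simplified model of the three-dimension proxyuser check discussed in this thread (impersonator, source host, target user's groups), added here as an example; it is not code from the thread, Oozie or Hadoop. The function names and the host name `oozie-host.example.com` are assumptions, and hosts are compared as plain strings rather than resolved addresses.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment mirroring the thread's settings;
# "oozie-host.example.com" is a placeholder for <NAME_OF_OOZIE_HOST>.
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>oozie-host.example.com</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>oozie,hadoop</value>
  </property>
</configuration>"""

def load_proxyuser_rules(xml_text):
    """Return {impersonator: {"hosts": set, "groups": set}} from core-site XML."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        parts = name.split(".")
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"] and parts[3] in ("hosts", "groups"):
            values = {v.strip() for v in (prop.findtext("value") or "").split(",") if v.strip()}
            rules.setdefault(parts[2], {"hosts": set(), "groups": set()})[parts[3]] = values
    return rules

def may_impersonate(rules, real_user, client_host, target_groups, wildcards=False):
    """Model the three checks: impersonator, source host, target user's groups.

    target_groups must be the target user's groups as resolved on the
    NameNode/JobTracker host, not on the Oozie host. wildcards=False models
    Hadoop 1.0.4, where '*' is not honoured as a wildcard.
    """
    rule = rules.get(real_user)
    if rule is None:
        return False, "no proxyuser properties for " + real_user
    def allowed(configured, actual):
        return (wildcards and "*" in configured) or bool(configured & set(actual))
    if not allowed(rule["hosts"], [client_host]):
        return False, "host not allowed: " + client_host
    if not allowed(rule["groups"], target_groups):
        return False, "target user is in none of the allowed groups"
    return True, "ok"
```

To feed it real data, take `target_groups` from the output of `id -Gn oozie` run on the JT and NN hosts, which is the membership the question at the top of this message asks about.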
