Oozie uses Hadoop's impersonation feature documented at https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html. The hadoop.proxyuser configs must reside on the NameNode/JobTracker/ResourceManager core-site.xml to be allowed, and it's not an Oozie configuration.
In your listing of configs, these appear to be present in oozie-site.xml instead of in Hadoop's configs.

On Mon, Feb 17, 2014 at 10:02 AM, Jay Vyas <[email protected]> wrote:
> Hi oozie.
>
> I'm getting a very odd error.
> "User: Oozie is not allowed to impersonate tom"
>
> So to debug, I tried submitting a job as oozie and found:
> "User: Oozie is not allowed to impersonate oozie"
>
> ...
>
> Is there a way to avoid impersonation entirely oozie, and why should oozie
> need to impersonate itself? I've seen this issue online also
> http://stackoverflow.com/questions/16831586/oozie-is-not-allowed-to-impersonate-oozie,
> and can't seem to find a workaround (have tried using wildcards as well
> as specific values).
>
> (I've pasted my configs below, in case anything is useful)
>
> <configuration>
>   <property>
>     <name>oozie.service.HadoopAccessorService.hadoop.configurations</name>
>     <value>*=/etc/hadoop/conf</value>
>   </property>
>   <property>
>     <name>oozie.service.ActionService.executor.ext.classes</name>
>     <value>
>       org.apache.oozie.action.email.EmailActionExecutor,
>       org.apache.oozie.action.hadoop.HiveActionExecutor,
>       org.apache.oozie.action.hadoop.ShellActionExecutor,
>       org.apache.oozie.action.hadoop.SqoopActionExecutor,
>       org.apache.oozie.action.hadoop.DistcpActionExecutor</value>
>   </property>
>   <property>
>     <name>oozie.service.JPAService.jdbc.url</name>
>     <value>jdbc:derby:${oozie.data.dir}/${oozie.db.schema.name}-db;create=true</value>
>   </property>
>   <property>
>     <name>oozie.services</name>
>     <value>
>       org.apache.oozie.service.SchedulerService,
>       org.apache.oozie.service.InstrumentationService,
>       org.apache.oozie.service.CallableQueueService,
>       org.apache.oozie.service.UUIDService,
>       org.apache.oozie.service.ELService,
>       org.apache.oozie.service.AuthorizationService,
>       org.apache.oozie.service.UserGroupInformationService,
>       org.apache.oozie.service.HadoopAccessorService,
>       org.apache.oozie.service.URIHandlerService,
>       org.apache.oozie.service.MemoryLocksService,
>       org.apache.oozie.service.DagXLogInfoService,
>       org.apache.oozie.service.SchemaService,
>       org.apache.oozie.service.LiteWorkflowAppService,
>       org.apache.oozie.service.JPAService,
>       org.apache.oozie.service.StoreService,
>       org.apache.oozie.service.CoordinatorStoreService,
>       org.apache.oozie.service.SLAStoreService,
>       org.apache.oozie.service.DBLiteWorkflowStoreService,
>       org.apache.oozie.service.CallbackService,
>       org.apache.oozie.service.ActionService,
>       org.apache.oozie.service.ActionCheckerService,
>       org.apache.oozie.service.RecoveryService,
>       org.apache.oozie.service.PurgeService,
>       org.apache.oozie.service.CoordinatorEngineService,
>       org.apache.oozie.service.BundleEngineService,
>       org.apache.oozie.service.DagEngineService,
>       org.apache.oozie.service.CoordMaterializeTriggerService,
>       org.apache.oozie.service.StatusTransitService,
>       org.apache.oozie.service.PauseTransitService,
>       org.apache.oozie.service.GroupsService,
>       org.apache.oozie.service.ProxyUserService</value>
>   </property>
>   <property>
>     <name>oozie.service.WorkflowAppService.system.libpath</name>
>     <value>/user/${user.name}/share/lib</value>
>   </property>
>   <property>
>     <name>hadoop.proxyuser.oozie.hosts</name>
>     <value>localhost</value>
>   </property>
>   <property>
>     <name>oozie.services.ext</name>
>     <value>org.apache.oozie.service.PartitionDependencyManagerService,org.apache.oozie.service.HCatAccessorService</value>
>   </property>
>   <property>
>     <name>oozie.service.coord.push.check.requeue.interval</name>
>     <value>30000</value>
>   </property>
>   <property>
>     <name>oozie.service.SchemaService.wf.ext.schemas</name>
>     <value>shell-action-0.1.xsd,email-action-0.1.xsd,hive-action-0.2.xsd,sqoop-action-0.2.xsd,ssh-action-0.1.xsd,distcp-action-0.1.xsd,shell-action-0.2.xsd,oozie-sla-0.1.xsd,oozie-sla-0.2.xsd</value>
>   </property>
>   <property>
>     <name>oozie.service.JPAService.pool.max.active.conn</name>
>     <value>10</value>
>   </property>
>   <property>
>     <name>oozie.service.CallableQueueService.callable.concurrency</name>
>     <value>3</value>
>   </property>
>   <property>
>     <name>oozie.service.JPAService.jdbc.username</name>
>     <value>oozie</value>
>   </property>
>   <property>
>     <name>oozie.service.AuthorizationService.security.enabled</name>
>     <value>false</value>
>   </property>
>   <property>
>     <name>oozie.service.CallableQueueService.threads</name>
>     <value>10</value>
>   </property>
>   <property>
>     <name>oozie.authentication.type</name>
>     <value>simple</value>
>   </property>
>   <property>
>     <name>use.system.libpath.for.mapreduce.and.pig.jobs</name>
>     <value>false</value>
>   </property>
>   <property>
>     <name>hadoop.proxyuser.oozie.groups</name>
>     <value>tom,oozie,root,sally</value>
>   </property>
>   <property>
>     <name>oozie.db.schema.name</name>
>     <value>oozie</value>
>   </property>
>   <property>
>     <name>oozie.authentication.kerberos.name.rules</name>
>     <value>
>       RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
>       RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
>       RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
>       RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
>       DEFAULT</value>
>   </property>
>   <property>
>     <name>oozie.service.URIHandlerService.uri.handlers</name>
>     <value>org.apache.oozie.dependency.FSURIHandler,org.apache.oozie.dependency.HCatURIHandler</value>
>   </property>
>   <property>
>     <name>oozie.service.HadoopAccessorService.supported.filesystems</name>
>     <value>glusterfs</value>
>   </property>
>   <property>
>     <name>oozie.base.url</name>
>     <value>http://mrg42.lab.bos.redhat.com:11000/oozie</value>
>   </property>
>   <property>
>     <name>oozie.service.JPAService.jdbc.driver</name>
>     <value>org.apache.derby.jdbc.EmbeddedDriver</value>
>   </property>
>   <property>
>     <name>oozie.service.JPAService.create.db.schema</name>
>     <value>false</value>
>   </property>
>   <property>
>     <name>oozie.system.id</name>
>     <value>oozie-${user.name}</value>
>   </property>
>   <property>
>     <name>oozie.service.coord.normal.default.timeout</name>
>     <value>120</value>
>   </property>
>   <property>
>     <name>oozie.credentials.credentialclasses</name>
>     <value>hcat=org.apache.oozie.action.hadoop.HCatCredentials</value>
>   </property>
>   <property>
>     <name>oozie.service.CallableQueueService.queue.size</name>
>     <value>1000</value>
>   </property>
>   <property>
>     <name>oozie.service.JPAService.jdbc.password</name>
>     <value>admin</value>
>   </property>
>   <property>
>     <name>oozie.service.HadoopAccessorService.nameNode.whitelist</name>
>     <value> </value>
>   </property>
>   <property>
>     <name>oozie.service.PurgeService.older.than</name>
>     <value>30</value>
>   </property>
>   <property>
>     <name>oozie.service.HadoopAccessorService.jobTracker.whitelist</name>
>     <value> </value>
>   </property>
>   <property>
>     <name>oozie.systemmode</name>
>     <value>NORMAL</value>
>   </property>
>   <property>
>     <name>oozie.service.PurgeService.purge.interval</name>
>     <value>3600</value>
>   </property>
>
> --
> Jay Vyas
> http://jayunit100.blogspot.com

--
Harsh J
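
Added example (not part of the original thread, and not Oozie or Hadoop code): a small check for the situation described in the reply above, where hadoop.proxyuser.* keys sit in oozie-site.xml but not in the core-site.xml that the Hadoop daemons read. The XML strings are constructed samples; the contents of CORE_SITE, including the fs.defaultFS value, are assumptions.

```python
import xml.etree.ElementTree as ET

PREFIX = "hadoop.proxyuser."

# Constructed samples. OOZIE_SITE carries the two proxyuser entries from the
# quoted config; CORE_SITE (and its fs.defaultFS value) is an assumed
# core-site.xml that lacks them.
OOZIE_SITE = """<configuration>
  <property><name>oozie.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>localhost</value></property>
  <property><name>hadoop.proxyuser.oozie.groups</name><value>tom,oozie,root,sally</value></property>
</configuration>"""
CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example:8020</value></property>
</configuration>"""


def proxyuser_props(xml_text):
    """Return {name: value} for each hadoop.proxyuser.* property in a Hadoop-style config."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(core_site_xml, other_site_xml, other_name="oozie-site.xml"):
    """Report proxyuser keys that Hadoop will not see, incomplete rules, and wildcards."""
    core, other = proxyuser_props(core_site_xml), proxyuser_props(other_site_xml)
    findings = [f"MISPLACED {n}: set only in {other_name}, not in core-site.xml"
                for n in sorted(other) if n not in core]
    for user in sorted({n[len(PREFIX):].rsplit(".", 1)[0] for n in core}):
        key = PREFIX + user
        if key + ".hosts" not in core:
            findings.append(f"MISSING {key}.hosts in core-site.xml")
        if key + ".groups" not in core and key + ".users" not in core:
            findings.append(f"MISSING {key}.groups (or .users) in core-site.xml")
        for suffix in ("hosts", "groups", "users"):
            if core.get(f"{key}.{suffix}") == "*":
                findings.append(f"BROAD {key}.{suffix}=*: matches any value")
    return findings


if __name__ == "__main__":
    for finding in audit(CORE_SITE, OOZIE_SITE):
        print(finding)
```

The BROAD finding is worth keeping even once impersonation works: a `*` in hosts or groups lets the proxy user act from any host or for any user, which is wider than a single-scheduler setup needs.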
