Well, in the interim, your idea of using "core-site" instead of oozie site
makes sense and seems to have fixed things.

I guess I see what is happening: the actual impersonation log is in Hadoop,
as opposed to Oozie.  So now this is making sense... Central to any Hadoop
task is authorization, and Oozie just leverages that authorization API to
submit tasks as different users.

  /**
   * Authorize the superuser which is doing doAs
   *
   * @param user ugi of the effective or proxy user which contains a real user
   * @param remoteAddress the ip address of client
   * @param newConf configuration
   * @throws AuthorizationException
   */
  public static synchronized void authorize(UserGroupInformation user,
      String remoteAddress, Configuration newConf) throws AuthorizationException {
  ....
    if (!groupAuthorized) {
      throw new AuthorizationException("User: " + superUser.getUserName()
          + " is not allowed to impersonate " + user.getUserName());
    }
 .....




On Mon, Feb 17, 2014 at 5:56 AM, Jay Vyas <[email protected]> wrote:

> Thanks Harsh!
>
> So:
>
> Is there a way I can submit jobs without using any impersonation tricks?
>
> The doc you mentioned cites Kerberos as a requirement, and I don't have
> Kerberos enabled on my cluster.... And am willing to forgo security for now.
>
> > On Feb 17, 2014, at 1:45 AM, Harsh J <[email protected]> wrote:
> >
> > Oozie uses Hadoop's impersonation feature documented at
> > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html.
> > The hadoop.proxyuser configs must reside on the
> > NameNode/JobTracker/ResourceManager core-site.xml to be allowed, and
> > it's not an Oozie configuration.
> >
> > In your listing of configs, these appear to be present in
> > oozie-site.xml instead of in Hadoop's configs.
> >
> >> On Mon, Feb 17, 2014 at 10:02 AM, Jay Vyas <[email protected]> wrote:
> >> Hi oozie.
> >>
> >> I'm getting a very odd error.
> >> "User: Oozie is not allowed to impersonate tom"
> >>
> >> So to debug, I tried submitting a job as oozie and found:
> >> "User: Oozie is not allowed to impersonate oozie"
> >>
> >> ...
> >>
> >> Is there a way to avoid impersonation entirely oozie, and why should oozie
> >> need to impersonate itself? I've seen this issue online also
> >> http://stackoverflow.com/questions/16831586/oozie-is-not-allowed-to-impersonate-oozie,
> >> and can't seem to find a workaround (have tried using wildcards as well
> >> as specific values).
> >>
> >>
> >> (I've pasted my configs below, in case anything is useful)
> >>
> >>  <configuration>
> >>    <property>
> >>    <name>oozie.service.HadoopAccessorService.hadoop.configurations</name>
> >>    <value>*=/etc/hadoop/conf</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.ActionService.executor.ext.classes</name>
> >>    <value>
> >>            org.apache.oozie.action.email.EmailActionExecutor,
> >>            org.apache.oozie.action.hadoop.HiveActionExecutor,
> >>            org.apache.oozie.action.hadoop.ShellActionExecutor,
> >>            org.apache.oozie.action.hadoop.SqoopActionExecutor,
> >>            org.apache.oozie.action.hadoop.DistcpActionExecutor</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.JPAService.jdbc.url</name>
> >>    <value>jdbc:derby:${oozie.data.dir}/${oozie.db.schema.name}-db;create=true</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.services</name>
> >>    <value>
> >>        org.apache.oozie.service.SchedulerService,
> >>        org.apache.oozie.service.InstrumentationService,
> >>        org.apache.oozie.service.CallableQueueService,
> >>        org.apache.oozie.service.UUIDService,
> >>        org.apache.oozie.service.ELService,
> >>        org.apache.oozie.service.AuthorizationService,
> >>        org.apache.oozie.service.UserGroupInformationService,
> >>        org.apache.oozie.service.HadoopAccessorService,
> >>        org.apache.oozie.service.URIHandlerService,
> >>        org.apache.oozie.service.MemoryLocksService,
> >>        org.apache.oozie.service.DagXLogInfoService,
> >>        org.apache.oozie.service.SchemaService,
> >>        org.apache.oozie.service.LiteWorkflowAppService,
> >>        org.apache.oozie.service.JPAService,
> >>        org.apache.oozie.service.StoreService,
> >>        org.apache.oozie.service.CoordinatorStoreService,
> >>        org.apache.oozie.service.SLAStoreService,
> >>        org.apache.oozie.service.DBLiteWorkflowStoreService,
> >>        org.apache.oozie.service.CallbackService,
> >>        org.apache.oozie.service.ActionService,
> >>        org.apache.oozie.service.ActionCheckerService,
> >>        org.apache.oozie.service.RecoveryService,
> >>        org.apache.oozie.service.PurgeService,
> >>        org.apache.oozie.service.CoordinatorEngineService,
> >>        org.apache.oozie.service.BundleEngineService,
> >>        org.apache.oozie.service.DagEngineService,
> >>        org.apache.oozie.service.CoordMaterializeTriggerService,
> >>        org.apache.oozie.service.StatusTransitService,
> >>        org.apache.oozie.service.PauseTransitService,
> >>        org.apache.oozie.service.GroupsService,
> >>        org.apache.oozie.service.ProxyUserService</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.WorkflowAppService.system.libpath</name>
> >>    <value>/user/${user.name}/share/lib</value>
> >>  </property>
> >>    <property>
> >>    <name>hadoop.proxyuser.oozie.hosts</name>
> >>    <value>localhost</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.services.ext</name>
> >>    <value>org.apache.oozie.service.PartitionDependencyManagerService,org.apache.oozie.service.HCatAccessorService</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.coord.push.check.requeue.interval</name>
> >>    <value>30000</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.SchemaService.wf.ext.schemas</name>
> >>    <value>shell-action-0.1.xsd,email-action-0.1.xsd,hive-action-0.2.xsd,sqoop-action-0.2.xsd,ssh-action-0.1.xsd,distcp-action-0.1.xsd,shell-action-0.2.xsd,oozie-sla-0.1.xsd,oozie-sla-0.2.xsd</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.JPAService.pool.max.active.conn</name>
> >>    <value>10</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.CallableQueueService.callable.concurrency</name>
> >>    <value>3</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.JPAService.jdbc.username</name>
> >>    <value>oozie</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.AuthorizationService.security.enabled</name>
> >>    <value>false</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.CallableQueueService.threads</name>
> >>    <value>10</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.authentication.type</name>
> >>    <value>simple</value>
> >>  </property>
> >>    <property>
> >>    <name>use.system.libpath.for.mapreduce.and.pig.jobs</name>
> >>    <value>false</value>
> >>  </property>
> >>    <property>
> >>    <name>hadoop.proxyuser.oozie.groups</name>
> >>    <value>tom,oozie,root,sally</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.db.schema.name</name>
> >>    <value>oozie</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.authentication.kerberos.name.rules</name>
> >>    <value>
> >>        RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
> >>        RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
> >>        RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> >>        RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> >>        DEFAULT</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.URIHandlerService.uri.handlers</name>
> >>    <value>org.apache.oozie.dependency.FSURIHandler,org.apache.oozie.dependency.HCatURIHandler</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.HadoopAccessorService.supported.filesystems</name>
> >>    <value>glusterfs</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.base.url</name>
> >>    <value>http://mrg42.lab.bos.redhat.com:11000/oozie</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.JPAService.jdbc.driver</name>
> >>    <value>org.apache.derby.jdbc.EmbeddedDriver</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.JPAService.create.db.schema</name>
> >>    <value>false</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.system.id</name>
> >>    <value>oozie-${user.name}</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.coord.normal.default.timeout</name>
> >>    <value>120</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.credentials.credentialclasses</name>
> >>    <value>hcat=org.apache.oozie.action.hadoop.HCatCredentials</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.CallableQueueService.queue.size</name>
> >>    <value>1000</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.JPAService.jdbc.password</name>
> >>    <value>admin</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.HadoopAccessorService.nameNode.whitelist</name>
> >>    <value> </value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.PurgeService.older.than</name>
> >>    <value>30</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.HadoopAccessorService.jobTracker.whitelist</name>
> >>    <value> </value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.systemmode</name>
> >>    <value>NORMAL</value>
> >>  </property>
> >>    <property>
> >>    <name>oozie.service.PurgeService.purge.interval</name>
> >>    <value>3600</value>
> >>  </property>
> >>
> >>
> >>
> >> --
> >> Jay Vyas
> >> http://jayunit100.blogspot.com
> >
> >
> >
> > --
> > Harsh J
>



-- 
Jay Vyas
http://jayunit100.blogspot.com
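
Added example, not part of the original thread and not Hadoop or Oozie code: a Python sketch that flags hadoop.proxyuser.* keys set in oozie-site.xml but missing from core-site.xml, and a simplified model of the group/host decision behind the "is not allowed to impersonate" error. The function names, the sample files, the assumption that user tom belongs to a group named tom, and the host-check wording are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; the two proxyuser values are the ones quoted in the thread.
PROXY_PROPS = """
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>localhost</value></property>
  <property><name>hadoop.proxyuser.oozie.groups</name><value>tom,oozie,root,sally</value></property>
"""
OOZIE_SITE = f"<configuration>{PROXY_PROPS}</configuration>"
CORE_SITE_BEFORE = "<configuration></configuration>"         # proxyuser keys absent
CORE_SITE_AFTER = f"<configuration>{PROXY_PROPS}</configuration>"  # keys moved here

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into a name -> value dict."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def misplaced_proxyuser_keys(oozie_site, core_site):
    """Proxyuser keys present only in oozie-site.xml, where Hadoop never reads them."""
    return sorted(k for k in oozie_site
                  if k.startswith("hadoop.proxyuser.") and k not in core_site)

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_impersonation(core_site, superuser, effective_user, user_groups, remote_host):
    """Simplified model of the proxy-user decision; returns (allowed, reason)."""
    groups = _csv(core_site.get(f"hadoop.proxyuser.{superuser}.groups", ""))
    hosts = _csv(core_site.get(f"hadoop.proxyuser.{superuser}.hosts", ""))
    # The effective user must belong to at least one listed group (or the list is "*").
    if "*" not in groups and not set(groups) & set(user_groups):
        return (False, f"User: {superuser} is not allowed to impersonate {effective_user}")
    # The request must also come from a listed host (or the list is "*").
    if "*" not in hosts and remote_host not in hosts:
        return (False, f"host {remote_host} is not permitted for {superuser}")
    return (True, "ok")

if __name__ == "__main__":
    oozie = load_props(OOZIE_SITE)
    for label, text in (("before", CORE_SITE_BEFORE), ("after", CORE_SITE_AFTER)):
        core = load_props(text)
        print(label, misplaced_proxyuser_keys(oozie, core),
              check_impersonation(core, "oozie", "tom", ["tom"], "localhost"))
```

The groups value is matched against the groups of the user being impersonated, so a list of user names only works where each user has a same-named group.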
