Hi,

On Mon, Feb 17, 2014 at 4:26 PM, Jay Vyas <[email protected]> wrote:
> Thanks Harsh!
>
> So:
>
> is there a way I can submit jobs without using any impersonation tricks?

I don't think the default hadoop accessor service in Oozie allows for a
non-impersonated submission, but I suppose one can be written to deal
without it (although I've not seen need for such a thing).

> The doc you mentioned cites Kerberos as a requirement, and I don't have
> Kerberos enabled on my cluster.... And am willing to forgo security for now.

The Kerberos requirement is to be taken in context vs. delegation
tokens, i.e. "The superuser must have kerberos credentials to be able
to impersonate another user. It cannot use delegation tokens for this
feature." - a delegation token using program cannot further
impersonate, or to say, the impersonated user cannot further
impersonate others.

>> On Feb 17, 2014, at 1:45 AM, Harsh J <[email protected]> wrote:
>>
>> Oozie uses Hadoop's impersonation feature documented at
>> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html.
>> The hadoop.proxyuser configs must reside on the
>> NameNode/JobTracker/ResourceManager core-site.xml to be allowed, and
>> it's not an Oozie configuration.
>>
>> In your listing of configs, these appear to be present in
>> oozie-site.xml instead of in Hadoop's configs.
>>
>>> On Mon, Feb 17, 2014 at 10:02 AM, Jay Vyas <[email protected]> wrote:
>>> Hi oozie.
>>>
>>> I'm getting a very odd error.
>>> "User: Oozie is not allowed to impersonate tom"
>>>
>>> So to debug, I tried submitting a job as oozie and found:
>>> "User: Oozie is not allowed to impersonate oozie"
>>>
>>> ...
>>>
>>> Is there a way to avoid impersonation entirely oozie, and why should oozie
>>> need to impersonate itself? I've seen this issue online also
>>> http://stackoverflow.com/questions/16831586/oozie-is-not-allowed-to-impersonate-oozie,
>>> and can't seem to find a workaround (have tried using wildcards as well
>>> as specific values).
>>>
>>> (I've pasted my configs below, in case anything is useful)
>>>
>>> <configuration>
>>>   <property>
>>>     <name>oozie.service.HadoopAccessorService.hadoop.configurations</name>
>>>     <value>*=/etc/hadoop/conf</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.ActionService.executor.ext.classes</name>
>>>     <value>
>>>       org.apache.oozie.action.email.EmailActionExecutor,
>>>       org.apache.oozie.action.hadoop.HiveActionExecutor,
>>>       org.apache.oozie.action.hadoop.ShellActionExecutor,
>>>       org.apache.oozie.action.hadoop.SqoopActionExecutor,
>>>       org.apache.oozie.action.hadoop.DistcpActionExecutor</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.JPAService.jdbc.url</name>
>>>     <value>jdbc:derby:${oozie.data.dir}/${oozie.db.schema.name}-db;create=true</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.services</name>
>>>     <value>
>>>       org.apache.oozie.service.SchedulerService,
>>>       org.apache.oozie.service.InstrumentationService,
>>>       org.apache.oozie.service.CallableQueueService,
>>>       org.apache.oozie.service.UUIDService,
>>>       org.apache.oozie.service.ELService,
>>>       org.apache.oozie.service.AuthorizationService,
>>>       org.apache.oozie.service.UserGroupInformationService,
>>>       org.apache.oozie.service.HadoopAccessorService,
>>>       org.apache.oozie.service.URIHandlerService,
>>>       org.apache.oozie.service.MemoryLocksService,
>>>       org.apache.oozie.service.DagXLogInfoService,
>>>       org.apache.oozie.service.SchemaService,
>>>       org.apache.oozie.service.LiteWorkflowAppService,
>>>       org.apache.oozie.service.JPAService,
>>>       org.apache.oozie.service.StoreService,
>>>       org.apache.oozie.service.CoordinatorStoreService,
>>>       org.apache.oozie.service.SLAStoreService,
>>>       org.apache.oozie.service.DBLiteWorkflowStoreService,
>>>       org.apache.oozie.service.CallbackService,
>>>       org.apache.oozie.service.ActionService,
>>>       org.apache.oozie.service.ActionCheckerService,
>>>       org.apache.oozie.service.RecoveryService,
>>>       org.apache.oozie.service.PurgeService,
>>>       org.apache.oozie.service.CoordinatorEngineService,
>>>       org.apache.oozie.service.BundleEngineService,
>>>       org.apache.oozie.service.DagEngineService,
>>>       org.apache.oozie.service.CoordMaterializeTriggerService,
>>>       org.apache.oozie.service.StatusTransitService,
>>>       org.apache.oozie.service.PauseTransitService,
>>>       org.apache.oozie.service.GroupsService,
>>>       org.apache.oozie.service.ProxyUserService</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.WorkflowAppService.system.libpath</name>
>>>     <value>/user/${user.name}/share/lib</value>
>>>   </property>
>>>   <property>
>>>     <name>hadoop.proxyuser.oozie.hosts</name>
>>>     <value>localhost</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.services.ext</name>
>>>     <value>org.apache.oozie.service.PartitionDependencyManagerService,org.apache.oozie.service.HCatAccessorService</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.coord.push.check.requeue.interval</name>
>>>     <value>30000</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.SchemaService.wf.ext.schemas</name>
>>>     <value>shell-action-0.1.xsd,email-action-0.1.xsd,hive-action-0.2.xsd,sqoop-action-0.2.xsd,ssh-action-0.1.xsd,distcp-action-0.1.xsd,shell-action-0.2.xsd,oozie-sla-0.1.xsd,oozie-sla-0.2.xsd</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.JPAService.pool.max.active.conn</name>
>>>     <value>10</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.CallableQueueService.callable.concurrency</name>
>>>     <value>3</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.JPAService.jdbc.username</name>
>>>     <value>oozie</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.AuthorizationService.security.enabled</name>
>>>     <value>false</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.CallableQueueService.threads</name>
>>>     <value>10</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.authentication.type</name>
>>>     <value>simple</value>
>>>   </property>
>>>   <property>
>>>     <name>use.system.libpath.for.mapreduce.and.pig.jobs</name>
>>>     <value>false</value>
>>>   </property>
>>>   <property>
>>>     <name>hadoop.proxyuser.oozie.groups</name>
>>>     <value>tom,oozie,root,sally</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.db.schema.name</name>
>>>     <value>oozie</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.authentication.kerberos.name.rules</name>
>>>     <value>
>>>       RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
>>>       RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
>>>       RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
>>>       RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
>>>       DEFAULT</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.URIHandlerService.uri.handlers</name>
>>>     <value>org.apache.oozie.dependency.FSURIHandler,org.apache.oozie.dependency.HCatURIHandler</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.HadoopAccessorService.supported.filesystems</name>
>>>     <value>glusterfs</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.base.url</name>
>>>     <value>http://mrg42.lab.bos.redhat.com:11000/oozie</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.JPAService.jdbc.driver</name>
>>>     <value>org.apache.derby.jdbc.EmbeddedDriver</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.JPAService.create.db.schema</name>
>>>     <value>false</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.system.id</name>
>>>     <value>oozie-${user.name}</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.coord.normal.default.timeout</name>
>>>     <value>120</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.credentials.credentialclasses</name>
>>>     <value>hcat=org.apache.oozie.action.hadoop.HCatCredentials</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.CallableQueueService.queue.size</name>
>>>     <value>1000</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.JPAService.jdbc.password</name>
>>>     <value>admin</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.HadoopAccessorService.nameNode.whitelist</name>
>>>     <value> </value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.PurgeService.older.than</name>
>>>     <value>30</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.HadoopAccessorService.jobTracker.whitelist</name>
>>>     <value> </value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.systemmode</name>
>>>     <value>NORMAL</value>
>>>   </property>
>>>   <property>
>>>     <name>oozie.service.PurgeService.purge.interval</name>
>>>     <value>3600</value>
>>>   </property>
>>>
>>> --
>>> Jay Vyas
>>> http://jayunit100.blogspot.com
>>
>> --
>> Harsh J

--
Harsh J
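
The point made in the reply above, as an added example (not code from this thread, Hadoop or Oozie): it flags `hadoop.proxyuser.*` keys left in oozie-site.xml and models, in simplified form, the hosts/groups check a Hadoop daemon applies from its own core-site.xml. The function names, the group memberships passed in, and the plain string comparison of hosts are assumptions.

```python
import xml.etree.ElementTree as ET

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def misplaced_proxyuser_keys(oozie_site):
    """hadoop.proxyuser.* keys in oozie-site.xml are not seen by the Hadoop daemons."""
    return sorted(k for k in oozie_site if k.startswith("hadoop.proxyuser."))

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def may_impersonate(core_site, superuser, target_groups, client_host):
    """Simplified model (assumption) of the daemon-side proxy-user check.

    target_groups: groups the impersonated user belongs to.
    client_host:   host the superuser connects from (compared as a string here).
    """
    prefix = f"hadoop.proxyuser.{superuser}."
    hosts, groups = core_site.get(prefix + "hosts"), core_site.get(prefix + "groups")
    if hosts is None or groups is None:
        return False, f"{prefix}hosts/groups not set in core-site.xml"
    if "*" not in _csv(groups) and not (_csv(groups) & set(target_groups)):
        return False, "target user is in none of the allowed groups"
    if "*" not in _csv(hosts) and client_host not in _csv(hosts):
        return False, f"request host {client_host} is not an allowed host"
    return True, "allowed"

# Constructed samples; the two proxyuser values are the ones posted in the thread.
PROXY = """
<property><name>hadoop.proxyuser.oozie.hosts</name><value>localhost</value></property>
<property><name>hadoop.proxyuser.oozie.groups</name><value>tom,oozie,root,sally</value></property>
"""
OOZIE_SITE = load_props(f"<configuration>{PROXY}</configuration>")
CORE_SITE_BEFORE = load_props("<configuration></configuration>")    # as posted
CORE_SITE_AFTER = load_props(f"<configuration>{PROXY}</configuration>")  # keys moved

if __name__ == "__main__":
    print("misplaced in oozie-site.xml:", misplaced_proxyuser_keys(OOZIE_SITE))
    # Assumed membership: user tom belongs to a group named tom.
    for label, core in (("before", CORE_SITE_BEFORE), ("after", CORE_SITE_AFTER)):
        print(label, may_impersonate(core, "oozie", ["tom"], "localhost"))
```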
