If you set oozie.authentication.type to SIMPLE in oozie-site.xml, it will not use any Kerberos authentication. I have a non-secure hadoop setup on my mac for quick testing as well.

Mona

On 2/17/14, 6:10 AM, "Harsh J" <[email protected]> wrote:

>Hi,
>
>On Mon, Feb 17, 2014 at 4:26 PM, Jay Vyas <[email protected]> wrote:
>> Thanks harsh!
>>
>> So:
>>
>> is there a way I can submit jobs without using any impersonation tricks?
>
>I don't think the default hadoop accessor service in Oozie allows for
>a non-impersonated submission, but I suppose one can be written to
>deal without it (although I've not seen need for such a thing).
>
>> The doc you mentioned cites Kerberos as a requirement, and I don't have
>> Kerberos enabled on my cluster.... And am willing to forgo security for
>> now.
>
>The kerberos requirement is to be taken in context vs. delegation
>tokens, i.e. "The superuser must have kerberos credentials to be able
>to impersonate another user. It cannot use delegation tokens for this
>feature." - a delegation token using program cannot further
>impersonate, or to say, the impersonated user cannot further
>impersonate others.
>
>>> On Feb 17, 2014, at 1:45 AM, Harsh J <[email protected]> wrote:
>>>
>>> Oozie uses Hadoop's impersonation feature documented at
>>> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html.
>>> The hadoop.proxyuser configs must reside on the
>>> NameNode/JobTracker/ResourceManager core-site.xml to be allowed, and
>>> it's not an Oozie configuration.
>>>
>>> In your listing of configs, these appear to be present in
>>> oozie-site.xml instead of in Hadoop's configs.
>>>
>>>> On Mon, Feb 17, 2014 at 10:02 AM, Jay Vyas <[email protected]> wrote:
>>>> Hi oozie.
>>>>
>>>> I'm getting a very odd error.
>>>> "User: Oozie is not allowed to impersonate tom"
>>>>
>>>> So to debug, I tried submitting a job as oozie and found:
>>>> "User: Oozie is not allowed to impersonate oozie"
>>>>
>>>> ...
>>>>
>>>> Is there a way to avoid impersonation entirely oozie, and why should oozie
>>>> need to impersonate itself? I've seen this issue online also
>>>> http://stackoverflow.com/questions/16831586/oozie-is-not-allowed-to-impersonate-oozie,
>>>> and can't seem to find a workaround (have tried using wildcards as well
>>>> as specific values).
>>>>
>>>> (I've pasted my configs below, in case anything is useful)
>>>>
>>>> <configuration>
>>>>   <property>
>>>>     <name>oozie.service.HadoopAccessorService.hadoop.configurations</name>
>>>>     <value>*=/etc/hadoop/conf</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.ActionService.executor.ext.classes</name>
>>>>     <value>
>>>>       org.apache.oozie.action.email.EmailActionExecutor,
>>>>       org.apache.oozie.action.hadoop.HiveActionExecutor,
>>>>       org.apache.oozie.action.hadoop.ShellActionExecutor,
>>>>       org.apache.oozie.action.hadoop.SqoopActionExecutor,
>>>>       org.apache.oozie.action.hadoop.DistcpActionExecutor</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.JPAService.jdbc.url</name>
>>>>     <value>jdbc:derby:${oozie.data.dir}/${oozie.db.schema.name}-db;create=true</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.services</name>
>>>>     <value>
>>>>       org.apache.oozie.service.SchedulerService,
>>>>       org.apache.oozie.service.InstrumentationService,
>>>>       org.apache.oozie.service.CallableQueueService,
>>>>       org.apache.oozie.service.UUIDService,
>>>>       org.apache.oozie.service.ELService,
>>>>       org.apache.oozie.service.AuthorizationService,
>>>>       org.apache.oozie.service.UserGroupInformationService,
>>>>       org.apache.oozie.service.HadoopAccessorService,
>>>>       org.apache.oozie.service.URIHandlerService,
>>>>       org.apache.oozie.service.MemoryLocksService,
>>>>       org.apache.oozie.service.DagXLogInfoService,
>>>>       org.apache.oozie.service.SchemaService,
>>>>       org.apache.oozie.service.LiteWorkflowAppService,
>>>>       org.apache.oozie.service.JPAService,
>>>>       org.apache.oozie.service.StoreService,
>>>>       org.apache.oozie.service.CoordinatorStoreService,
>>>>       org.apache.oozie.service.SLAStoreService,
>>>>       org.apache.oozie.service.DBLiteWorkflowStoreService,
>>>>       org.apache.oozie.service.CallbackService,
>>>>       org.apache.oozie.service.ActionService,
>>>>       org.apache.oozie.service.ActionCheckerService,
>>>>       org.apache.oozie.service.RecoveryService,
>>>>       org.apache.oozie.service.PurgeService,
>>>>       org.apache.oozie.service.CoordinatorEngineService,
>>>>       org.apache.oozie.service.BundleEngineService,
>>>>       org.apache.oozie.service.DagEngineService,
>>>>       org.apache.oozie.service.CoordMaterializeTriggerService,
>>>>       org.apache.oozie.service.StatusTransitService,
>>>>       org.apache.oozie.service.PauseTransitService,
>>>>       org.apache.oozie.service.GroupsService,
>>>>       org.apache.oozie.service.ProxyUserService</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.WorkflowAppService.system.libpath</name>
>>>>     <value>/user/${user.name}/share/lib</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>hadoop.proxyuser.oozie.hosts</name>
>>>>     <value>localhost</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.services.ext</name>
>>>>     <value>org.apache.oozie.service.PartitionDependencyManagerService,org.apache.oozie.service.HCatAccessorService</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.coord.push.check.requeue.interval</name>
>>>>     <value>30000</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.SchemaService.wf.ext.schemas</name>
>>>>     <value>shell-action-0.1.xsd,email-action-0.1.xsd,hive-action-0.2.xsd,sqoop-action-0.2.xsd,ssh-action-0.1.xsd,distcp-action-0.1.xsd,shell-action-0.2.xsd,oozie-sla-0.1.xsd,oozie-sla-0.2.xsd</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.JPAService.pool.max.active.conn</name>
>>>>     <value>10</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.CallableQueueService.callable.concurrency</name>
>>>>     <value>3</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.JPAService.jdbc.username</name>
>>>>     <value>oozie</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.AuthorizationService.security.enabled</name>
>>>>     <value>false</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.CallableQueueService.threads</name>
>>>>     <value>10</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.authentication.type</name>
>>>>     <value>simple</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>use.system.libpath.for.mapreduce.and.pig.jobs</name>
>>>>     <value>false</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>hadoop.proxyuser.oozie.groups</name>
>>>>     <value>tom,oozie,root,sally</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.db.schema.name</name>
>>>>     <value>oozie</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.authentication.kerberos.name.rules</name>
>>>>     <value>
>>>>       RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
>>>>       RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
>>>>       RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
>>>>       RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
>>>>       DEFAULT</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.URIHandlerService.uri.handlers</name>
>>>>     <value>org.apache.oozie.dependency.FSURIHandler,org.apache.oozie.dependency.HCatURIHandler</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.HadoopAccessorService.supported.filesystems</name>
>>>>     <value>glusterfs</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.base.url</name>
>>>>     <value>http://mrg42.lab.bos.redhat.com:11000/oozie</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.JPAService.jdbc.driver</name>
>>>>     <value>org.apache.derby.jdbc.EmbeddedDriver</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.JPAService.create.db.schema</name>
>>>>     <value>false</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.system.id</name>
>>>>     <value>oozie-${user.name}</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.coord.normal.default.timeout</name>
>>>>     <value>120</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.credentials.credentialclasses</name>
>>>>     <value>hcat=org.apache.oozie.action.hadoop.HCatCredentials</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.CallableQueueService.queue.size</name>
>>>>     <value>1000</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.JPAService.jdbc.password</name>
>>>>     <value>admin</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.HadoopAccessorService.nameNode.whitelist</name>
>>>>     <value> </value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.PurgeService.older.than</name>
>>>>     <value>30</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.HadoopAccessorService.jobTracker.whitelist</name>
>>>>     <value> </value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.systemmode</name>
>>>>     <value>NORMAL</value>
>>>>   </property>
>>>>   <property>
>>>>     <name>oozie.service.PurgeService.purge.interval</name>
>>>>     <value>3600</value>
>>>>   </property>
>>>>
>>>>
>>>>
>>>> --
>>>> Jay Vyas
>>>> http://jayunit100.blogspot.com
>>>
>>>
>>>
>>> --
>>> Harsh J
>
>
>
>--
>Harsh J
