Hi Shwetha,
I am trying both possibilities but unfortunately neither of them works for me
at the moment. When I remove oc.doAs(...) I am getting the error as posted
before:
141021055438985-oozie-oozi-W@pif-cleanup] Launcher exception: E0501: Could not perform authorization operation, User: oozie is not allowed to impersonate yarn
E0501 : E0501: Could not perform authorization operation, User: oozie is not allowed to impersonate yarn
at org.apache.oozie.client.OozieClient.handleError(OozieClient.java:508)
at org.apache.oozie.client.OozieClient$JobSubmit.call(OozieClient.java:591)
at org.apache.oozie.client.OozieClient$JobSubmit.call(OozieClient.java:561)
at org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:479)
at org.apache.oozie.client.OozieClient.run(OozieClient.java:655)
at com.ncr.bigdata.mr.cleanup.PifCleanupJob.runWorkflow(PifCleanupJob.java:101)
at com.ncr.bigdata.mr.cleanup.PifCleanupJob.run(PifCleanupJob.java:62)
at com.ncr.bigdata.mr.cleanup.PifCleanupJob.main(PifCleanupJob.java:45)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.oozie.action.hadoop.LauncherMapper.map(LauncherMapper.java:226)
at org.apache.hadoop.mapred.MapRunner.run(MapRunner.java:54)
at org.apache.hadoop.mapred.MapTask.runOldMapper(MapTask.java:429)
at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:162)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:157)
It is not clear to me why it is oozie to yarn, as I clearly see that the
submitted job is under the jobsubmit user. The first workflow is submitted
under jobsubmit (member of the users group); this runs a java action with
oozie client code and gets this error. The Oozie server is running under the
oozie user. Configuration from core-site.xml:
</property>
<property>
<name>hadoop.security.authentication</name>
<value>simple</value>
</property>
<property>
<name>hadoop.proxyuser.oozie.groups</name>
<value>users</value>
</property>
<property>
<name>hadoop.proxyuser.oozie.hosts</name>
<value>*</value>
</property>
On 21 October 2014 12:57, Shwetha GS <[email protected]> wrote:
> Do you need oc.doAs("jobsubmit", new Callable<Object>()? This code is
> trying to impersonate another user and requires proxy configuration in
> oozie. Why don't you submit the job directly using oc.run()? If you need
> it, you need to configure oozie proxy settings (see
> http://oozie.apache.org/docs/4.0.1/DG_QuickStart.html).
>
> -Shwetha
>
> On Tue, Oct 21, 2014 at 4:19 PM, Jakub Stransky <[email protected]>
> wrote:
>
> > If I remove impersonation from the java action (doAs callable) I am getting:
> > 141021055438985-oozie-oozi-W@pif-cleanup] Launcher exception: E0501:
> Could
> > not perform authorization operation, User: oozie is not allowed to
> > impersonate yarn
> > E0501 : E0501: Could not perform authorization operation, User: oozie is
> > not allowed to impersonate yarn
> > at org.apache.oozie.client.OozieClient.handleError(OozieClient.java:508)
> > at
> org.apache.oozie.client.OozieClient$JobSubmit.call(OozieClient.java:591)
> > at
> org.apache.oozie.client.OozieClient$JobSubmit.call(OozieClient.java:561)
> > at
> >
> >
> org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:479)
> > at org.apache.oozie.client.OozieClient.run(OozieClient.java:655)
> > at
> >
> >
> com.ncr.bigdata.mr.cleanup.PifCleanupJob.runWorkflow(PifCleanupJob.java:101)
> > at com.ncr.bigdata.mr.cleanup.PifCleanupJob.run(PifCleanupJob.java:62)
> > at com.ncr.bigdata.mr.cleanup.PifCleanupJob.main(PifCleanupJob.java:45)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > at
> >
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:606)
> > at
> >
> org.apache.oozie.action.hadoop.LauncherMapper.map(LauncherMapper.java:226)
> > at org.apache.hadoop.mapred.MapRunner.run(MapRunner.java:54)
> > at org.apache.hadoop.mapred.MapTask.runOldMapper(MapTask.java:429)
> > at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
> > at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:162)
> > at java.security.AccessController.doPrivileged(Native Method)
> > at javax.security.auth.Subject.doAs(Subject.java:415)
> > at
> >
> >
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
> > at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:157)
> >
> > With impersonation to jobsubmit I am getting:
> >
> > SEVERE: Servlet.service() for servlet v1jobs threw exception
> > java.lang.IllegalArgumentException: proxyUser cannot be null, If you're
> > attempting to use user-impersonation via a proxy user, please make sure
> > that oozie.service.ProxyUserService.proxyuser.#USER#.hosts and
> > oozie.service.ProxyUserService.proxyuser.#USER#.groups are configured
> > correctly
> > at org.apache.oozie.util.ParamChecker.notEmpty(ParamChecker.java:84)
> > at
> >
> >
> org.apache.oozie.service.ProxyUserService.validate(ProxyUserService.java:131)
> > at
> >
> org.apache.oozie.servlet.JsonRestServlet.getUser(JsonRestServlet.java:542)
> > at
> >
> org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:278)
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> > at
> >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> > at
> >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
> > at
> >
> >
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:384)
> > at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
> > at
> >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> > at
> >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > at
> org.apache.oozie.servlet.HostnameFilter.doFilter(HostnameFilter.java:84)
> > at
> >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> > at
> >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > at
> >
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> > at
> >
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> > at
> >
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> > at
> >
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> > at
> >
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> > at
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
> > at
> >
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
> > at
> >
> >
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
> > at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> > at java.lang.Thread.run(Thread.java:744)
> >
> >
> > In both cases I added the following lines to oozie-site.xml:
> > <property>
> > <name>oozie.service.ProxyUserService.proxyuser.oozie.hosts</name>
> > <value>*</value>
> > </property>
> >
> > <property>
> > <name>oozie.service.ProxyUserService.proxyuser.oozie.groups</name>
> > <value>*</value>
> > </property>
> >
> > Otherwise workflows, coordinators etc. run fine when submitted under jobsubmit
> > to oozie and then run on the cluster with no problem. So I don't know what I
> > might be missing here. Any guess?
> >
> > Thanks
> > Jakub
> >
> >
> > On 21 October 2014 12:40, Jakub Stransky <[email protected]> wrote:
> >
> > > SEVERE: Servlet.service() for servlet v1jobs threw exception
> > > java.lang.IllegalArgumentException: proxyUser cannot be null, If you're
> > > attempting to use user-impersonation via a proxy user, please make sure
> > > that oozie.service.ProxyUserService.proxyuser.#USER#.hosts and
> > > oozie.service.ProxyUserService.proxyuser.#USER#.groups are configured
> > > correctly
> > > at org.apache.oozie.util.ParamChecker.notEmpty(ParamChecker.java:84)
> > > at
> > >
> >
> org.apache.oozie.service.ProxyUserService.validate(ProxyUserService.java:131)
> > > at
> > >
> >
> org.apache.oozie.servlet.JsonRestServlet.getUser(JsonRestServlet.java:542)
> > > at
> > >
> >
> org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:278)
> > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> > > at
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> > > at
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > > at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
> > > at
> > >
> >
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:384)
> > > at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
> > > at
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> > > at
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > > at
> > org.apache.oozie.servlet.HostnameFilter.doFilter(HostnameFilter.java:84)
> > > at
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> > > at
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > > at
> > >
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> > > at
> > >
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> > > at
> > >
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> > > at
> > >
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> > > at
> > >
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> > > at
> > >
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
> > > at
> > >
> >
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
> > > at
> > >
> >
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
> > > at
> > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> > > at java.lang.Thread.run(Thread.java:744)
> > >
> > > On 21 October 2014 12:17, Shwetha GS <[email protected]> wrote:
> > >
> > >> Check the exception in oozie server logs
> > >>
> > >> -Shwetha
> > >>
> > >> On Tue, Oct 21, 2014 at 2:40 PM, Jakub Stransky <
> [email protected]>
> > >> wrote:
> > >>
> > >> > Hello experienced users,
> > >> >
> > >> > I am new to oozie and trying to run a workflow submission from another
> > >> > workflow via java action as follows (using oozie 4.0.0.2.0.6.0-101):
> > >> >     log.debug("Submit a wf for {} in a blocking mode: {}", input, blockUntillWfRun);
> > >> >
> > >> >     final OozieClient oc = new OozieClient(this.oozieServerHTTP);
> > >> >
> > >> >     final Properties conf = oc.createConfiguration();
> > >> >     conf.setProperty(OozieClient.APP_PATH, this.wfPath);
> > >> >     conf.setProperty(CONF_JOB_TRACKER, this.jobTracker);
> > >> >
> > >> >     // wf specific properties
> > >> >     conf.setProperty("pigInput", input);
> > >> >     conf.setProperty("pigOutput", output);
> > >> >     conf.setProperty("nameNode", this.nameNode);
> > >> >     conf.setProperty("POSSchema", this.pifSchema);
> > >> >     conf.setProperty("queueName", "default");
> > >> >
> > >> >     oc.doAs("jobsubmit", new Callable<Object>() {
> > >> >         @Override
> > >> >         public Object call() throws Exception {
> > >> >             try {
> > >> >                 final String jobId = oc.run(conf);
> > >> >                 log.info("Workflow {} submitted for input {}", jobId, input);
> > >> >
> > >> >                 if (blockUntillWfRun) {
> > >> >                     while (oc.getJobInfo(jobId).getStatus() == WorkflowJob.Status.RUNNING) {
> > >> >                         try {
> > >> >                             Thread.sleep(DEFAULT_PAUSE_s * 1000);
> > >> >
> > >> >                             final WorkflowJob.Status currentStatus = oc.getJobInfo(jobId).getStatus();
> > >> >                             log.debug("Blocking for processing input {}, current status {}", input, currentStatus);
> > >> >
> > >> >                         } catch (InterruptedException e) {
> > >> >                             // that shouldn't happen
> > >> >                             log.warn("wf for input {} block waiting interupted", input, e);
> > >> >                             throw new OozieClientException("Interupted during Wait for completion, wf state unknown", e);
> > >> >                         }
> > >> >                     }
> > >> >
> > >> >                     final WorkflowJob.Status finalStatus = oc.getJobInfo(jobId).getStatus();
> > >> >
> > >> >                     log.info("WF finished for Input {}, latest status {}", input, finalStatus);
> > >> >
> > >> >                     if (finalStatus != WorkflowJob.Status.SUCCEEDED) {
> > >> >                         throw new CleanUpException(input, finalStatus);
> > >> >                     }
> > >> >                 } else {
> > >> >                     log.info("WF submitted for input {}", input);
> > >> >                 }
> > >> >
> > >> >             } catch (OozieClientException e) {
> > >> >                 log.error("Unable to process an input {} by workflow ...", input, e);
> > >> >                 throw e;
> > >> >             }
> > >> >             return null;
> > >> >         }
> > >> >     });
> > >> > }
> > >> >
> > >> > Blocking in a callable is nonsense, I know. Configuration from core-site.xml:
> > >> > <property>
> > >> > <name>hadoop.proxyuser.oozie.groups</name>
> > >> > <value>users</value>
> > >> > </property>
> > >> >
> > >> > <property>
> > >> > <name>hadoop.proxyuser.oozie.hosts</name>
> > >> > <value>*</value>
> > >> > </property>
> > >> >
> > >> > Oozie server is running under the user oozie and all workflows are
> > >> > submitted under the user jobsubmit who is the member of users.
> > >> >
> > >> > I am getting following error:
> > >> >
> > >> > 2014-10-21 04:48:54,083 WARN JavaActionExecutor:542 -
> USER[jobsubmit]
> > >> > GROUP[-] TOKEN[] APP[pif-cleanup]
> > >> JOB[0000001-141021043647569-oozie-oozi-W]
> > >> > ACTION[0000001-141021043647569-oozie-oozi-W@pif-cleanup] Launcher
> > >> > exception: Internal Server Error
> > >> > HTTP error code: 500 : Internal Server Error
> > >> > at
> > org.apache.oozie.client.OozieClient.handleError(OozieClient.java:508)
> > >> > at
> > >>
> org.apache.oozie.client.OozieClient$JobSubmit.call(OozieClient.java:591)
> > >> > at
> > >>
> org.apache.oozie.client.OozieClient$JobSubmit.call(OozieClient.java:561)
> > >> > at
> > >> >
> > >> >
> > >>
> >
> org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:479)
> > >> > at org.apache.oozie.client.OozieClient.run(OozieClient.java:655)
> > >> > at
> > >> com.ncr.bigdata.mr.cleanup.PifCleanupJob$1.call(PifCleanupJob.java:97)
> > >> > at org.apache.oozie.client.OozieClient.doAs(OozieClient.java:191)
> > >> > at
> > >> >
> > >>
> >
> com.ncr.bigdata.mr.cleanup.PifCleanupJob.runWorkflow(PifCleanupJob.java:93)
> > >> > at
> com.ncr.bigdata.mr.cleanup.PifCleanupJob.run(PifCleanupJob.java:63)
> > >> > at
> > com.ncr.bigdata.mr.cleanup.PifCleanupJob.main(PifCleanupJob.java:46)
> > >> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >> > at
> > >> >
> > >> >
> > >>
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > >> > at
> > >> >
> > >> >
> > >>
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >> > at java.lang.reflect.Method.invoke(Method.java:606)
> > >> > at
> > >> >
> > >>
> >
> org.apache.oozie.action.hadoop.LauncherMapper.map(LauncherMapper.java:226)
> > >> > at org.apache.hadoop.mapred.MapRunner.run(MapRunner.java:54)
> > >> > at org.apache.hadoop.mapred.MapTask.runOldMapper(MapTask.java:429)
> > >> > at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
> > >> > at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:162)
> > >> > at java.security.AccessController.doPrivileged(Native Method)
> > >> > at javax.security.auth.Subject.doAs(Subject.java:415)
> > >> > at
> > >> >
> > >> >
> > >>
> >
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
> > >> > at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:157)
> > >> >
> > >> > Those are properties
> > >> >
> > >> > nameNode=hdfs://namenodeha:8020
> > >> > jobTracker=bd-prg-dev1-rm1:8050
> > >> > oozieServer =bd-prg-en1
> > >> > queueName=default
> > >> > oozieServerHTTP=http://${oozieServer}:11000/oozie
> > >> >
> > >> >
> > >> > I have no idea what might go wrong here, so any help from more experienced
> > >> > users is appreciated.
> > >> >
> > >> > Thanks a lot
> > >> > Jakub
> > >> >
> > >>
> > >> --
> > >> _____________________________________________________________
> > >> The information contained in this communication is intended solely for
> > the
> > >> use of the individual or entity to whom it is addressed and others
> > >> authorized to receive it. It may contain confidential or legally
> > >> privileged
> > >> information. If you are not the intended recipient you are hereby
> > notified
> > >> that any disclosure, copying, distribution or taking any action in
> > >> reliance
> > >> on the contents of this information is strictly prohibited and may be
> > >> unlawful. If you have received this communication in error, please
> > notify
> > >> us immediately by responding to this email and then delete it from
> your
> > >> system. The firm is neither liable for the proper and complete
> > >> transmission
> > >> of the information contained in this communication nor for any delay
> in
> > >> its
> > >> receipt.
> > >>
> > >
> > >
> > >
> > > --
> > > Jakub Stransky
> > > cz.linkedin.com/in/jakubstransky
> > >
> > >
> >
> >
> > --
> > Jakub Stransky
> > cz.linkedin.com/in/jakubstransky
> >
>
>
--
Jakub Stransky
cz.linkedin.com/in/jakubstransky
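
A simplified model of the proxy-user check behind the hadoop.proxyuser.oozie.* and oozie.service.ProxyUserService.proxyuser.* settings posted in this thread, as an added example (not code from the thread, Hadoop or Oozie). It assumes exact host-name matching and a constructed group table in which yarn is not a member of users; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Properties as posted in the thread, wrapped in a <configuration> root.
CORE_SITE = """<configuration>
<property><name>hadoop.proxyuser.oozie.groups</name><value>users</value></property>
<property><name>hadoop.proxyuser.oozie.hosts</name><value>*</value></property>
</configuration>"""
OOZIE_SITE = """<configuration>
<property><name>oozie.service.ProxyUserService.proxyuser.oozie.hosts</name><value>*</value></property>
<property><name>oozie.service.ProxyUserService.proxyuser.oozie.groups</name><value>*</value></property>
</configuration>"""
HADOOP_PREFIX = "hadoop.proxyuser"
OOZIE_PREFIX = "oozie.service.ProxyUserService.proxyuser"

# Constructed group table: jobsubmit being in "users" is stated in the thread;
# yarn's group is an assumption made for this example.
GROUPS = {"jobsubmit": {"users"}, "yarn": {"hadoop"}}


def load_props(xml_text):
    """Parse a Hadoop-style *-site.xml document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def acl(props, key):
    """Comma-separated ACL value as a set, or None when the key is absent."""
    if key not in props:
        return None
    return {item.strip() for item in props[key].split(",") if item.strip()}


def may_impersonate(props, prefix, proxy_user, target_user, client_host, groups=GROUPS):
    """Simplified proxy-user check; returns (allowed, reason)."""
    hosts = acl(props, f"{prefix}.{proxy_user}.hosts")
    allowed_groups = acl(props, f"{prefix}.{proxy_user}.groups")
    if hosts is None or allowed_groups is None:
        return False, f"no proxyuser rule for {proxy_user}"
    if "*" not in hosts and client_host not in hosts:
        return False, f"{client_host} is not in {sorted(hosts)}"
    member_of = groups.get(target_user, set())
    if "*" not in allowed_groups and not (member_of & allowed_groups):
        return False, f"{target_user} is not in any of {sorted(allowed_groups)}"
    return True, "ok"


def wildcard_rules(props, prefix):
    """Proxy-user keys under `prefix` whose value is the match-all '*'."""
    return sorted(k for k, v in props.items() if k.startswith(prefix + ".") and v == "*")


if __name__ == "__main__":
    for target in ("jobsubmit", "yarn"):
        print(target, may_impersonate(load_props(CORE_SITE), HADOOP_PREFIX, "oozie", target, "bd-prg-en1"))
    print(wildcard_rules(load_props(OOZIE_SITE), OOZIE_PREFIX))
```

The rules are keyed by the name of the caller doing the impersonation, so a rule for oozie says nothing about any other caller. The keys returned by wildcard_rules are the ones to narrow to specific hosts and groups once the setup works.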