[jira] [Commented] (OOZIE-2165) Job log fetching can fail in Oozie HA mode when using doAs impersonation

Mon, 09 Mar 2015 14:38:32 -0700 

    [ 
https://issues.apache.org/jira/browse/OOZIE-2165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14353628#comment-14353628
 ] 

Purshotam Shah commented on OOZIE-2165:
---------------------------------------

'tomcat user' = ${user.name}
When we call other oozie server to fetch logs, the request goes as current 
oozie user, not requested user.

Ex.
http://oozie-server:4080/oozie/v2/job/jobid1-oozie_CB-W?show=log&allservers=false&doAs=sumeet&user.name=hue
will be 
http://oozie-server:4080/oozie/v2/job/jobid1-oozie_CB-W?show=log&allservers=false&doAs=sumeet&user.name=oozie

If "oozie" is not enable as proxy user, then Job log fetch from other servers 
will fail, because request will have doAs param and oozie user is not 
configured as proxy user.

This is not related to Job log fetch, others server-server ( sharelib update, 
if done as doAs) will also fail.

> Job log fetching can fail in Oozie HA mode when using doAs impersonation
> ------------------------------------------------------------------------
>
>                 Key: OOZIE-2165
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2165
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA
>    Affects Versions: 4.1.0
>            Reporter: Romain Rigaux
>
> From https://issues.cloudera.org/browse/HUE-2608
> "Oozie logs in Hue does not work well when Oozie is configured in HA mode. 
> Essentially, DoAs user doesn't work for HA request. This happens because in 
> HA one server will call other server as "tomcat user".
> http://oozie-server:4080/oozie/v2/job/jobid1-oozie_CB-W?show=log&allservers=false&doAs=sumeet&user.name=hue
> will be 
> http://oozie-server:4080/oozie/v2/job/jobid1-oozie_CB-W?show=log&allservers=false&doAs=sumeet&user.name=oozie
> Potential fixes can be to add oozie as proxy user or drop doAs user from 
> server to server call. Since the request is already authenticated, it should 
> ok to call other server with oozie user. 
> http://oozie-server:4080/oozie/v2/job/jobid1-oozie_CB-W?show=log&allservers=false&user.name=oozie";



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to