Hi Ben,

Sorry for the inconvenience. What version of Oozie are you using? In Apache, this feature is supported from 3.2.

If you try with the wildcard value (*), does it work? (I know you want to use for security).

Regards,
Mohammad

----- Original Message -----
From: Ben Flint <[email protected]>
To: [email protected]
Cc:
Sent: Thursday, August 2, 2012 4:01 PM
Subject: Oozie impersonation security exception

All,

I know I'm about the zillionth person to have issues with Oozie impersonation. I have reviewed all the documentation and mailing list archives, and I think I have done everything necessary/suggested to get it to work (short of using wide-open wildcards for the proxyuser config values. I'm actually trying to enforce security). I am still having issues.

I'm getting the notorious exception when I try to run the example (full stack trace is at the end of this email):

Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint

I have the following configuration in both my name node and job tracker core-site.xml file:

--snip--
<property>
  <name>hadoop.proxyuser.oozie.groups</name>
  <value>users</value>
  <description>
    Proxy group for Hadoop.
  </description>
</property>
<property>
  <name>hadoop.proxyuser.oozie.hosts</name>
  <value>hadoop-bflint-slave1.bflint.myhost.com</value>
  <description>
    Proxy host for Hadoop.
  </description>
</property>
--snip--

I have restarted the cluster.

Here is proof that my user is in the 'users' group on the oozie client host (which is the same as the oozie server host):

--snip--
[bflint@hadoop-bflint-slave1 oozie]$ groups
users
--snip--

Can someone please help me out?

Thanks,
Ben

---snip full stack trace----
2012-07-29 01:47:00,568 DEBUG AuthenticationFilter:347 - Request [http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] user [bflint] authenticated
2012-07-29 01:47:00,580 ERROR UserGroupInformation:1125 - PriviledgedActionException as:bflint via oozie cause:org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
2012-07-29 01:47:00,581 INFO BaseJobServlet:539 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] AuthorizationException
org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
    at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
    at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
    at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
    at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
    at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
    at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
    at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
    ... 22 more
Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
    at org.apache.hadoop.ipc.Client.call(Client.java:1092)
    at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
    at $Proxy23.getProtocolVersion(Unknown Source)
    at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
    at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
    at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
    at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
    at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
    at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
    at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
    at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
    at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
    at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
    at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
    at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
    ... 23 more
2012-07-29 01:47:00,583 WARN V1JobsServlet:542 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] URL[POST http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] error[E0902], E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
org.apache.oozie.servlet.XServletException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
    at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:199)
    at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
    at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
    at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
    at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
    at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
    ... 21 more
Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
    at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
    at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
    ... 22 more
Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
    at org.apache.hadoop.ipc.Client.call(Client.java:1092)
    at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
    at $Proxy23.getProtocolVersion(Unknown Source)
    at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
    at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
    at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
    at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
    at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
    at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
    at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
    at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
    at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
    at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
    at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
    at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
    ... 23 more
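
Added example (not part of the thread, and not Hadoop or Oozie code): a simplified Python model of the two proxyuser checks behind "is not allowed to impersonate", run against the core-site.xml properties quoted above. It evaluates group membership as the NameNode/JobTracker host sees it and compares host entries by resolved IP; the function names, the lookup callables and the address 10.0.0.11 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two properties quoted in the thread, wrapped in a
# <configuration> root so the fragment parses.
CORE_SITE = """<configuration>
 <property><name>hadoop.proxyuser.oozie.groups</name><value>users</value></property>
 <property><name>hadoop.proxyuser.oozie.hosts</name>
  <value>hadoop-bflint-slave1.bflint.myhost.com</value></property>
</configuration>"""

def load_proxyuser(xml_text, proxy):
    """Return (groups, hosts) sets configured for hadoop.proxyuser.<proxy>.*"""
    props = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    def values(key):
        raw = props.get(f"hadoop.proxyuser.{proxy}.{key}", "")
        return {v.strip() for v in raw.split(",") if v.strip()}
    return values("groups"), values("hosts")

def check(xml_text, proxy, user, remote_ip, groups_of, resolve):
    """Simplified model of the service-side decision; returns (allowed, reasons).
    groups_of(user): the user's groups as seen on the NameNode/JobTracker host.
    resolve(host): the IP that host obtains for a configured host name."""
    groups, hosts = load_proxyuser(xml_text, proxy)
    reasons = []
    if not groups:
        reasons.append(f"hadoop.proxyuser.{proxy}.groups is not set")
    elif "*" not in groups and not groups & set(groups_of(user)):
        reasons.append(f"{user} is in none of {sorted(groups)} on the service host")
    if not hosts:
        reasons.append(f"hadoop.proxyuser.{proxy}.hosts is not set")
    elif "*" not in hosts and remote_ip not in {resolve(h) for h in hosts}:
        reasons.append(f"{remote_ip} matches none of {sorted(hosts)}")
    return not reasons, reasons

if __name__ == "__main__":
    # Hypothetical lookups standing in for the service host's group mapping and DNS.
    dns = {"hadoop-bflint-slave1.bflint.myhost.com": "10.0.0.11"}
    for ip, grp in [("10.0.0.11", ["users"]), ("10.0.0.11", []), ("10.0.0.12", ["users"])]:
        print(ip, grp, check(CORE_SITE, "oozie", "bflint", ip, lambda u: grp, dns.get))
```

To audit a real cluster, feed it the core-site.xml actually loaded by each service and replace the two callables with lookups performed on that service's host.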
