By default (Unix Shell User-Group-Mapping), the groups are resolved at the NameNode. So unless the NameNode can detect that "bflint" belongs to "users", the auth won't be allowed.
This is further detailed at http://www.cloudera.com/blog/2012/03/authorization-and-authentication-in-hadoop/

On Fri, Aug 3, 2012 at 8:49 AM, Alejandro Abdelnur <[email protected]> wrote:

> Adding to Mohammad's question, what version of Hadoop are you using? And
> what Unix user is running the oozie server? Also, the user bflint exists in
> the oozie server box? and does it belong there to the group 'users'?
>
> Thx
>
> On Thu, Aug 2, 2012 at 6:28 PM, Mohammad Islam <[email protected]> wrote:
>
> > Hi Ben,
> > Sorry for the inconvenience.
> > What version of Oozie are you using? In apache, this feature is supported
> > from 3.2.
> >
> > If you try with value wild card (*), does it work? (I know you want to use
> > for security).
> >
> > Regards,
> > Mohammad
> >
> >
> > ----- Original Message -----
> > From: Ben Flint <[email protected]>
> > To: [email protected]
> > Cc:
> > Sent: Thursday, August 2, 2012 4:01 PM
> > Subject: Oozie impersonation security exception
> >
> > All,
> > I know I'm about the zillionth person to have issues with Oozie
> > impersonation. I have reviewed all the documentation and mailing list
> > archives, and I think I have done everything necessary/suggested to get it
> > to work (short of using wide-open wildcards for the proxyuser config
> > values. I'm actually trying to enforce security).
> >
> > I am still having issues. I'm getting the notorious exception when I try
> > to run the example (full stack trace is at the end of this email):
> >
> > Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not
> > allowed to impersonate bflint
> >
> > I have the following configuration in both my name node and job tracker
> > core-site.xml file:
> >
> > --snip--
> > <property>
> >   <name>hadoop.proxyuser.oozie.groups</name>
> >   <value>users</value>
> >   <description>
> >     Proxy group for Hadoop.
> >   </description>
> > </property>
> >
> > <property>
> >   <name>hadoop.proxyuser.oozie.hosts</name>
> >   <value>hadoop-bflint-slave1.bflint.myhost.com</value>
> >   <description>
> >     Proxy host for Hadoop.
> >   </description>
> > </property>
> > --snip--
> >
> > I have restarted the cluster.
> >
> > Here is proof that my user is in the 'users' group on the oozie client
> > host (which is the same as the oozie server host):
> > --snip--
> > [bflint@hadoop-bflint-slave1 oozie]$ groups
> > users
> > --snip--
> >
> > Can someone please help me out?
> >
> > Thanks,
> > Ben
> >
> > ---snip full stack trace----
> >
> > 2012-07-29 01:47:00,568 DEBUG AuthenticationFilter:347 - Request [http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] user [bflint] authenticated
> > 2012-07-29 01:47:00,580 ERROR UserGroupInformation:1125 - PriviledgedActionException as:bflint via oozie cause:org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
> > 2012-07-29 01:47:00,581 INFO BaseJobServlet:539 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] AuthorizationException
> > org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
> >         at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
> >         at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
> >         at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> >         at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >         at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
> >         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
> >         at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
> >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
> >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> >         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> >         at java.lang.Thread.run(Thread.java:662)
> > Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
> >         at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
> >         at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
> >         ... 22 more
> > Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
> >         at org.apache.hadoop.ipc.Client.call(Client.java:1092)
> >         at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
> >         at $Proxy23.getProtocolVersion(Unknown Source)
> >         at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
> >         at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
> >         at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
> >         at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
> >         at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
> >         at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
> >         at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
> >         at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
> >         at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
> >         at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
> >         at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
> >         at java.security.AccessController.doPrivileged(Native Method)
> >         at javax.security.auth.Subject.doAs(Subject.java:396)
> >         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
> >         at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
> >         ... 23 more
> > 2012-07-29 01:47:00,583 WARN V1JobsServlet:542 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] URL[POST http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] error[E0902], E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
> > org.apache.oozie.servlet.XServletException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
> >         at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:199)
> >         at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> >         at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >         at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
> >         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
> >         at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
> >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
> >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> >         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> >         at java.lang.Thread.run(Thread.java:662)
> > Caused by: org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
> >         at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
> >         at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
> >         ... 21 more
> > Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
> >         at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
> >         at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
> >         ... 22 more
> > Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
> >         at org.apache.hadoop.ipc.Client.call(Client.java:1092)
> >         at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
> >         at $Proxy23.getProtocolVersion(Unknown Source)
> >         at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
> >         at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
> >         at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
> >         at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
> >         at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
> >         at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
> >         at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
> >         at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
> >         at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
> >         at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
> >         at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
> >         at java.security.AccessController.doPrivileged(Native Method)
> >         at javax.security.auth.Subject.doAs(Subject.java:396)
> >         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
> >         at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
> >         ... 23 more
> >
> >
>
> --
> Alejandro
>

--
Harsh J
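The point Harsh makes above, that the proxyuser check evaluates the impersonated user's groups on the NameNode and not on the Oozie host, is easy to see if the decision is written out. The following is an added example, not code from this thread, from Oozie or from Hadoop: it re-implements the decision driven by hadoop.proxyuser.<user>.groups and hadoop.proxyuser.<user>.hosts (Hadoop's own implementation lives in org.apache.hadoop.security.authorize.ProxyUsers) with the server-side group lookup passed in explicitly. The core-site.xml fragment mirrors the thread's configuration; the host-to-address table and the per-host group tables are constructed for the example, and the denial strings follow Hadoop's wording (the group-case message is the one in the stack trace above).

```python
"""Model of Hadoop's proxy-user (impersonation) check, as the NameNode runs it.

Added example: not code from this thread, from Oozie or from Hadoop. It
re-implements the decision that hadoop.proxyuser.<user>.groups / .hosts
drive, so the two inputs that matter (the server-side group lookup and the
caller's address) are explicit. Host names, addresses and group tables
below are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment mirroring the thread's configuration.
CORE_SITE_XML = """<configuration>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>users</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>hadoop-bflint-slave1.bflint.myhost.com</value>
  </property>
</configuration>
"""

# Constructed stand-in for DNS. The server resolves each configured host to
# an address and compares it with the address the RPC arrived from.
HOST_TO_IP = {"hadoop-bflint-slave1.bflint.myhost.com": "10.0.0.11"}


def load_proxyuser_rules(xml_text):
    """Return {proxy_user: {"groups": set, "hosts": set}} from core-site.xml."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        parts = prop.findtext("name", "").strip().split(".")
        value = prop.findtext("value", "").strip()
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"] \
                and parts[3] in ("groups", "hosts"):
            entry = rules.setdefault(parts[2], {"groups": set(), "hosts": set()})
            entry[parts[3]].update(v.strip() for v in value.split(",") if v.strip())
    return rules


def authorize(rules, proxy_user, real_user, remote_ip, server_groups_of):
    """Decide whether proxy_user may act as real_user from remote_ip.

    server_groups_of(user) stands for the group mapping on the server that
    receives the RPC (the NameNode's Unix shell lookup by default); what the
    client host reports for the user never enters the decision.
    Returns (allowed, reason).
    """
    denied = f"User: {proxy_user} is not allowed to impersonate {real_user}"
    entry = rules.get(proxy_user)
    if entry is None:
        return False, denied
    # Group check, using the impersonated user's groups as the server sees them.
    if "*" not in entry["groups"] and not entry["groups"] & set(server_groups_of(real_user)):
        return False, denied
    # Host check, against the resolved addresses of the configured hosts.
    if "*" not in entry["hosts"] and not any(HOST_TO_IP.get(h) == remote_ip for h in entry["hosts"]):
        return False, f"Unauthorized connection for super-user: {proxy_user} from IP {remote_ip}"
    return True, "ok"


def demo():
    """Same config and caller, two different server-side group tables."""
    rules = load_proxyuser_rules(CORE_SITE_XML)
    caller_ip = HOST_TO_IP["hadoop-bflint-slave1.bflint.myhost.com"]
    # `groups` on the Oozie box says bflint is in "users", but the NameNode
    # has no such account, so its lookup returns nothing (constructed tables).
    namenode_groups_missing = {}
    namenode_groups_fixed = {"bflint": ["users"]}
    deny = authorize(rules, "oozie", "bflint", caller_ip,
                     lambda u: namenode_groups_missing.get(u, []))
    allow = authorize(rules, "oozie", "bflint", caller_ip,
                      lambda u: namenode_groups_fixed.get(u, []))
    return deny, allow


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The first outcome of demo() is the thread's exception; the second is the same request once the NameNode host can resolve bflint into the users group (a local account, or a group mapping such as LDAP that both hosts share). The wildcard Mohammad suggests short-circuits the group check entirely, which is why it works as a diagnostic but not as a policy.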
