Harsh, Thank you. That was my problem. The user bflint was not actually a user on the NameNode. It was only a user on the Oozie client, Oozie server, and JobTracker hosts (which all happen to be the same machine). Once I added 'bflint' as a user with the group 'users' to the NameNode, the job worked great, even without having to resort to using a wildcard in the proxyuser config properties.
And thank you for the blog post. It was super helpful, and I'm not sure how I had missed it before. Thanks everyone for the quick response.

-Ben

On Aug 2, 2012, at 8:43 PM, Harsh J wrote:

> By default (Unix Shell User-Group-Mapping), the groups are resolved at the
> NameNode. So unless the NameNode can detect that "bflint" belongs to
> "users", the auth won't be allowed.
>
> This is further detailed at
> http://www.cloudera.com/blog/2012/03/authorization-and-authentication-in-hadoop/
>
> On Fri, Aug 3, 2012 at 8:49 AM, Alejandro Abdelnur <[email protected]> wrote:
>
>> Adding to Mohammad's question, what version of Hadoop are you using? And
>> what Unix user is running the oozie server? Also, does the user bflint exist on
>> the oozie server box, and does it belong there to the group 'users'?
>>
>> Thx
>>
>> On Thu, Aug 2, 2012 at 6:28 PM, Mohammad Islam <[email protected]> wrote:
>>
>>> Hi Ben,
>>> Sorry for the inconvenience.
>>> What version of Oozie are you using? In Apache, this feature is supported
>>> from 3.2.
>>>
>>> If you try with the wildcard value (*), does it work? (I know you want to use
>>> a restricted value for security).
>>>
>>> Regards,
>>> Mohammad
>>>
>>> ----- Original Message -----
>>> From: Ben Flint <[email protected]>
>>> To: [email protected]
>>> Cc:
>>> Sent: Thursday, August 2, 2012 4:01 PM
>>> Subject: Oozie impersonation security exception
>>>
>>> All,
>>> I know I'm about the zillionth person to have issues with Oozie
>>> impersonation. I have reviewed all the documentation and mailing list
>>> archives, and I think I have done everything necessary/suggested to get it
>>> to work (short of using wide-open wildcards for the proxyuser config
>>> values. I'm actually trying to enforce security).
>>>
>>> I am still having issues. I'm getting the notorious exception when I try
>>> to run the example (full stack trace is at the end of this email):
>>>
>>> Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not
>>> allowed to impersonate bflint
>>>
>>> I have the following configuration in both my name node and job tracker
>>> core-site.xml file:
>>>
>>> --snip--
>>> <property>
>>>   <name>hadoop.proxyuser.oozie.groups</name>
>>>   <value>users</value>
>>>   <description>
>>>     Proxy group for Hadoop.
>>>   </description>
>>> </property>
>>>
>>> <property>
>>>   <name>hadoop.proxyuser.oozie.hosts</name>
>>>   <value>hadoop-bflint-slave1.bflint.myhost.com</value>
>>>   <description>
>>>     Proxy host for Hadoop.
>>>   </description>
>>> </property>
>>> --snip--
>>>
>>> I have restarted the cluster.
>>>
>>> Here is proof that my user is in the 'users' group on the oozie client
>>> host (which is the same as the oozie server host):
>>> --snip--
>>> [bflint@hadoop-bflint-slave1 oozie]$ groups
>>> users
>>> --snip--
>>>
>>> Can someone please help me out?
>>>
>>> Thanks,
>>> Ben
>>>
>>> ---snip full stack trace----
>>>
>>> 2012-07-29 01:47:00,568 DEBUG AuthenticationFilter:347 - Request [http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] user [bflint] authenticated
>>> 2012-07-29 01:47:00,580 ERROR UserGroupInformation:1125 - PriviledgedActionException as:bflint via oozie cause:org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
>>> 2012-07-29 01:47:00,581 INFO BaseJobServlet:539 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] AuthorizationException
>>> org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
>>>     at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
>>>     at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
>>>     at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>>>     at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>     at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
>>>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
>>>     at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>>     at java.lang.Thread.run(Thread.java:662)
>>> Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
>>>     at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
>>>     ... 22 more
>>> Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
>>>     at org.apache.hadoop.ipc.Client.call(Client.java:1092)
>>>     at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
>>>     at $Proxy23.getProtocolVersion(Unknown Source)
>>>     at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
>>>     at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
>>>     at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
>>>     at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
>>>     at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
>>>     at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
>>>     at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
>>>     at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
>>>     at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at javax.security.auth.Subject.doAs(Subject.java:396)
>>>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
>>>     ... 23 more
>>> 2012-07-29 01:47:00,583 WARN V1JobsServlet:542 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] URL[POST http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] error[E0902], E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
>>> org.apache.oozie.servlet.XServletException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
>>>     at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:199)
>>>     at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>>>     at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>     at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
>>>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
>>>     at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>>     at java.lang.Thread.run(Thread.java:662)
>>> Caused by: org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
>>>     at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
>>>     at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
>>>     ... 21 more
>>> Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
>>>     at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
>>>     ... 22 more
>>> Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
>>>     at org.apache.hadoop.ipc.Client.call(Client.java:1092)
>>>     at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
>>>     at $Proxy23.getProtocolVersion(Unknown Source)
>>>     at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
>>>     at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
>>>     at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
>>>     at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
>>>     at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
>>>     at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
>>>     at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
>>>     at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
>>>     at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at javax.security.auth.Subject.doAs(Subject.java:396)
>>>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
>>>     at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
>>>     ... 23 more
>>
>> --
>> Alejandro
>
> --
> Harsh J
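The thread's root cause (the NameNode, not the Oozie host, resolves the proxied user's groups, so an account that exists only on the Oozie box has no groups there) can be illustrated with a small model of the proxyuser check. The following is an added example written for this page; it is not Hadoop's or Oozie's code and not anything posted in the thread. It parses the `hadoop.proxyuser.oozie.*` properties exactly as Ben posted them, then evaluates the same request against three constructed NameNode group databases: one without a `bflint` account (the failing state), one after adding `bflint` to `users` (Ben's fix), and one with the `*` wildcard Mohammad suggested as a test. The model is a simplification (assumption, not from the page): real Hadoop matches hosts by resolved address and takes groups from its configured group-mapping provider, but the decision structure, "requested user's NameNode-side groups intersect the allowed groups AND client host is allowed", is what the thread is about.

```python
"""Model of Hadoop's proxyuser (impersonation) authorization, added as an
illustration. The class and function names below are this example's own,
not Hadoop APIs. Host matching is simplified to exact hostname comparison."""
import xml.etree.ElementTree as ET

# core-site.xml fragment with the values posted in the thread (descriptions omitted).
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>users</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>hadoop-bflint-slave1.bflint.myhost.com</value>
  </property>
</configuration>"""


def load_proxyuser_config(xml_text):
    """Return {superuser: {"groups": set, "hosts": set}} from hadoop.proxyuser.* properties."""
    cfg = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        parts = name.split(".")
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"] and parts[3] in ("groups", "hosts"):
            entry = cfg.setdefault(parts[2], {"groups": set(), "hosts": set()})
            entry[parts[3]].update(v.strip() for v in value.split(",") if v.strip())
    return cfg


class NameNode:
    """The side that makes the decision. unix_groups is a constructed stand-in for the
    NameNode host's own user/group database (Unix shell user-group mapping)."""

    def __init__(self, proxyuser_cfg, unix_groups):
        self.cfg = proxyuser_cfg
        self.unix_groups = unix_groups  # user -> set of groups, as seen on the NameNode host

    def groups_of(self, user):
        # An account that does not exist on the NameNode host resolves to no groups at all.
        return self.unix_groups.get(user, set())

    def check_impersonation(self, superuser, proxied_user, client_host):
        entry = self.cfg.get(superuser)
        if entry is None:
            raise PermissionError(f"User: {superuser} is not allowed to impersonate {proxied_user}")
        group_ok = "*" in entry["groups"] or bool(entry["groups"] & self.groups_of(proxied_user))
        host_ok = "*" in entry["hosts"] or client_host in entry["hosts"]
        if not (group_ok and host_ok):
            raise PermissionError(f"User: {superuser} is not allowed to impersonate {proxied_user}")
        return True


def try_impersonation(namenode, superuser, proxied_user, client_host):
    """Return 'allowed' or the denial message, mirroring the RemoteException text."""
    try:
        namenode.check_impersonation(superuser, proxied_user, client_host)
        return "allowed"
    except PermissionError as exc:
        return str(exc)


def run_scenarios():
    cfg = load_proxyuser_config(CORE_SITE)
    oozie_host = "hadoop-bflint-slave1.bflint.myhost.com"
    # 1. The thread's failing state: bflint exists on the Oozie host only, not on the NameNode.
    before = NameNode(cfg, unix_groups={"oozie": {"oozie"}})
    # 2. Ben's fix: bflint added to group 'users' on the NameNode host.
    after = NameNode(cfg, unix_groups={"oozie": {"oozie"}, "bflint": {"users"}})
    # 3. Wildcard groups (constructed variant): hides the missing account, and lets the
    #    oozie superuser impersonate any name at all, which is why Ben avoided it.
    wildcard_cfg = {"oozie": {"groups": {"*"}, "hosts": {oozie_host}}}
    wild = NameNode(wildcard_cfg, unix_groups={"oozie": {"oozie"}})
    return {
        "missing_on_namenode": try_impersonation(before, "oozie", "bflint", oozie_host),
        "user_added": try_impersonation(after, "oozie", "bflint", oozie_host),
        "wrong_host": try_impersonation(after, "oozie", "bflint", "other-host.myhost.com"),
        "wildcard_masks_problem": try_impersonation(wild, "oozie", "bflint", oozie_host),
        "wildcard_any_user": try_impersonation(wild, "oozie", "someone-else", oozie_host),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The `wrong_host` case is the other half of the check that the thread does not exercise: even with the account fixed, a request arriving from a host outside `hadoop.proxyuser.oozie.hosts` is still refused, which is the reason for keeping both properties narrow rather than falling back to `*`.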
