Posted to user@oozie.apache.org by Ben Flint <be...@gmail.com> on 2012/08/03 01:01:10 UTC

Oozie impersonation security exception

All,
I know I'm about the zillionth person to have issues with Oozie impersonation.  I have reviewed all the documentation and mailing list archives, and I think I have done everything necessary/suggested to get it to work (short of using wide-open wildcards for the proxyuser config values.  I'm actually trying to enforce security).

I am still having issues.  I'm getting the notorious exception when I try to run the example (full stack trace is at the end of this email):

Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint

I have the following configuration in both my name node and job tracker core-site.xml file:

--snip--
<property>
  <name>hadoop.proxyuser.oozie.groups</name>
  <value>users</value>
  <description>
     Proxy group for Hadoop.
  </description>
</property>

<property>
  <name>hadoop.proxyuser.oozie.hosts</name>
  <value>hadoop-bflint-slave1.bflint.myhost.com</value>
  <description>
     Proxy host for Hadoop.
  </description>
</property>
--snip--

I have restarted the cluster.

Here is proof that my user is in the 'users' group on the oozie client host (which is the same as the oozie server host):
--snip--
[bflint@hadoop-bflint-slave1 oozie]$ groups
users
--snip--

Can someone please help me out?

Thanks,
Ben

---snip full stack trace----

2012-07-29 01:47:00,568 DEBUG AuthenticationFilter:347 - Request [http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] user [bflint] authenticated
2012-07-29 01:47:00,580 ERROR UserGroupInformation:1125 - PriviledgedActionException as:bflint via oozie cause:org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
2012-07-29 01:47:00,581  INFO BaseJobServlet:539 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] AuthorizationException
org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
        at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
        at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
        at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
        at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
        at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
        at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
        ... 22 more
Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
        at org.apache.hadoop.ipc.Client.call(Client.java:1092)
        at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
        at $Proxy23.getProtocolVersion(Unknown Source)
        at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
        at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
        at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
        at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
        at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
        at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
        at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
        at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
        at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
        at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
        at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
        at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
        ... 23 more
2012-07-29 01:47:00,583  WARN V1JobsServlet:542 - USER[bflint] GROUP[users] TOKEN[-] APP[-] JOB[-] ACTION[-] URL[POST http://hadoop-bflint-slave1.bflint.myhost.com:11000/oozie/v1/jobs?action=start] error[E0902], E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
org.apache.oozie.servlet.XServletException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
        at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:199)
        at org.apache.oozie.servlet.BaseJobsServlet.doPost(BaseJobsServlet.java:92)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at org.apache.oozie.servlet.JsonRestServlet.service(JsonRestServlet.java:284)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
        at org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.oozie.service.AuthorizationException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
        at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
        at org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
        ... 21 more
Caused by: org.apache.oozie.service.HadoopAccessorException: E0902: Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint]
        at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
        at org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
        ... 22 more
Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not allowed to impersonate bflint
        at org.apache.hadoop.ipc.Client.call(Client.java:1092)
        at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
        at $Proxy23.getProtocolVersion(Unknown Source)
        at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
        at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
        at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
        at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
        at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
        at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
        at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
        at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
        at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
        at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
        at org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
        at org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
        ... 23 more

Re: Oozie impersonation security exception

Posted by Ben Flint <be...@gmail.com>.
Harsh,
Thank you.  That was my problem.  The user bflint was not actually a user on the NameNode.  It was only a user on the Oozie client, Oozie server, and JobTracker hosts (which all happen to be the same machine).  Once I added 'bflint' as a user with the group 'users' to the NameNode, the job worked great, even without having to resort to using a wildcard in the proxyuser config properties.

And thank you for the blog post.  It was super helpful, and I'm not sure how I had missed it before.  
Thanks everyone for the quick response.
-Ben

On Aug 2, 2012, at 8:43 PM, Harsh J wrote:

> By default (Unix Shell User-Group-Mapping), the groups are resolved at the
> NameNode. So unless the NameNode can detect that "bflint" belongs to
> "users", the auth won't be allowed.
> 
> This is further detailed at
> http://www.cloudera.com/blog/2012/03/authorization-and-authentication-in-hadoop/
> 
> On Fri, Aug 3, 2012 at 8:49 AM, Alejandro Abdelnur <tu...@cloudera.com> wrote:
> 
>> Adding to Mohammad's question, what version of Hadoop are you using? And
>> what Unix user is running the oozie server? Also, the user bflint exists in
>> the oozie server box? and does it belong there to the group 'users'?
>> 
>> Thx
>> 
>> On Thu, Aug 2, 2012 at 6:28 PM, Mohammad Islam <mi...@yahoo.com> wrote:
>> 
>>> Hi Ben,
>>> Sorry for the inconvenience.
>>> What version of Oozie are you using? In apache, this feature is supported
>>> from 3.2.
>>> 
>>> If you try with value wild card (*), does it work? (I know you want to
>> use
>>> for security).
>>> 
>>> Regards,
>>> Mohammad
>> 
>> 
>> 
>> --
>> Alejandro
>> 
> 
> 
> 
> -- 
> Harsh J
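
The check discussed in this thread, as an added example that is not part of the original messages and is not Hadoop's own code: a simplified Python model of the proxyuser decision in which group membership is looked up in the NameNode's view, not the Oozie host's. The group tables, function names and the parenthetical reasons are constructed for illustration, and hosts are compared as plain strings.

```python
import xml.etree.ElementTree as ET

# The two properties from the thread, wrapped in <configuration> so they parse.
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>users</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>hadoop-bflint-slave1.bflint.myhost.com</value>
  </property>
</configuration>"""

OOZIE_HOST = "hadoop-bflint-slave1.bflint.myhost.com"

# Constructed group tables: what each machine would answer for a user.
OOZIE_HOST_GROUPS = {"bflint": ["users"]}       # where `groups` was run
NAMENODE_GROUPS_BEFORE = {}                     # bflint unknown on the NameNode
NAMENODE_GROUPS_AFTER = {"bflint": ["users"]}   # after the account was added


def load_props(xml_text):
    """Read <property> name/value pairs from a core-site.xml style document."""
    root = ET.fromstring(xml_text)
    return {
        (p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
        for p in root.iter("property")
    }


def csv_set(value):
    """Split a comma-separated config value into a set of trimmed items."""
    return {item.strip() for item in value.split(",") if item.strip()}


def check_impersonation(props, real_user, effective_user, client_host, group_view):
    """Model of the proxyuser decision made by the daemon receiving the call.

    group_view is the user -> groups table of that daemon (the NameNode),
    not of the host that submitted the request.
    """
    denied = f"User: {real_user} is not allowed to impersonate {effective_user}"
    hosts = props.get(f"hadoop.proxyuser.{real_user}.hosts")
    groups = props.get(f"hadoop.proxyuser.{real_user}.groups")
    if not hosts or not groups:
        return False, denied + " (no proxyuser entries)"
    if hosts != "*" and client_host not in csv_set(hosts):
        return False, denied + " (host not listed)"
    if groups != "*":
        resolved = set(group_view.get(effective_user, []))
        if not resolved & csv_set(groups):
            return False, denied + f" (groups seen by this daemon: {sorted(resolved)})"
    return True, "allowed"


def wildcard_entries(props):
    """Audit helper: proxyuser keys whose value is the wide-open '*'."""
    return sorted(
        key for key, value in props.items()
        if key.startswith("hadoop.proxyuser.") and value == "*"
    )


if __name__ == "__main__":
    props = load_props(CORE_SITE)
    for label, view in [
        ("NameNode before fix", NAMENODE_GROUPS_BEFORE),
        ("NameNode after fix", NAMENODE_GROUPS_AFTER),
    ]:
        print(label, check_impersonation(props, "oozie", "bflint", OOZIE_HOST, view))
    print("wildcards:", wildcard_entries(props))
```
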


Re: Oozie impersonation security exception

Posted by Harsh J <ha...@cloudera.com>.
By default (Unix Shell User-Group-Mapping), the groups are resolved at the
NameNode. So unless the NameNode can detect that "bflint" belongs to
"users", the auth won't be allowed.

This is further detailed at
http://www.cloudera.com/blog/2012/03/authorization-and-authentication-in-hadoop/

On Fri, Aug 3, 2012 at 8:49 AM, Alejandro Abdelnur <tu...@cloudera.com> wrote:

> Adding to Mohammad's question, what version of Hadoop are you using? And
> what Unix user is running the oozie server? Also, the user bflint exists in
> the oozie server box? and does it belong there to the group 'users'?
>
> Thx
>
> On Thu, Aug 2, 2012 at 6:28 PM, Mohammad Islam <mi...@yahoo.com> wrote:
>
> > Hi Ben,
> > Sorry for the inconvenience.
> > What version of Oozie are you using? In apache, this feature is supported
> > from 3.2.
> >
> > If you try with value wild card (*), does it work? (I know you want to
> use
> > for security).
> >
> > Regards,
> > Mohammad
> >         at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> >         at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >         at
> > org.apache.oozie.servlet.AuthFilter$2.doFilter(AuthFilter.java:126)
> >         at
> >
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:372)
> >         at
> > org.apache.oozie.servlet.AuthFilter.doFilter(AuthFilter.java:131)
> >         at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> >         at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >         at
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> >         at
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> >         at
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >         at
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> >         at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> >         at
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> >         at
> >
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
> >         at
> >
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> >         at
> > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> >         at java.lang.Thread.run(Thread.java:662)
> > Caused by: org.apache.oozie.service.AuthorizationException: E0902:
> > Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is
> > not allowed to impersonate bflint]
> >         at
> >
> org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:323)
> >         at
> >
> org.apache.oozie.servlet.BaseJobServlet.checkAuthorizationForApp(BaseJobServlet.java:188)
> >         ... 21 more
> > Caused by: org.apache.oozie.service.HadoopAccessorException: E0902:
> > Exception occured: [org.apache.hadoop.ipc.RemoteException: User: oozie is
> > not allowed to impersonate bflint]
> >         at
> >
> org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:211)
> >         at
> >
> org.apache.oozie.service.AuthorizationService.authorizeForApp(AuthorizationService.java:288)
> >         ... 22 more
> > Caused by: org.apache.hadoop.ipc.RemoteException: User: oozie is not
> > allowed to impersonate bflint
> >         at org.apache.hadoop.ipc.Client.call(Client.java:1092)
> >         at org.apache.hadoop.ipc.RPC$Invoker.invoke(RPC.java:229)
> >         at $Proxy23.getProtocolVersion(Unknown Source)
> >         at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:411)
> >         at
> > org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:120)
> >         at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:321)
> >         at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:286)
> >         at
> >
> org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:100)
> >         at
> > org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
> >         at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:66)
> >         at
> org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1404)
> >         at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:254)
> >         at
> >
> org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:203)
> >         at
> >
> org.apache.oozie.service.KerberosHadoopAccessorService$3.run(KerberosHadoopAccessorService.java:195)
> >         at java.security.AccessController.doPrivileged(Native Method)
> >         at javax.security.auth.Subject.doAs(Subject.java:396)
> >         at
> >
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1122)
> >         at
> >
> org.apache.oozie.service.KerberosHadoopAccessorService.createFileSystem(KerberosHadoopAccessorService.java:195)
> >         ... 23 more
> >
>
>
>
> --
> Alejandro
>



-- 
Harsh J

Re: Oozie impersonation security exception

Posted by Alejandro Abdelnur <tu...@cloudera.com>.
Adding to Mohammad's question, what version of Hadoop are you using? And
what Unix user is running the oozie server? Also, does the user bflint exist on
the oozie server box? And does it belong there to the group 'users'?

Thx

On Thu, Aug 2, 2012 at 6:28 PM, Mohammad Islam <mi...@yahoo.com> wrote:

> Hi Ben,
> Sorry for the inconvenience.
> What version of Oozie are you using? In Apache, this feature is supported
> from 3.2.
>
> If you try with value wild card (*), does it work? (I know you want to use
> for security).
>
> Regards,
> Mohammad
>
>
>



-- 
Alejandro
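
The questions in this reply (which Unix user runs the Oozie server, whether bflint resolves to the group 'users') and the wildcard question it quotes are all inputs to the proxyuser check. As an added example, not part of the original thread and not Hadoop's or Oozie's own code, this Python example parses the two properties from the original post and evaluates a simplified model of the groups/hosts check. The function names, the sample group lists, and the literal host-string comparison are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two properties from the original post, wrapped in a
# <configuration> root so the text parses like a core-site.xml file.
CORE_SITE = """<configuration>
<property>
  <name>hadoop.proxyuser.oozie.groups</name>
  <value>users</value>
</property>
<property>
  <name>hadoop.proxyuser.oozie.hosts</name>
  <value>hadoop-bflint-slave1.bflint.myhost.com</value>
</property>
</configuration>"""

HOST = "hadoop-bflint-slave1.bflint.myhost.com"


def load_proxyuser_rules(xml_text):
    """Return {superuser: {"groups": set, "hosts": set}} from core-site.xml text."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        parts = name.split(".")
        # Key shape: hadoop.proxyuser.<superuser>.<groups|hosts>
        if (len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"]
                and parts[3] in ("groups", "hosts")):
            entries = {v.strip() for v in value.split(",") if v.strip()}
            rule = rules.setdefault(parts[2], {"groups": set(), "hosts": set()})
            rule[parts[3]] = entries
    return rules


def check_impersonation(rules, superuser, target_groups, client_host):
    """Simplified model (assumption of this example): the request passes when
    the target user has at least one allowed group AND the caller's host is
    allowed. Returns a list of refusal reasons; an empty list means allowed.
    target_groups must be the groups as resolved where the check runs, which
    can differ from what `groups` prints on another machine."""
    rule = rules.get(superuser)
    if rule is None:
        return ["no hadoop.proxyuser.%s.* properties configured" % superuser]
    problems = []
    if "*" not in rule["groups"] and not (rule["groups"] & set(target_groups)):
        problems.append("groups: target user is in none of %s"
                        % sorted(rule["groups"]))
    # Hosts are compared as literal strings here for simplicity.
    if "*" not in rule["hosts"] and client_host not in rule["hosts"]:
        problems.append("hosts: %s is not in %s"
                        % (client_host, sorted(rule["hosts"])))
    return problems


def wildcard_findings(rules):
    """List property names whose value is the wide-open '*' wildcard."""
    return sorted("hadoop.proxyuser.%s.%s" % (user, kind)
                  for user, rule in rules.items()
                  for kind in ("groups", "hosts") if "*" in rule[kind])


if __name__ == "__main__":
    rules = load_proxyuser_rules(CORE_SITE)
    cases = [
        # (description, superuser, groups resolved for bflint, caller host)
        ("bflint resolves to 'users'", "oozie", ["users"], HOST),
        ("bflint unknown where the check runs", "oozie", [], HOST),
        ("server runs as another Unix user", "tomcat", ["users"], HOST),
    ]
    for label, superuser, groups, host in cases:
        result = check_impersonation(rules, superuser, groups, host)
        print("%-40s -> %s" % (label, result or "allowed"))
    print("wildcards:", wildcard_findings(rules) or "none")
```

The `tomcat` account in the third case is a hypothetical stand-in for "some Unix user other than oozie".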

Re: Oozie impersonation security exception

Posted by Mohammad Islam <mi...@yahoo.com>.
Hi Ben,
Sorry for the inconvenience.
What version of Oozie are you using? In Apache, this feature is supported from 3.2.

If you try with value wild card (*), does it work? (I know you want to use for security).

Regards,
Mohammad


