2

I am kinda new with oozie. I installed (with the cdh repo )oozie on my server (I followed the CDH4 documentation [my hadoop is running in cdh4]).

I have update my core-site.xml with the following information:

<!-- OOZIE -->
<property>
  <name>hadoop.proxyuser.oozie.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.oozie.groups</name>
  <value>*</value>
</property>
<!-- -->

But when I start a job:

sudo -u oozie oozie job -oozie http://localhost:11000/oozie -config examples/apps/sqoopList/job.properties -run

I get:

job: 0000004-130530171203897-oozie-oozi-W

But when I look in the oozie webconsole, I can see my job but my job has the status "START_RETRY" with the following error

JA009: User: oozie is not allowed to impersonate oozie

and I dont have any logs..... I really dont know what is wrong..

I cant understand why I cannot start a job? Can you help me with this?

AnthonyC
  • 277
  • 7
  • 16
  • Did you restart the hadoop core services for the change in core-site.xml to take place? Also, see here: http://stackoverflow.com/questions/16582126/getting-e0902-exception-occured-user-oozie-is-not-allowed-to-impersonate-ooz – SNeumann May 30 '13 at 10:22
  • Hey Anthony I am getting the same problem. Did you ever find a solution? – Matthew Moisen Jan 10 '14 at 21:37
  • same problem here, would love feedback on this. – jayunit100 Feb 16 '14 at 16:56

3 Answers3

1

You can try following:

  1. If Oozie server and Hadoop daemons are on different machines and if you are using oozie user for running commands: You must create oozie user and oozie group on hadoop machine. If you have a Hadoop cluster with NameNode running on a seperate machine, create these in NameNode machine. Adding oozie group can be redundant if * wildcard is used (I did not test against this); but you should assign a group to oozie user. This way HDFS can collect user's group information.

This is my configuration:

<property>
<name>hadoop.proxyuser.oozie.groups</name>
<value>oozie</value>
</property>

2. After adding oozie user and group, restart the hadoop daemons. When hadoop is back again, it will have group mappings of oozie user.

The logic behind these actions is stated in HDFS permissions guide:

Once a username has been determined as described above, the list of groups is determined by a group mapping service, configured by the hadoop.security.group.mapping property. The default implementation, org.apache.hadoop.security.ShellBasedUnixGroupsMapping, will shell out to the Unix bash -c groups command to resolve a list of groups for a user.

For HDFS, the mapping of users to groups is performed on the NameNode. Thus, the host system configuration of the NameNode determines the group mappings for the users.

Following 2 links can give a summary on HDFS permissions. https://hadoop.apache.org/docs/r2.2.0/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html http://blog.cloudera.com/blog/2012/03/authorization-and-authentication-in-hadoop/

isaolmez
  • 1,015
  • 11
  • 14
0

I had come across the same problem while using Apache Oozie.

Add the following in oozie-site.xml

<property>
 <name>oozie.services.ext</name>
 <value>org.apache.oozie.service.HadoopAccessorService</value >
 <description>
  To add/replace services defined in 'oozie.services' with custom implementations.Class names must be separated   by commas.
 </description>
</property>

Then restart oozie. This should work with Cloudera distribution also.Just give it a try and do let me know.

-1

set below properties in HDFS config using ambari or CLI
Key=hadoop.proxyuser.hostname.hosts
value= *

key=hadoop.proxyuser.hostname.groups
value=*

If you are getting "user hue not defined as proxyuser" in Hue then follow below steps:

Step 1: In Ambari UI click on oozie
Step 2: Click on "configs" to enter config parameters
Step 3: Go to Custom oozie-site and add below 2 properties

key=oozie.service.ProxyUserService.proxyuser.hue.groups value= *

key=oozie.service.ProxyUserService.proxyuser.hue.hosts value=*

The Learner
  • 1
  • 4