
I configured Oozie to work with hadoop-2.6.0 and enabled Kerberos security.

I didn't get a ticket using the kinit command, but when I submit a job using the command below,

oozie job -oozie http://hostname:11000/oozie -config job.properties -run

it throws the following exception,

Error: E0501 : E0501: Could not perform authorization operation, User: oozie/hostname@EXAMPLE.COM is not allowed to impersonate Kumar

I know how to solve the above error, but my question is:

Kumar is my local account username. As I configured Kerberos, it should check my user ticket. But it didn't show me any error like "No credential found".

If I get a ticket using kinit for any other user, Oozie still shows the same exception with my local user account name.

Is there anything to configure? I don't understand the concept. I am following this to configure Oozie with Kerberos on a secured cluster.

Kumar
  • It might be the basic core-site.xml Oozie configuration issue; refer to http://stackoverflow.com/questions/16582126/getting-e0902-exception-occured-user-oozie-is-not-allowed-to-impersonate-ooz – K S Nidhin Jun 26 '15 at 18:50
  • @KSNidhin Please read my question. I am asking a question about Kerberos, not about the impersonation issue. Thanks. – Kumar Jun 27 '15 at 02:01

1 Answer

I just found the answer in Oozie Authentication

Once authentication is performed successfully the received authentication token is cached in the user home directory in the .oozie-auth-token file with owner-only permissions. Subsequent requests reuse the cached token while valid.

This is the reason the invalid user is used even after getting a ticket for any other user with the kinit command.

I just resolved it as below:

The use of the cache file can be disabled by invoking the oozie CLI with the -Doozie.auth.token.cache=false option.

Try this.

Suresh Ram
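The caching behaviour described in the answer above can be checked before a job is submitted. The script below is an added example, not part of the original answer or of Oozie itself. It assumes the cache file holds a hadoop-auth style token string of the form `u=<user>&p=<principal>&t=<type>&e=<expiry ms>&s=<signature>`; the function names and the sample principals are hypothetical.

```shell
#!/bin/sh
# Audit the Oozie CLI token cache against the Kerberos principal you expect to act as.
# ASSUMPTION: the file holds  u=<user>&p=<principal>&t=<type>&e=<expiry-ms>&s=<sig>

# token_field FILE NAME: print one field (u, p, t or e) of the cached token.
token_field() {
  tr -d '"\n' < "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# audit_token_cache FILE EXPECTED_PRINCIPAL NOW_MS
# Prints one verdict: absent | loose-perms | expired | stale-identity | ok
audit_token_cache() {
  _file=$1; _want=$2; _now=$3
  [ -f "$_file" ] || { echo absent; return 0; }
  # GNU stat first, BSD stat as fallback; owner-only means group/other bits are 0.
  _mode=$(stat -c %a "$_file" 2>/dev/null || stat -f %Lp "$_file")
  case $_mode in *00) ;; *) echo loose-perms; return 0 ;; esac
  _exp=$(token_field "$_file" e)
  # A missing or non-numeric expiry is treated as already expired.
  case $_exp in ''|*[!0-9]*) _exp=0 ;; esac
  if [ "$_exp" -le "$_now" ]; then
    echo expired
  elif [ "$(token_field "$_file" p)" != "$_want" ]; then
    echo stale-identity   # the cache, not the current ticket, decides the user
  else
    echo ok
  fi
}

# Constructed sample: a cache left by "kumar" while the active ticket is alice's.
demo() {
  _d=$(mktemp -d); _f="$_d/.oozie-auth-token"
  printf '%s' '"u=kumar&p=kumar@EXAMPLE.COM&t=kerberos&e=2000&s=CONSTRUCTED"' > "$_f"
  chmod 600 "$_f"
  audit_token_cache "$_f" "alice@EXAMPLE.COM" 1000
  rm -rf "$_d"
}
demo   # prints: stale-identity

# Real use (MIT klist output format):
#   audit_token_cache "$HOME/.oozie-auth-token" \
#     "$(klist | sed -n 's/^Default principal: //p')" "$(( $(date +%s) * 1000 ))"
```

A `stale-identity` or `expired` verdict means the cached file should be deleted, or the cache disabled as described in the answer, before the CLI is run again.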