Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to run Oozie workfllow or action as another user?

avatar
Expert Contributor

Hello,

Using Hue and Oozie, how can I run a specific workflow or action within a workflow as another user?

 

I have tried the following:

 

  1. Workflow Properties > Oozie parameters > user.name - this has no effect
  2. Workflow Properties > Hadoop job properties > user.name - this fails with an error
  3. Action > Job properties > user.name - this fails with an error

The error message for 2 and 3 is as follows:

 

ErrorType [FAILED], ErrorCode [JA010], Message [JA010: Property [user.name] not allowed in action [inline configuration] configuration]
org.apache.oozie.action.ActionExecutorException: JA010: Property [user.name] not allowed in action [inline configuration] configuration
	at org.apache.oozie.action.hadoop.JavaActionExecutor.checkForDisallowedProps(JavaActionExecutor.java:198)
	at org.apache.oozie.action.hadoop.JavaActionExecutor.parseJobXmlAndConfiguration(JavaActionExecutor.java:451)
	at org.apache.oozie.action.hadoop.JavaActionExecutor.setupActionConf(JavaActionExecutor.java:468)
	at org.apache.oozie.action.hadoop.ShellActionExecutor.setupActionConf(ShellActionExecutor.java:55)
	at org.apache.oozie.action.hadoop.JavaActionExecutor.submitLauncher(JavaActionExecutor.java:893)
	at org.apache.oozie.action.hadoop.JavaActionExecutor.start(JavaActionExecutor.java:1145)
	at org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:228)
	at org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63)
	at org.apache.oozie.command.XCommand.call(XCommand.java:281)
	at org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:323)
	at org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:252)
	at org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:174)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)

Any suggestions?

 

Thanks,

Martin

 

11 REPLIES 11

avatar
Explorer

Hi Martin,

 

I believe Hue runs Oozie workflows as the user you are logged into Hue as.  The easiest way to run a workflow as a different user is to log into Hue as a different user.  Per the Oozie documentation, there are actions where you are not allowed to override the user/group:

 

https://oozie.apache.org/docs/3.2.0-incubating/WorkflowFunctionalSpec.html#a6_User_Propagation

 

avatar
Expert Contributor

Thanks for the response, unfortunatelly I am none the wiser 😐

 

Specifically I would want to run a shell action as another user. What we observe is that shell actions are not run as the user who logged in to Hue, rather they run under user "yarn".

 

Is there any way to get shell actions to run as another user?

 

Thanks,

Martin

avatar
Explorer
Shell actions are not allowed to run as another user as sudo is blocked. If you want a yarn application to run as someone other than yarn (i.e. the submitter), then you'd want to run in a secured environment so that the containers are started up by the submitting user. See Shell Action Caveats here:

http://blog.cloudera.com/blog/2013/03/how-to-use-oozie-shell-and-java-actions/

Hope this helps

avatar
Rising Star

That blog post is a little outdated at this point.  It all depends on your Yarn configuration:

- DefaultContainerExecutor: 'yarn'

- LinuxContainerExectutor:

    - With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false (default), it runs as yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (default is 'nobody') 

    - With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=true, it runs as the user submitting the workflow

 

 

I'd encourage you to use any of the other actions (e.g. Java action) if possible; they will all run as the user who submitted the workflow.

Software Engineer | Cloudera, Inc. | http://cloudera.com

avatar
Expert Contributor

The workaround seems to refer to https://issues.apache.org/jira/browse/YARN-2424 - although it seems to suggest "false" instead of "true", and anyone requires Hadoop 2.6.0.

(Is there a more understandable explanation for application developers that just want to put together simple Oozie workflows?)

 

I have the same issue on CDH 5.2.0, and this workaround does not work for me.

 

Cheers,

Miles

 

avatar

I was just wondering if you were able to find solution of the above problem and want to share it.

 

Thanks,

Manu

avatar
Mentor
Manu - There are two distinct questions on this post; One is "Does Hue
allow you to run a WF as another user (than the one you are logged in as)?"
to which the answer is no (you will need to login as the user you want to
run as). The other question is why the $USER in Shell Actions on insecure
or non-DRF enabled clusters appear always as "yarn" despite your user
running the job, to which the answer is to enable the LCE in non-secure
mode (or enable security in general), because the default container
executor (DCE) runs all containers as the "yarn" user.

If your question is distinct from the above two, I'd suggest raising a new
topic.

avatar
New Contributor

Is there a way to run the shell workflow action as the current user rather than yarn?

avatar

try to set environment varialble for shell action:

 

HADOOP_USER_NAME=${wf:user()} OR UsernameYouWant

 

Manu