Reply
Contributor
Posts: 25
Registered: ‎10-11-2013

Oozie is using oozie user from hue to login in hbase.

[ Edited ]

Hi everyone,

 

Here is my problem:

 

Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=oozie/XXXXXXX, scope=default, params=[namespace=default,table=default:XX_XX.,family=v],action=CREATE)

 

And here is my workflow.xml:

 

<workflow-app name="HBASE_TEST" xmlns="uri:oozie:workflow:0.5">
<global>
<job-xml>${hbase_site}</job-xml>
</global>
<credentials>
<credential name="hbase" type="hbase">
</credential>
</credentials>
<start to="java-2e83"/>
<kill name="Kill">
<message>Action failed, error message[${wf:errorMessage(wf:lastErrorNode())}]</message>
</kill>
<action name="java-2e83" cred="hbase">
<java>
<job-tracker>${jobTracker}</job-tracker>
<name-node>${nameNode}</name-node>
<main-class>test.beginTest</main-class>
<arg>${hdfs_home}</arg>
<arg>${zookeeper}</arg>
<file>${hbase_site}#${hbase_site}</file>
</java>
<ok to="End"/>
<error to="Kill"/>
</action>
<end name="End"/>
</workflow-app>
 

Curent user in hue is not oozie. And this user can explore Hbase using hbase app. Also it can select any information from Hbase using hive. (current user has all privileges in Hbase). 

 

So, how can I make oozie to use current user to access HBase from java application?

 

P.S. Hue - 3.7.0, HBase - 1.0.0 and CDH is 5.4.7.

 

Regards,

Andrey

 

Explorer
Posts: 10
Registered: ‎10-21-2015

Re: Oozie is using oozie user from hue to login in hbase.

Hi Andrey,

  Did you add hbase-site.xml in the job path ? I just tried on a 5.4 nightly cluster and it worked fine.

Contributor
Posts: 25
Registered: ‎10-11-2013

Re: Oozie is using oozie user from hue to login in hbase.

Hi Sai-krish,

 

Of course.

 

<global>
<job-xml>${hbase_site}</job-xml>
</global>

 

Are your hbase using ACL?

 

Regards,

Andrey

 

 

Explorer
Posts: 10
Registered: ‎10-21-2015

Re: Oozie is using oozie user from hue to login in hbase.

I'm not familiar with HBASE but I don't see 

<property>
        <name>hbase.coprocessor.master.classes</name>
        <value>org.apache.hadoop.hbase.security.access.AccessController</value>
      </property>

 in hbase-site.xml

Cloudera Employee
Posts: 85
Registered: ‎07-31-2013

Re: Oozie is using oozie user from hue to login in hbase.

I don't believe that Oozie does impersonation for hbase credentials at this time. I will get the community manager to move this thread to the Oozie category as they might be able to confirm.
Posts: 1,567
Kudos: 289
Solutions: 240
Registered: ‎07-31-2013

Re: Oozie is using oozie user from hue to login in hbase.

Oozie does fetch tokens on the user's behalf (when asked for credentials): https://github.com/cloudera/oozie/blob/cdh5.4.8-release/core/src/main/java/org/apache/oozie/action/h...

Are you getting the error in the Oozie server (when it attempts to obtain the token) or in your Java action log (when your code tries to use the token)?

Could you also share your Java action code snippet that loads the config and uses it for the API work?
Backline Customer Operations Engineer
Highlighted
Posts: 1,567
Kudos: 289
Solutions: 240
Registered: ‎07-31-2013

Re: Oozie is using oozie user from hue to login in hbase.

I was able to reproduce this, and have logged a bug upstream:
https://issues.apache.org/jira/browse/OOZIE-2419
Backline Customer Operations Engineer
Announcements