https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119231#M82009 <P>Hi,</P><P>I am running simple shell action using HUE(logged in as hdfs user in hue) -</P><PRE>$ cat test.sh echo "hello" &gt; /tmp/test </PRE><P>The workflow is getting executed successfully. When i check the files permission and ownership -</P><PRE>$ ls -al /tmp/test -rw-r--r-- 1 yarn hadoop 6 2016-05-25 14:43 /tmp/test </PRE><P>The above output shows the file created via shell action has ownership as yarn.</P><P>How can I make oozie shell action to get the ownership to be same as the user who is running the "shell action/workflow"(in this case "hdfs")</P><P>So i am expecting output as shown below -</P><PRE>-rw-r--r-- 1 hdfs hadoop 6 2016-05-25 14:43 /tmp/test</PRE> Fri, 03 Jun 2016 20:18:11 GMT sshimpi 2016-06-03T20:18:11Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119231#M82009 <P>Hi,</P><P>I am running simple shell action using HUE(logged in as hdfs user in hue) -</P><PRE>$ cat test.sh echo "hello" &gt; /tmp/test </PRE><P>The workflow is getting executed successfully. When i check the files permission and ownership -</P><PRE>$ ls -al /tmp/test -rw-r--r-- 1 yarn hadoop 6 2016-05-25 14:43 /tmp/test </PRE><P>The above output shows the file created via shell action has ownership as yarn.</P><P>How can I make oozie shell action to get the ownership to be same as the user who is running the "shell action/workflow"(in this case "hdfs")</P><P>So i am expecting output as shown below -</P><PRE>-rw-r--r-- 1 hdfs hadoop 6 2016-05-25 14:43 /tmp/test</PRE> Fri, 03 Jun 2016 20:18:11 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119231#M82009 sshimpi 2016-06-03T20:18:11Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119232#M82010 <H4> <A rel="user" href="https://community.cloudera.com/users/2648/sshimpi.html" nodeid="2648">@Sagar Shimpi</A></H4><P>You may need to enable proxyuser. </P><H4>User ProxyUser Configuration</H4><P>Oozie supports impersonation or proxyuser functionality (identical to Hadoop proxyuser capabilities and conceptually similar to Unix 'sudo').</P><P>Proxyuser enables other systems that are Oozie clients to submit jobs on behalf of other users.</P><P>Because proxyuser is a powerful capability, Oozie provides the following restriction capabilities (similar to Hadoop):</P><UL> <LI>Proxyuser is an explicit configuration on per proxyuser user basis.</LI><LI>A proxyuser user can be restricted to impersonate other users from a set of hosts.</LI><LI>A proxyser user can be restricted to impersonate users belonging to a set of groups.</LI></UL><P>There are 2 configuration properties needed to set up a proxyuser:</P><UL> <LI>oozie.service.ProxyUserService.proxyuser.#USER#.hosts: hosts from where the user #USER# can impersonate other users.</LI><LI>oozie.service.ProxyUserService.proxyuser.#USER#.groups: groups the users being impersonated by user #USER# must belong to.</LI></UL><P>Both properties support the '*' wildcard as value. Although this is recommended only for testing/development.</P> Fri, 03 Jun 2016 20:20:41 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119232#M82010 sunile_manjee 2016-06-03T20:20:41Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119233#M82011 <P><A rel="user" href="https://community.cloudera.com/users/1486/smanjee.html" nodeid="1486">@Sunile Manjee</A> </P><P>I tried to set the property in oozie-site.xml with #user# as hdfs but still didnt worked.</P> Fri, 03 Jun 2016 21:04:52 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119233#M82011 sshimpi 2016-06-03T21:04:52Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119234#M82012 <P>I assume restarted oozie?</P> Fri, 03 Jun 2016 22:14:22 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119234#M82012 sunile_manjee 2016-06-03T22:14:22Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119235#M82013 <P>this is a known limitation in non-secure clusters, whereby the containers are running as YARN user and not running as logged user. try setting this</P><P>&lt;env-var&gt;HADOOP_USER_NAME=${wf:user()}&lt;/env-var&gt;</P> Fri, 03 Jun 2016 22:58:23 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119235#M82013 ibhatt 2016-06-03T22:58:23Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119236#M82014 <P>Yes. I did oozie restart after doing the modifications.</P> Mon, 06 Jun 2016 15:47:02 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119236#M82014 sshimpi 2016-06-06T15:47:02Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119237#M82015 <P><A rel="user" href="https://community.cloudera.com/users/3601/ibhatt.html" nodeid="3601">@ibhatt</A> </P><P>I already tried this but this didnt worked for me.</P> Mon, 06 Jun 2016 15:47:59 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119237#M82015 sshimpi 2016-06-06T15:47:59Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119238#M82016 <A rel="user" href="https://community.cloudera.com/users/2648/sshimpi.html" nodeid="2648">@Sagar Shimpi</A><P>By default the shell actions are not allowed to run as another user as sudo is blocked. If you want a yarn application to run as someone other than yarn (i.e. the submitter), then you need to enable the linux container executor so that the containers are started up by the submitting user. Also note the below setting information which also needs to be changed as well to achieve this. </P><P>With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false (default), it runs as yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (default is 'nobody') </P><P>With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=true, it runs as the user submitting the workflow.</P><P> Stating that there are issues around this also where it does not work as expected because of the issues <A href="https://issues.apache.org/jira/browse/YARN-2424" target="_blank">https://issues.apache.org/jira/browse/YARN-2424</A> </P><P><A href="https://issues.apache.org/jira/browse/YARN-3462" target="_blank">https://issues.apache.org/jira/browse/YARN-3462</A></P><P> The current suggestion that I can make is to add line to change the ownership of the file which was created using shell.</P> Tue, 07 Jun 2016 23:22:17 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119238#M82016 quadoss 2016-06-07T23:22:17Z https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119239#M82017 <P>Thanks for the info.</P> Tue, 07 Jun 2016 23:37:09 GMT https://community.cloudera.com/t5/Support-Questions/Files-created-after-running-oozie-shell-action-are-owned-by/m-p/119239#M82017 sshimpi 2016-06-07T23:37:09Z