https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24797#M4994 <P>Reset&nbsp;<SPAN>authorized_proxy_user_config to default (hue=*) still works.</SPAN></P> Wed, 18 Feb 2015 09:16:38 GMT MrBee 2015-02-18T09:16:38Z https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24792#M4991 <P>Using Cloudera Manager&nbsp;we&nbsp;want to enable Impala on YARN.</P><P>We did so by adding&nbsp;the service llama ApplicationMaster and changing the min cores/mem to 0 and enabling cgroups.</P><P>We restarted the whole cluster. (HDFS works, Hive on YARN works)</P><P>&nbsp;</P><P>Problem:</P><P>&nbsp;</P><PRE>(Shell build version: Impala Shell v2.1.0-cdh5 (e48c2b4) built on Tue Dec 16 19:00:35 PST 2014) [Not connected] &gt; connect data01; Error connecting: TTransportException, TSocket read 0 bytes Kerberos ticket found in the credentials cache, retrying the connection with a secure transport. Connected to data01:21000 Server version: impalad version 2.1.0-cdh5 RELEASE (build e48c2b48c53ea9601b8f47a39373aa83ff7ca6e2) [data01:21000] &gt; use mydb; Query: use mydb [data01:21000] &gt; select * from mytable limit 10; Query: select * from mytable limit 10 ERROR: com.cloudera.llama.util.LlamaException: AM_CANNOT_REGISTER - cannot register AM 'application_1424245272359_0001' for queue 'root.alexanderbij' : java.lang.reflect.UndeclaredThrowableException, com.cloudera.llama.util.LlamaException: AM_CANNOT_REGISTER - cannot register AM 'application_1424245272359_0001' for queue 'root.alexanderbij' : java.lang.reflect.UndeclaredThrowableException, at com.cloudera.llama.am.yarn.YarnRMConnector.register(YarnRMConnector.java:270), at com.cloudera.llama.am.cache.CacheRMConnector.register(CacheRMConnector.java:178), at com.cloudera.llama.am.impl.NormalizerRMConnector.register(NormalizerRMConnector.java:107), at com.cloudera.llama.am.impl.PhasingOutRMConnector.register(PhasingOutRMConnector.java:139), at com.cloudera.llama.am.impl.SingleQueueLlamaAM.start(SingleQueueLlamaAM.java:158), at com.cloudera.llama.am.impl.ThrottleLlamaAM.start(ThrottleLlamaAM.java:164), at com.cloudera.llama.am.impl.MultiQueueLlamaAM.getSingleQueueAMInfo(MultiQueueLlamaAM.java:169), at com.cloudera.llama.am.impl.MultiQueueLlamaAM.reserve(MultiQueueLlamaAM.java:286), at com.cloudera.llama.am.impl.GangAntiDeadlockLlamaAM.reserve(GangAntiDeadlockLlamaAM.java:205), at com.cloudera.llama.am.impl.ExpansionReservationsLlamaAM.reserve(ExpansionReservationsLlamaAM.java:131), at com.cloudera.llama.am.impl.APIContractLlamaAM.reserve(APIContractLlamaAM.java:144), at com.cloudera.llama.am.LlamaAMServiceImpl.Reserve(LlamaAMServiceImpl.java:132), at com.cloudera.llama.am.MetricLlamaAMService.Reserve(MetricLlamaAMService.java:140), at com.cloudera.llama.thrift.LlamaAMService$Processor$Reserve.getResult(LlamaAMService.java:512), at com.cloudera.llama.thrift.LlamaAMService$Processor$Reserve.getResult(LlamaAMService.java:497), at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39), at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39), at com.cloudera.llama.server.ClientPrincipalTProcessor.process(ClientPrincipalTProcessor.java:47), at com.cloudera.llama.server.AuthzTProcessor.process(AuthzTProcessor.java:89), at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:206), at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145), at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615), at java.lang.Thread.run(Thread.java:745), Caused by: java.lang.reflect.UndeclaredThrowableException, at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1655), at com.cloudera.llama.am.yarn.YarnRMConnector.register(YarnRMConnector.java:239), ... 22 more, Caused by: com.cloudera.llama.util.LlamaException: AM_TIMED_OUT_STARTING_STOPPING - AM 'application_1424245272359_0001' timed out ('30000' ms) in state 'FAILED' transitioning to '[ACCEPTED]' while 'starting', at com.cloudera.llama.am.yarn.YarnRMConnector._monitorAppState(YarnRMConnector.java:429), at com.cloudera.llama.am.yarn.YarnRMConnector._initYarnApp(YarnRMConnector.java:294), at com.cloudera.llama.am.yarn.YarnRMConnector.access$400(YarnRMConnector.java:83), at com.cloudera.llama.am.yarn.YarnRMConnector$4.run(YarnRMConnector.java:243), at com.cloudera.llama.am.yarn.YarnRMConnector$4.run(YarnRMConnector.java:240), at java.security.AccessController.doPrivileged(Native Method), at javax.security.auth.Subject.doAs(Subject.java:415), at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1642), ... 23 more [data01:21000] &gt;</PRE><P>&nbsp;Looking at log in Cloudera Manager (Diagnostics)</P><P>&nbsp;</P><PRE>PriviledgedActionException as:llama (auth:PROXY) via yarn/master01.mydomain.int@MYDOMAIN (auth:KERBEROS) cause:org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): <STRONG>User: yarn/master01.mydomain.int@MYDOMAIN is not allowed to impersonate llama</STRONG></PRE><P>In the configuration of YARN&nbsp;</P><P>Service-Wide &gt; Proxy:&nbsp;</P><P>all services including llama have a *.</P><P>&nbsp;</P><P>Looking at the YARN ResourceManager on master01 running process, inspecting the core-site.xml.</P><P>I can confirm&nbsp;that these values are applied.</P><P>&nbsp;</P><P>Do you have any clue where the problem might be?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 16 Sep 2022 09:21:52 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24792#M4991 MrBee 2022-09-16T09:21:52Z https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24793#M4992 You may be hitting YARN-2964 which is current limitation of getting<BR />delegation toke over llama.<BR />To prevent the error, you should implement the following configurations.<BR /><BR />Configuring YARN for Long-running Applications<BR /><A target="_blank" href="http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_yarn_long_jobs.html">http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_yarn_long_jobs.html</A><BR /><BR /><BR /> Wed, 18 Feb 2015 08:18:44 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24793#M4992 dice 2015-02-18T08:18:44Z https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24796#M4993 <P>Hi, thx for your quick response!</P><P>&nbsp;</P><P>This solution did indeed solve the problem.</P><P>&nbsp;</P><P>I was also tried to change the setting in&nbsp;the Clusters &gt; Impala</P><P><SPAN>authorized_proxy_user_config &nbsp;(default: &nbsp;hue=*)</SPAN></P><P><SPAN>I have&nbsp;changed this to hue=*;yarn=*.</SPAN></P><P>&nbsp;</P><P><SPAN>Let me&nbsp;reset this to default and test, without my modifications.</SPAN></P> Wed, 18 Feb 2015 09:13:07 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24796#M4993 MrBee 2015-02-18T09:13:07Z https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24797#M4994 <P>Reset&nbsp;<SPAN>authorized_proxy_user_config to default (hue=*) still works.</SPAN></P> Wed, 18 Feb 2015 09:16:38 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/CDH-5-3-Impala-Llama-Kerberos-yarn-is-not-allowed-to/m-p/24797#M4994 MrBee 2015-02-18T09:16:38Z