Explorer
Posts: 24
Registered: ‎07-30-2014

Unable to Ssh remote machines through Oozie ssh action

Whenever I submit an Oozie ssh action, it fails with the error Authentication failure. I see that the SSH action is trying to make a connection to the destination host as the oozie user even though I submitted the job as a different user. I have key-based login set up from the Oozie server to the destination host for the job-submitting user but not for the oozie user. How can I overcome this error? Thanks for the help.

Cloudera Employee
Posts: 277
Registered: ‎01-09-2014

Re: Unable to Ssh remote machines through Oozie ssh action

If you are running in a non-Kerberized cluster, ssh actions are executed as the oozie user, because that is the user that the oozie process is running as.  You need to add the oozie user's public key to the destination user's authorized_keys file to be able to run the ssh command correctly.  If you want the destination user to be a user other than oozie, you need to specify user@host in the <host> property: https://oozie.apache.org/docs/3.2.0-incubating/DG_SshActionExtension.html

Explorer
Posts: 24
Registered: ‎07-30-2014

Re: Unable to Ssh remote machines through Oozie ssh action

Thanks for the help. Is there a way that I can avoid this in a non-Kerberos cluster and make an ssh connection as the user who submitted the job?

Posts: 1,903
Kudos: 435
Solutions: 307
Registered: ‎07-31-2013

Re: Unable to Ssh remote machines through Oozie ssh action

Oozie server will run the SSH, so it will always be using oozie user to run the ssh as. But the targeted user at the remote will still be as per your config of user@remote.

This should not be causing any problems, as it is also the natural behaviour of SSH on your own machines outside of Oozie. You just need to allow 'oozie' user on Oozie server host to SSH as 'user' on 'remote', without a passphrase.

New Contributor
Posts: 1
Registered: ‎03-05-2017

Re: Unable to Ssh remote machines through Oozie ssh action

I am facing a similar issue.

<workflow-app xmlns="uri:oozie:workflow:0.2" name="ssh-wf">
    <start to="ssh"/>

    <action name="ssh">
        <ssh xmlns="uri:oozie:ssh-action:0.1">
            <host>localhost</host>
            <command>date</command>
        </ssh>
        <ok to="end"/>
        <error to="fail"/>
    </action>

    <kill name="fail">
        <message>SSH action failed, error message[${wf:errorMessage(wf:lastErrorNode())}]</message>
    </kill>

    <end name="end"/>
</workflow-app>

and received the following error:

AUTH_FAILED: Not able to perform operation [ssh -o PasswordAuthentication=no -o KbdInteractiveDevices=no -o StrictHostKeyChecking=no -o ConnectTimeout=20 cloudera@localhost  mkdir -p oozie-oozi/0000011-170304124323783-oozie-oozi-W/ssh--ssh/ ] | ErrorStream: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Later, when I tried replacing host in workflow.xml as:

 <host>cloudera@localhost</host>

I still get a similar error on ssh.

I have enabled passwordless login for the cloudera user.

Moreover, I cannot generate a public key for oozie since it has no home directory or login.

Please suggest.

New Contributor
Posts: 1
Registered: ‎08-25-2017

Re: Unable to Ssh remote machines through Oozie ssh action

My problem was that I didn't know how to "add the oozie users public key to the destination users", as I didn't know the oozie user password.

Finally I solved the problem on my CentOS 7.3 oozie server by allowing the root user to switch to oozie without a password, as explained in

https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password

  1. As root, edit /etc/pam.d/su, adding the lines

    auth       [success=ignore default=1] pam_succeed_if.so user = oozie

    auth       sufficient   pam_succeed_if.so use_uid user = oozie

  2. Open a new session as oozie

    sudo -u oozie -s

  3. Follow the general steps to generate ssh keys and copy them to the destination user and server

    ssh-keygen
    ssh-copy-id user@server
    ssh user@server ls (just first run to verify it)
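
An added example, not code from any poster in this thread or from Oozie: shell helpers for the key setup the replies describe, covering a source-restricted authorized_keys entry for the passphrase-less oozie key and a check for the file permissions that make sshd answer "Permission denied (publickey,...)". The function names are hypothetical, `stat -c` assumes GNU coreutils, and the key in any test input is constructed.

```shell
# Added example: helper functions only; nothing runs until you call them.

# Print an authorized_keys entry for the key in PUBKEY_FILE that is accepted
# only from FROM_HOST (the Oozie server as the destination sshd sees it) and
# cannot be used for agent, port or X11 forwarding.
restricted_key_line() {
    pubkey_file=$1 from_host=$2 key_type=
    # A public key file is one line: "<type> <base64> [comment]".
    read -r key_type key_b64 key_comment < "$pubkey_file" || [ -n "$key_type" ] || return 1
    case $key_type in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s%s\n' \
        "$from_host" "$key_type" "$key_b64" "${key_comment:+ $key_comment}"
}

# List paths under the destination user's HOME_DIR that are missing or are
# group- or world-writable. With StrictModes (the sshd default) such paths make
# sshd ignore authorized_keys. Only write bits are checked here, not ownership.
# Returns non-zero if anything was reported.
strictmodes_problems() {
    home_dir=$1 rc=0
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; rc=1; continue; }
        mode=$(stat -c %a "$p")          # octal mode, e.g. 700
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "too permissive ($mode): $p"; rc=1
        fi
    done
    return $rc
}

# Attempt a non-interactive login as the local oozie account, the way the ssh
# action does. TARGET is user@host exactly as written in <host>.
# BatchMode=yes makes ssh fail instead of prompting.
probe_as_oozie() {
    sudo -u oozie ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o ConnectTimeout=20 "$1" true
}
```

Appending the output of `restricted_key_line` to the destination user's `~/.ssh/authorized_keys` takes the place of `ssh-copy-id` when the source restriction is wanted.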