New Contributor
Posts: 1
Registered: ‎08-21-2013

oozie issue with ssh action performing on the edge node of the cluster which is not "kerberized"


Hi,

 

I'm trying to schedule an Oozie job through the SSH action on the edge node, as I have bash scripts for each of the phases in the process flow. Here, I'm facing a lot of issues, like it's not at all allowing the job to start. I have read in different blogs that we have to set up password-less SSH so that we can eliminate this type of issue, but it's not safe to do because the cluster will become vulnerable!!

Moreover, this type of passwordless SSH setup can be done on dev clusters, but when it comes to production (which is kerberized) it may give the same errors; there we may not be able to generate passwordless SSH.

Is there any other method to resolve this type of issue? Or please suggest what can be done to trigger a job at the edge node if the files are in HDFS.

Below I have placed one of the error log messages.

Error log:

2013-08-08 06:03:51,627 INFO org.apache.oozie.command.wf.ActionStartXCommand: USER[root] GROUP[-] TOKEN[] APP[******-wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@:start:] Start action [0000044-130719141217337-oozie-oozi-W@:start:] with user-retry state : userRetryCount [0], userRetryMax [0], userRetryInterval [10]

2013-08-08 06:03:51,627 WARN org.apache.oozie.command.wf.ActionStartXCommand: USER[root] GROUP[-] TOKEN[] APP[******wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@:start:] [***0000044-130719141217337-oozie-oozi-W@:start:***]Action status=DONE

2013-08-08 06:03:51,627 WARN org.apache.oozie.command.wf.ActionStartXCommand: USER[root] GROUP[-] TOKEN[] APP[******-wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@:start:] [***0000044-130719141217337-oozie-oozi-W@:start:***]Action updated in DB!

2013-08-08 06:03:51,718 INFO org.apache.oozie.command.wf.ActionStartXCommand: USER[root] GROUP[-] TOKEN[] APP[*****-wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@sshtest] Start action [0000044-130719141217337-oozie-oozi-W@sshtest] with user-retry state : userRetryCount [0], userRetryMax [0], userRetryInterval [10]

2013-08-08 06:03:51,718 INFO org.apache.oozie.action.ssh.SshActionExecutor: USER[root] GROUP[-] TOKEN[] APP[*****-wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@sshtest] start() begins

2013-08-08 06:03:51,721 INFO org.apache.oozie.action.ssh.SshActionExecutor: USER[root] GROUP[-] TOKEN[] AP{P******-wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@sshtest] Attempting to copy ssh base scripts to remote host [root@*********]

2013-08-08 06:03:51,801 WARN org.apache.oozie.action.ssh.SshActionExecutor: USER[root] GROUP[-] TOKEN[] APP[*******-wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@sshtest] Error while executing ssh EXECUTION

2013-08-08 06:03:51,801 WARN org.apache.oozie.command.wf.ActionStartXCommand: USER[root] GROUP[-] TOKEN[] APP[****-wf] JOB[0000044-130719141217337-oozie-oozi-W] ACTION[0000044-130719141217337-oozie-oozi-W@sshtest] Error starting action [sshtest]. ErrorType [NON_TRANSIENT], ErrorCode [AUTH_FAILED], Message [AUTH_FAILED: Not able to perform operation [ssh -o PasswordAuthentication=no -o KbdInteractiveDevices=no -o StrictHostKeyChecking=no -o ConnectTimeout=20 root@****  mkdir -p oozie-oozi/0000044-130719141217337-oozie-oozi-W/sshtest--ssh/ ]

 

 

Thanks for suggestions.

 

Posts: 1,896
Kudos: 433
Solutions: 303
Registered: ‎07-31-2013

Re: oozie issue with ssh action performing on the edge node of the cluster which is not "kerber


@krish001 wrote:

 

I have read in different blogs that we have to set up password-less SSH so that we can eliminate this type of issue, but it's not safe to do because the cluster will become vulnerable!!

Moreover, this type of passwordless SSH setup can be done on dev clusters, but when it comes to production (which is kerberized) it may give the same errors; there we may not be able to generate passwordless SSH.


Why would it become vulnerable? Surely we want you to allow passphraseless SSH only for the Oozie service/host to be able to access it, and not others. The SSH action is attempted directly from the Oozie Server AFAICT, not via a launcher job task.

 

Likewise with Kerberos. If the keytab you need is kept secured with proper read permissions (400, for example), then there should be no issue in using it to do a login as the required user, as the SSH itself would be trusted.
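
What the reply above describes, as an added example that is not part of the thread and not Oozie's own code: an authorized_keys entry that accepts the key only from the Oozie server, an owner-only permission check for the private key and the keytab, and a probe that repeats the ssh options shown in the posted log. The function names, host names and file paths are assumptions; `from=` and the `no-*` options are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example: function names, hosts and paths are assumptions, not from the thread.

# Build an authorized_keys line that accepts the key only from the Oozie
# server and disables forwarding and PTY allocation for it.
restricted_entry() {  # $1 = Oozie server host/IP, $2 = public key line
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# Return 0 only if the file exists and group/other have no access at all
# (modes such as 400 or 600); meant for the private key and the keytab.
owner_only() {  # $1 = path
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Audit a list of secret files; print each finding and return the number
# of files that failed the check.
audit_secrets() {
    fails=0
    for f in "$@"; do
        if owner_only "$f"; then
            echo "OK    $f"
        else
            echo "FAIL  $f (missing, or accessible by group/other)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Repeat the connection from the posted Oozie log with the same options, so
# the cause of AUTH_FAILED is visible on a terminal. Run it on the Oozie
# server as the OS user the Oozie service runs as.
oozie_ssh_probe() {  # $1 = user@edge-node
    ssh -o PasswordAuthentication=no -o KbdInteractiveDevices=no \
        -o StrictHostKeyChecking=no -o ConnectTimeout=20 "$1" true
}
```

On the edge node, the output of `restricted_entry` goes into the target user's `~/.ssh/authorized_keys`; on the Oozie server, `audit_secrets` is run against the service user's private key and keytab.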

Explorer
Posts: 8
Registered: ‎06-09-2015

Re: oozie issue with ssh action performing on the edge node of the cluster which is not "kerber

I have a similar question because I am getting the same error.

I have a .pem file with the key to the edge node but I am not sure how I can get the Oozie job to recognize this?

The cluster I am working from is CDH 5.4 and not kerberized.

I tried simply placing the pem file in the workspace for the job and also /user/oozie in hdfs but that didn’t do it.

Can I just add a line to the XML document to reference the specific pem file?

 
