I'm trying to monitor the job status of a running Oozie job. However, running the following code from a general purpose user ("hue", which is also starting these jobs through runAs):
curl --negotiate -u : http://FQDN:8088/proxy/application_1609929757167_0004/ws/v1/mapreduce/jobs/job_1609929757167_0004/tasks
I'm getting an error, which does not really say anything useful:
On the other hand, I'm able to see the correct response through a yarn user, suggesting some issues with the ACL's.
My question: what ACL's and where should I give to the general purpose user so that it could see all the information of the running task? I've added the user to ``yarn.admin.acl``, as well as mapreduce.job.acl-modify-job, mapreduce.job.acl-view-job, mapreduce.jobhistory.admin.acl, but none of these help.
What am I missing?
It's been a long time since you posted, wondering if still facing this problem? Or perhaps you already found the solution to share with us? 🙂
It doesn't look like ACL related; you can submit jobs or administer the queues with ACL.
Is the cluster kerberzied by any chance?
Thanks for the response. The cluster is Kerberized.
I think we got around these errors (partly) by trial and error, so it's hard to pinpoint the exact configuration causing the issues. These probably involved permissions in Ranger, but can't tell exactly since there's no config versioning there.
I say _partly_ since we still haven't figured out Oozie Bundles (jobs through bundles still don't show logs properly on HUE), but workflows and coordinators seem to be working as expected.