Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Files created after running oozie shell action are owned by yarn user

avatar
author-rank sshimpi
Super Guru

Created ‎06-03-2016 01:18 PM

Hi,

I am running simple shell action using HUE(logged in as hdfs user in hue) -

$ cat test.sh
echo "hello" > /tmp/test

The workflow is getting executed successfully. When i check the files permission and ownership -

$ ls -al /tmp/test
-rw-r--r-- 1 yarn hadoop 6 2016-05-25 14:43 /tmp/test

The above output shows the file created via shell action has ownership as yarn.

How can I make oozie shell action to get the ownership to be same as the user who is running the "shell action/workflow"(in this case "hdfs")

So i am expecting output as shown below -

-rw-r--r-- 1 hdfs hadoop 6 2016-05-25 14:43 /tmp/test
3,568 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank quadoss author-rank
Expert Contributor

Created ‎06-07-2016 04:22 PM

@Sagar Shimpi

By default the shell actions are not allowed to run as another user as sudo is blocked. If you want a yarn application to run as someone other than yarn (i.e. the submitter), then you need to enable the linux container executor so that the containers are started up by the submitting user. Also note the below setting information which also needs to be changed as well to achieve this.

With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false (default), it runs as yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (default is 'nobody')

With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=true, it runs as the user submitting the workflow.

Stating that there are issues around this also where it does not work as expected because of the issues https://issues.apache.org/jira/browse/YARN-2424

https://issues.apache.org/jira/browse/YARN-3462

The current suggestion that I can make is to add line to change the ownership of the file which was created using shell.

View solution in original post

2,559 Views
8 REPLIES 8

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎06-03-2016 01:20 PM

@Sagar Shimpi

You may need to enable proxyuser.

User ProxyUser Configuration

Oozie supports impersonation or proxyuser functionality (identical to Hadoop proxyuser capabilities and conceptually similar to Unix 'sudo').

Proxyuser enables other systems that are Oozie clients to submit jobs on behalf of other users.

Because proxyuser is a powerful capability, Oozie provides the following restriction capabilities (similar to Hadoop):

  • Proxyuser is an explicit configuration on per proxyuser user basis.
  • A proxyuser user can be restricted to impersonate other users from a set of hosts.
  • A proxyser user can be restricted to impersonate users belonging to a set of groups.

There are 2 configuration properties needed to set up a proxyuser:

  • oozie.service.ProxyUserService.proxyuser.#USER#.hosts: hosts from where the user #USER# can impersonate other users.
  • oozie.service.ProxyUserService.proxyuser.#USER#.groups: groups the users being impersonated by user #USER# must belong to.

Both properties support the '*' wildcard as value. Although this is recommended only for testing/development.

2,559 Views

avatar
author-rank sshimpi
Super Guru

Created ‎06-03-2016 02:04 PM

@Sunile Manjee

I tried to set the property in oozie-site.xml with #user# as hdfs but still didnt worked.

2,559 Views
0 Kudos

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎06-03-2016 03:14 PM

I assume restarted oozie?

2,559 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎06-06-2016 08:47 AM

Yes. I did oozie restart after doing the modifications.

2,559 Views
0 Kudos

avatar
author-rank ibhatt
Rising Star

Created ‎06-03-2016 03:58 PM

this is a known limitation in non-secure clusters, whereby the containers are running as YARN user and not running as logged user. try setting this

<env-var>HADOOP_USER_NAME=${wf:user()}</env-var>

2,559 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎06-06-2016 08:47 AM

@ibhatt

I already tried this but this didnt worked for me.

2,559 Views
0 Kudos

avatar
author-rank quadoss author-rank
Expert Contributor

Created ‎06-07-2016 04:22 PM

@Sagar Shimpi

By default the shell actions are not allowed to run as another user as sudo is blocked. If you want a yarn application to run as someone other than yarn (i.e. the submitter), then you need to enable the linux container executor so that the containers are started up by the submitting user. Also note the below setting information which also needs to be changed as well to achieve this.

With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false (default), it runs as yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (default is 'nobody')

With yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=true, it runs as the user submitting the workflow.

Stating that there are issues around this also where it does not work as expected because of the issues https://issues.apache.org/jira/browse/YARN-2424

https://issues.apache.org/jira/browse/YARN-3462

The current suggestion that I can make is to add line to change the ownership of the file which was created using shell.

2,560 Views

avatar
author-rank sshimpi
Super Guru

Created ‎06-07-2016 04:37 PM

Thanks for the info.

2,559 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements