Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Please see the Cloudera blog for information on the Cloudera Response to CVE-2021-4428

How to authorized another user to run a workflow in Oozie

Contributor

Hi

I am having problem understand what to change to make another user run a workflow.

User A submit a workflow in Oozie. A is able to run and it work fine.

Now user B want to run the same workflow. But is not authorized.

oozie-error-message: E0508: User [XXXX] not authorized for WF job [0000012-161010094223089-oozie-oozi-W]

What we want is a developer to create a workflow and what this workflow can be access through the Oozie API by a external service.

Question

1) Where is this authorized being controlled in Oozie?

2) How can auth being change for other users/service account to run workflows?

Error:

HTTP/1.1 401 Unauthorized

Server: Apache-Coyote/1.1

WWW-Authenticate: Negotiate

Set-Cookie: hadoop.auth=; Path=/; HttpOnly

Content-Type: text/html;charset=utf-8

Content-Length: 997

Date: Wed, 26 Oct 2016 13:03:51 GMT

HTTP/1.1 401 Unauthorized

Server: Apache-Coyote/1.1

WWW-Authenticate: Negotiate YGYGCSqGSIb3EgECAgIAb1cwVaADAgEFoQMCAQ+iSTBHoAMCAReiQAQ+Ar4Y2B5Cx+YJTHB3R7olNUPQNMZTqZfdTAoO0RRLuA20m9LgfB3LpyRaGwuPRF3tio3FREDxUJ7TQoZPdm8=

Set-Cookie: hadoop.auth="u=XXXX&p=XXXX@XX.XX&t=kerberos&e=1477523031321&s=OKOKcrY3HZXdjhNQKpEr4FXiLSQ="; Path=/; HttpOnly

oozie-error-code: E0508

oozie-error-message: E0508: User [XXXX] not authorized for WF job [0000012-161010094223089-oozie-oozi-W]

Content-Type: text/html;charset=utf-8

Content-Length: 951

Date: Wed, 26 Oct 2016 13:03:51 GMT

5 REPLIES 5

Mentor

@Anders Boje

Have a look at this document it should give you ideas

Solution

Contributor

@Geoffrey Shelton Okot this don't change anything.

Is it possible to create a workflow and add other users on creation.

Mentor

@Anders Boje

You will need to install a free version of LDAP like freeIPA link and configure service accounts to whom you attach the LDAP groups to execute the Oozie jobs just like adding role to a user.

See link

Contributor

The link don't exist.

In HUE you enable another user "reader" access and then everything works. I just want to know how I can do something similar in Hortonworks' Oozie.

Mentor

Sorry here it is FreeIPA