Recently installed cluster that is kerberised - I'm now attempting to execute a trivial job (i.e., a hive 'show tables;' .hql script) using the Hue scheduler and the job fails.
I am getting a warning about contacting the principal-
2019-05-05 14:22:09,222 WARN org.apache.oozie.action.hadoop.HadoopTokenHelper: SERVER[machine.fqdn] USER[user.name] GROUP[-] TOKEN APP[My Workflow] JOB[0000000-190505132655690-oozie-oozi-W] ACTION[0000000-190505132655690-oozie-oozi-W@hive-d3b0] An error happened while trying to get server principal. Getting it from service principal anyway. java.lang.IllegalArgumentException: Does not contain a valid host:port authority: yarnRM
It's also a bit unclear to me who the job is running as -
2019-05-05 14:22:09,367 WARN org.apache.oozie.command.wf.ActionStartXCommand: SERVER[machine.fqdn] USER[user.name] GROUP[-] TOKEN APP[My Workflow] JOB[0000000-190505132655690-oozie-oozi-W] ACTION[0000000-190505132655690-oozie-oozi-W@hive-d3b0] Error starting action [hive-d3b0]. ErrorType [TRANSIENT], ErrorCode [JA009], Message [JA009: Permission denied: user=oozie, access=EXECUTE, inode="/user/hue/oozie/workspaces/hue-oozie-1557062494.07":user.name:hue:drwxrwx---
I'm expecting it to run as user.name since the cluster is secured, but it seems to show a permissions conflict with the Oozie user not having execute privileges.
I'm sure there's some simple config I've failed to enact, any advice appreciated.
NB: I've replaced my username with user.name in the log.
Hi @mmcd ,
You would need to provide either hcat or hive2 credentials within your hive or hive2 action (respectively), as now that your cluster is kerberized, the oozie hive or hive2 action needs to authenticate:
Since you mentioned the Hue scheduler, here is some more information about Hue, it's a little dated (2014) and specific to only hcat, but the idea is to check the appropriate credential in the advanced properties of the action:
Robert Justice, Technical Resolution Manager