Support Questions
Find answers, ask questions, and share your expertise

Oozie Permissions Dnied on Trivial Job with CDH6

Oozie Permissions Dnied on Trivial Job with CDH6

Explorer

Recently installed cluster that is kerberised - I'm now attempting to execute a trivial job (i.e., a hive 'show tables;' .hql script) using the Hue scheduler and the job fails.

 

I am getting a warning about contacting the principal-

2019-05-05 14:22:09,222 WARN org.apache.oozie.action.hadoop.HadoopTokenHelper: SERVER[machine.fqdn] USER[user.name] GROUP[-] TOKEN[] APP[My Workflow] JOB[0000000-190505132655690-oozie-oozi-W] ACTION[0000000-190505132655690-oozie-oozi-W@hive-d3b0] An error happened while trying to get server principal. Getting it from service principal anyway.
java.lang.IllegalArgumentException: Does not contain a valid host:port authority: yarnRM

It's also a bit unclear to me who the job is running as -

2019-05-05 14:22:09,367 WARN org.apache.oozie.command.wf.ActionStartXCommand: SERVER[machine.fqdn] USER[user.name] GROUP[-] TOKEN[] APP[My Workflow] JOB[0000000-190505132655690-oozie-oozi-W] ACTION[0000000-190505132655690-oozie-oozi-W@hive-d3b0] Error starting action [hive-d3b0]. ErrorType [TRANSIENT], ErrorCode [JA009], Message [JA009: Permission denied: user=oozie, access=EXECUTE, inode="/user/hue/oozie/workspaces/hue-oozie-1557062494.07":user.name:hue:drwxrwx---

I'm expecting it to run as user.name since the cluster is secured, but it seems to show a permissions conflict with the Oozie user not having execute privileges.

 

I'm sure there's some simple config I've failed to enact, any advice appreciated.

 

 

NB: I've replaced my username with user.name in the log.

2 REPLIES 2

Re: Oozie Permissions Dnied on Trivial Job with CDH6

Rising Star

Hi @mmcd ,

 

You would need to provide either hcat or hive2 credentials within your hive or hive2 action (respectively), as now that your cluster is kerberized, the oozie hive or hive2 action needs to authenticate:

 

https://oozie.apache.org/docs/4.2.0/DG_ActionAuthentication.html

 

Since you mentioned the Hue scheduler, here is some more information about Hue, it's a little dated (2014) and specific to only hcat, but the idea is to check the appropriate credential in the advanced properties of the action:

 

http://gethue.com/hadoop-tutorial-oozie-workflow-credentials-with-a-hive-action-with-kerberos/



Robert Justice, Technical Resolution Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:

Terms of Service

Re: Oozie Permissions Dnied on Trivial Job with CDH6

Guru
Hi,

If you can share your workflow.xml and job.properties files, that can help us to see if your workflow is complete or not.

Cheers
Eric