Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Oozie Permissions Dnied on Trivial Job with CDH6

mmcd
Explorer

Created on ‎05-05-2019 06:53 AM - edited ‎09-16-2022 07:22 AM

Recently installed cluster that is kerberised - I'm now attempting to execute a trivial job (i.e., a hive 'show tables;' .hql script) using the Hue scheduler and the job fails.

 

I am getting a warning about contacting the principal-

2019-05-05 14:22:09,222 WARN org.apache.oozie.action.hadoop.HadoopTokenHelper: SERVER[machine.fqdn] USER[user.name] GROUP[-] TOKEN[] APP[My Workflow] JOB[0000000-190505132655690-oozie-oozi-W] ACTION[0000000-190505132655690-oozie-oozi-W@hive-d3b0] An error happened while trying to get server principal. Getting it from service principal anyway.
java.lang.IllegalArgumentException: Does not contain a valid host:port authority: yarnRM

It's also a bit unclear to me who the job is running as -

2019-05-05 14:22:09,367 WARN org.apache.oozie.command.wf.ActionStartXCommand: SERVER[machine.fqdn] USER[user.name] GROUP[-] TOKEN[] APP[My Workflow] JOB[0000000-190505132655690-oozie-oozi-W] ACTION[0000000-190505132655690-oozie-oozi-W@hive-d3b0] Error starting action [hive-d3b0]. ErrorType [TRANSIENT], ErrorCode [JA009], Message [JA009: Permission denied: user=oozie, access=EXECUTE, inode="/user/hue/oozie/workspaces/hue-oozie-1557062494.07":user.name:hue:drwxrwx---

I'm expecting it to run as user.name since the cluster is secured, but it seems to show a permissions conflict with the Oozie user not having execute privileges.

 

I'm sure there's some simple config I've failed to enact, any advice appreciated.

 

 

NB: I've replaced my username with user.name in the log.

2,243 Views
0 Kudos
2 REPLIES 2

Robert Justice
Rising Star

Created ‎05-06-2019 09:52 AM

Hi @mmcd ,

 

You would need to provide either hcat or hive2 credentials within your hive or hive2 action (respectively), as now that your cluster is kerberized, the oozie hive or hive2 action needs to authenticate:

 

https://oozie.apache.org/docs/4.2.0/DG_ActionAuthentication.html

 

Since you mentioned the Hue scheduler, here is some more information about Hue, it's a little dated (2014) and specific to only hcat, but the idea is to check the appropriate credential in the advanced properties of the action:

 

http://gethue.com/hadoop-tutorial-oozie-workflow-credentials-with-a-hive-action-with-kerberos/



Robert Justice, Technical Resolution Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:

Terms of Service

2,223 Views
0 Kudos

EricL
Guru

Created ‎05-25-2019 06:38 PM

Hi,

If you can share your workflow.xml and job.properties files, that can help us to see if your workflow is complete or not.

Cheers
Eric
2,180 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
What's New @ Cloudera
Cloudera DataFlow Designer for self-service data flow development is now generally available to all CDP Public Cloud customers
What's New @ Cloudera
Cloudera Operational Database (COD) UI provides the JWT configuration details to connect to your HBase client
What's New @ Cloudera
Cloudera Operational Database (COD) UI allows storage type selection when creating an operational database
What's New @ Cloudera
Release of Cloudera Streaming Analytics (CSA) 1.9.0 for CDP 7.1.7 SP2 & CDP 7.1.8
What's New @ Cloudera
Open Sourcing Cloudera’s ML Runtimes - why it matters to customers?
View More Announcements