Support Questions
Find answers, ask questions, and share your expertise

Oozie Shell Script with Kerberos


I am trying to get a shell script in ozzie to run (runs a pig script in a loop), but am running into some issues. When I run the script I get the following error:

ERROR org.apache.pig.backend.hadoop.executionengine.tez.TezJob - Cannot submit DAG
java.lang.RuntimeException: org.apache.hadoop.ipc.RemoteException( Delegation Token can be issued only with kerberos or web authentication

With some searching I found this thread ( which @smanjee had this advice which was very helpful:

Shell Action

  • This options requires client to be installed on all nodes
  • Store Keytabs on HDFS
    • Secure via Ranger/ACL/Chmod
  • Use file tab to identify hdfs keytab location
    • When oozie shell action runs it will download to local yarn directory
    • K-init inside shell script

So I need to put a keytab onto HDFS and include it in the oozie job and kinit on start up of my script. My questions really come down to what user should you use? The above advice seems to indicate the HDFS user, but would a service account be a better choice? If a service account what permission are required for Oozie?