Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here. Want to know more about what has changed? Check out the Community News blog.

Oozie is using oozie user from hue to login in hbase.

Oozie is using oozie user from hue to login in hbase.

Contributor

Hi everyone,

 

Here is my problem:

 

Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=oozie/XXXXXXX, scope=default, params=[namespace=default,table=default:XX_XX.,family=v],action=CREATE)

 

And here is my workflow.xml:

 

<workflow-app name="HBASE_TEST" xmlns="uri:oozie:workflow:0.5">
<global>
<job-xml>${hbase_site}</job-xml>
</global>
<credentials>
<credential name="hbase" type="hbase">
</credential>
</credentials>
<start to="java-2e83"/>
<kill name="Kill">
<message>Action failed, error message[${wf:errorMessage(wf:lastErrorNode())}]</message>
</kill>
<action name="java-2e83" cred="hbase">
<java>
<job-tracker>${jobTracker}</job-tracker>
<name-node>${nameNode}</name-node>
<main-class>test.beginTest</main-class>
<arg>${hdfs_home}</arg>
<arg>${zookeeper}</arg>
<file>${hbase_site}#${hbase_site}</file>
</java>
<ok to="End"/>
<error to="Kill"/>
</action>
<end name="End"/>
</workflow-app>
 

Curent user in hue is not oozie. And this user can explore Hbase using hbase app. Also it can select any information from Hbase using hive. (current user has all privileges in Hbase). 

 

So, how can I make oozie to use current user to access HBase from java application?

 

P.S. Hue - 3.7.0, HBase - 1.0.0 and CDH is 5.4.7.

 

Regards,

Andrey

 

6 REPLIES 6

Re: Oozie is using oozie user from hue to login in hbase.

Explorer

Hi Andrey,

  Did you add hbase-site.xml in the job path ? I just tried on a 5.4 nightly cluster and it worked fine.

Highlighted

Re: Oozie is using oozie user from hue to login in hbase.

Contributor

Hi Sai-krish,

 

Of course.

 

<global>
<job-xml>${hbase_site}</job-xml>
</global>

 

Are your hbase using ACL?

 

Regards,

Andrey

 

 

Re: Oozie is using oozie user from hue to login in hbase.

Explorer

I'm not familiar with HBASE but I don't see 

<property>
        <name>hbase.coprocessor.master.classes</name>
        <value>org.apache.hadoop.hbase.security.access.AccessController</value>
      </property>

 in hbase-site.xml

Re: Oozie is using oozie user from hue to login in hbase.

Expert Contributor
I don't believe that Oozie does impersonation for hbase credentials at this time. I will get the community manager to move this thread to the Oozie category as they might be able to confirm.

Re: Oozie is using oozie user from hue to login in hbase.

Master Guru
Oozie does fetch tokens on the user's behalf (when asked for credentials): https://github.com/cloudera/oozie/blob/cdh5.4.8-release/core/src/main/java/org/apache/oozie/action/h...

Are you getting the error in the Oozie server (when it attempts to obtain the token) or in your Java action log (when your code tries to use the token)?

Could you also share your Java action code snippet that loads the config and uses it for the API work?

Re: Oozie is using oozie user from hue to login in hbase.

Master Guru
I was able to reproduce this, and have logged a bug upstream:
https://issues.apache.org/jira/browse/OOZIE-2419