Cannot kill or suspend oozie coordinator job

3
votes

I submitted oozie coordinator job under user "runner" when I try either kill or suspend I am getting following error message:

    [runner@hadooptools ~]$ oozie job -oozie http://localhost:11000/oozie -kill 0000005-140722025226945-oozie-oozi-C
Error: E0509 : E0509: User [?] not authorized for Coord job [0000005-140722025226945-oozie-oozi-C]

From the logs on oozie server I see following message:

2014-07-25 03:10:07,324  INFO oozieaudit:539 - USER [runner], GROUP [null], APP [cron-coord], JOBID [0000005-140722025226945-oozie-oozi-C], OPERATION [start], PARAMETER [null], STATUS [SUCCESS], HTTPCODE [200], ERRORCODE [null], ERRORMESSAG
E [null]

Time to time even user under I issue the command is not logged correctly.

I am using CentOS 6.3 and Oozie Oozie client build version: 4.0.0.2.0.6.0-101, Oozie server build version: 4.0.0.2.0.6.0-101

I am not even able to stop it under the user oozie who runs the server. Under the user who submitted job I am not able to do suspend, kill, etc. I am able to just perform submit run which passes the flow or info.

Any hints/tricks or do I missconfigured something obvious?

UPDATE: Security settings for the instance I am using.

    <property>
    <name>oozie.authentication.type</name>
    <value>simple</value>
  </property>
    <property>
        <name>oozie.authentication.simple.anonymous.allowed</name>
        <value>true</value>
    </property>

My conf/adminusers.txt contains:

# Admin Users, one user by line
runner

Hadoop core-site.xml

    <property>
    <name>hadoop.security.authentication</name>
    <value>simple</value>
  </property>
    <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>users</value>
  </property>

Where runner is a member of users group. According to Oozie documentation: Oozie has a basic authorization model:

  • Users have read access to all jobs
  • Users have write access to their own jobs
  • Users have write access to jobs based on an Access Control List (list of users and groups)
  • Users have read access to admin operations Admin
  • Users have write access to all jobs Admin users have write access to admin operations

Did I overlooked something in configuration? Do I need to specify/configure something like this:

Pseudo/simple authentication requires the user to specify the user name on the request, this is done by the PseudoAuthenticator class by injecting the user.name parameter in the query string of all requests. The user.name parameter value is taken from the client process Java System property user.name .
2
oozieoozie-coordinator
Are the oozie job files under /user/runner/... in hdfs? - Ramanan
yes, oozie.coord.application.path=${nameNode}/user/${user.name}/${examplesRoot}/apps/cron from job properties where user.name is set to runner - jaksky

2 Answers

1
votes

Old question, but eh, I got the same problem. Seems related to https://issues.apache.org/jira/browse/OOZIE-800

Just rm ~/.oozie-auth-token before issuing the oozie command solved it for me.

0
votes

Temporarily resolved by disable security model. Following setting disabled security model and then all worked as expected.

<property>
    <name>oozie.service.AuthorizationService.security.enabled</name>
    <value>false</value>
    <description>
        Specifies whether security (user name/admin role) is enabled or not.
        If disabled any user can manage Oozie system and manage any job.
    </description>
</property>

Will look deeper how to correctly solve this but as a temporary solution or for development this works fine.