Impersonation related error after configuring impersonation in MapR and Hadoop ecosystem

Document created by sreedhar Employee on Feb 1, 2016Last modified by sreedhar Employee on Feb 1, 2016
Version 3Show Document
  • View in full screen mode

Author: Sreedhar Alagonda

 

Original Publication Date: October 26, 2015

 

After configuring impersonation in MapR and the desired ecosystem components per the procedure documented by MapR an impersonation error similar to the one below may be seen. This error can occur when a process running as the 'mapr' user attempts to impersonate another user, for example in Hue, Hiveserver2 or Oozie.

JA009: User: mapr is not allowed to impersonate mapr

The following error is seen when impersonation is not properly configured on the Jobtracker/ResourceManager.

JA009: User: mapr is not allowed to impersonate mapr  

Caused by: org.apache.hadoop.ipc.RemoteException: User: mapr is not allowed to impersonate mapr
     at org.apache.hadoop.ipc.Client.call(Client.java:1142)

The most common cause of this exception is the process user, 'mapr' above is not properly configured on the JobTracker or ResourceManager nodes for impersonation.  The user must be configured to permit impersonation in the corresponding service configuration file. 

 

To setup impersonation for the desired process user that will perform impersonation use the following procedure.

 

Note:  In the following steps the user 'mapr' is impersonation user. Please replace the impersonation user with the respective user that will be running the corresponding process like Oozie, Hue, Hiveserver2 in your environment. In this example those processes are running under the 'mapr' user so 'mapr' is responsible for impersonating actions on behalf of other users.

 

On all Jobtracker nodes edit /opt/mapr/hadoop/hadoop-0.20.2/conf/core-site.xml and add the two properties below:

 

<configuration> 
     <property>
               <name>hadoop.proxyuser.mapr.groups</name>
               <value>*</value>
     </property>
     <property>
               <name>hadoop.proxyuser.mapr.hosts</name>
               <value>*</value>
     </property>
</configuration>

 

The value for 'hadoop.proxyuser.mapr.groups' can be left as '*' to allow impersonation of all groups or can be replaced with a comma separated list of groups that can be impersonated. 

  1. Add the above change to core-site.xml on all JobTracker nodes.
  2. Restart the active JobTracker using either the MCS or the maprcli node services command.

 

For YARN deployments on all ResourceManager nodes edit /opt/mapr/hadoop/hadoop-2.4.1/etc/hadoop/core-site.xml and add the two properties below:

 

<configuration> 
     <property>
          <name>hadoop.proxyuser.mapr.groups</name>
          <value>*</value>
     </property>
     <property>
          <name>hadoop.proxyuser.mapr.hosts</name>
          <value>*</value>
     </property>
</configuration>

 

  1. Add the above change to core-site.xml on all ResourceManager nodes.
  2. Restart the active ResourceManager using either the MCS or the maprcli node services command.

 

For more information on setting up impersonation with MapR and the necessary ecosystem components please search for 'impersonation' on the MapR Documentation site http://doc.mapr.com

1 person found this helpful

Attachments

    Outcomes