mapreduce.job.acl-view-job does not apply to Oozie Launcher job in CDH6

mapreduce.job.acl-view-job does not apply to Oozie Launcher job in CDH6

CDH users commonly use YARN setting mapreduce.job.acl-view-job to control which users have access to view YARN application logs through Resource Manager or JobHistory Server web UI. If you have below setting under CM > YARN > Configuration

It will allow “user2” to be able to view all MapReduce Job logs through Resource Manager or JobHistory Server web UI, regardless if the jobs are triggered by “user2” or not.

However, this feature is not longer working in CDH 6.x for Oozie Launcher jobs, due to a major change to the way Oozie Launcher runs in a cluster (Oozie Launcher will have its own AM in CDH6). If “user2” tries to access Oozie Launcher log via Resource Manager or JobHistory Server web UI, below error will be produced:

If you check the Resource Manager log, below error can be seen:

Caused by: org.apache.hadoop.yarn.exceptions.YarnException: User user2 does not have privilege to see this application application_1593732065451_0001
	at org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getApplicationAttempts(ClientRMService.java:445)
	at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMAppBlock.getApplicationAttemptsReport(RMAppBlock.java:209)
	at org.apache.hadoop.yarn.server.webapp.AppBlock$2.run(AppBlock.java:154)
	at org.apache.hadoop.yarn.server.webapp.AppBlock$2.run(AppBlock.java:150)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1875)
	... 68 more

This is because in CDH6, Oozie does not use mapreduce.job.acl-view-job from YARN level anymore, hence it has no effect to Oozie jobs. However, Oozie represents a different approach when handling ACL settings, which needs to be set at Oozie level.

To fix the issue, follow below steps:

  1. Go to CM > Oozie > Configuration page
  2. Locate setting “Oozie Server Advanced Configuration Snippet (Safety Valve) for action-conf/default.xml”
  3. Enter below settings (change accordingly based on your requirement):
  1. Then restart Oozie and “Deploy Client Configuration”

Now, every time when Oozie runs an action, this configuration will be read and applied.

Hopefully above can help you to resolve your issue.

Leave a Reply

Your email address will not be published.

My new Snowflake Blog is now live. I will not be updating this blog anymore but will continue with new contents in the Snowflake world!