mapreduce.job.acl-view-job does not apply to Oozie Launcher job in CDH6
Cloudera

mapreduce.job.acl-view-job does not apply to Oozie Launcher job in CDH6

Cloudera

CDH users commonly use YARN setting mapreduce.job.acl-view-job to control which users have access to view YARN application logs through Resource Manager or JobHistory Server web UI. If you have below setting under CM > YARN > Configuration

It will allow “user2” to be able to view all MapReduce Job logs through Resource Manager or JobHistory Server web UI, regardless if the jobs are triggered by “user2” or not.

However, this feature is not longer working in CDH 6.x for Oozie Launcher jobs, due to a major change to the way Oozie Launcher runs in a cluster (Oozie Launcher will have its own AM in CDH6). If “user2” tries to access Oozie Launcher log via Resource Manager or JobHistory Server web UI, below error will be produced:

If you check the Resource Manager log, below error can be seen:

Caused by: org.apache.hadoop.yarn.exceptions.YarnException: User user2 does not have privilege to see this application application_1593732065451_0001
	at org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getApplicationAttempts(ClientRMService.java:445)
	at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMAppBlock.getApplicationAttemptsReport(RMAppBlock.java:209)
	at org.apache.hadoop.yarn.server.webapp.AppBlock$2.run(AppBlock.java:154)
	at org.apache.hadoop.yarn.server.webapp.AppBlock$2.run(AppBlock.java:150)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1875)
	... 68 more

This is because in CDH6, Oozie does not use mapreduce.job.acl-view-job from YARN level anymore, hence it has no effect to Oozie jobs. However, Oozie represents a different approach when handling ACL settings, which needs to be set at Oozie level.

To fix the issue, follow below steps:

  1. Go to CM > Oozie > Configuration page
  2. Locate setting “Oozie Server Advanced Configuration Snippet (Safety Valve) for action-conf/default.xml”
  3. Enter below settings (change accordingly based on your requirement):
  1. Then restart Oozie and “Deploy Client Configuration”

Now, every time when Oozie runs an action, this configuration will be read and applied.

Hopefully above can help you to resolve your issue.

Other posts that you might also be interested:

  1. “Client cannot authenticate via:[TOKEN, KERBEROS]” error in Oozie DistCp Action
  2. Oozie Hive2 Action Failed with Error: “HiveSQLException: Failed to execute session hooks”
  3. Oozie SSH Action Failed With “externalId cannot be empty” Error
  4. Oozie Spark Actions Fail with Error “Spark config without ‘=’: –conf”
  5. Oozie SSH Action Does Not Support Chained Commands – OOZIE-1974
  6. PerfLogger Missing for Hive in CDH6

Powered by YARPP.

Leave a Reply

Your email address will not be published.

My new Snowflake Blog is now live. I will not be updating this blog anymore but will continue with new contents in the Snowflake world!