Isilon hdfs proxy users

This may help clarify the use of Isilon proxy users on a kerberized Isilon.

You need to create a proxy user for the service and then add users or groups that need to run jobs to that proxy user. Lets take a hive job as an example.


A Kerberos user: hdpuser3 tries to run a hive query, no proxy user exists. You will see the following errors and log entries.


[hdpuser3@hdp4 ~]$ kinit

Password for hdpuser3@FOO.COM:

[hdpuser3@hdp4 ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_49003

Default principal: hdpuser3@FOO.COM

Valid starting     Expires            Service principal

05/02/16 14:53:51  05/03/16 00:52:08  krbtgt/FOO.COM@FOO.COM

renew until 05/09/16 14:53:51


Let’s run a hive job:

[hdpuser3@hdp4 ~]$ hive

WARNING: Use “yarn jar” to launch YARN applications.


Logging initialized using configuration in file:/etc/hive/


FAILED: SemanticException MetaException(message:org.apache.hadoop.ipc.RemoteException(java.lang.SecurityException): User hive/ cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser “hive” Members do not intersect)



Isilon log:

2016-04-25T17:23:17-04:00 <30.6> rip1-1 hdfs[93963]: [hdfs] RPC V9  user: hdpuser3@FOO.COM exception: java.lang.SecurityException cause: User hive/ cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser “hive” Members do not intersect




Adding a Proxy User; hive and adding hdpuser3 to that proxy user will resolve this issue.



rip1-1# isi hdfs proxyusers members list –zone=horton2 hive

Type  Name


user  hdpuser3


Total: 1






Time taken: 1.612 seconds, Fetched: 1 row(s)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s