This may help clarify the use of Isilon proxy users on a kerberized Isilon.

You need to create a proxy user for the service and then add users or groups that need to run jobs to that proxy user. Lets take a hive job as an example.

 

A Kerberos user: hdpuser3 tries to run a hive query, no proxy user exists. You will see the following errors and log entries.

 

[hdpuser3@hdp4 ~]$ kinit

Password for hdpuser3@FOO.COM:

[hdpuser3@hdp4 ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_49003

Default principal: hdpuser3@FOO.COM

Valid starting     Expires            Service principal

05/02/16 14:53:51  05/03/16 00:52:08  krbtgt/FOO.COM@FOO.COM

renew until 05/09/16 14:53:51

 

Let’s run a hive job:

[hdpuser3@hdp4 ~]$ hive

WARNING: Use “yarn jar” to launch YARN applications.

 

Logging initialized using configuration in file:/etc/hive/2.3.4.0-3485/0/hive-log4j.properties

hive> SHOW TABLES;

FAILED: SemanticException MetaException(message:org.apache.hadoop.ipc.RemoteException(java.lang.SecurityException): User hive/hdp6.foo.com cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser “hive” Members do not intersect)

hive>

 

Isilon log:

2016-04-25T17:23:17-04:00 <30.6> rip1-1 hdfs[93963]: [hdfs] RPC V9  user: hdpuser3@FOO.COM exception: java.lang.SecurityException cause: User hive/hdp6.foo.com cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser “hive” Members do not intersect

 

 

 

Adding a Proxy User; hive and adding hdpuser3 to that proxy user will resolve this issue.

 

 

rip1-1# isi hdfs proxyusers members list –zone=horton2 hive

Type  Name

———————-

user  hdpuser3

———————-

Total: 1

 

 

hive> SHOW TABLES;

OK

passwords

Time taken: 1.612 seconds, Fetched: 1 row(s)

hive>