This may help clarify the use of Isilon proxy users on a kerberized Isilon.
You need to create a proxy user for the service and then add the users or groups that need to run jobs to that proxy user. Let's take a Hive job as an example.
A Kerberos user, hdpuser3, tries to run a Hive query when no proxy user exists. You will see the following errors and log entries.
[hdpuser3@hdp4 ~]$ kinit
Password for hdpuser3@FOO.COM:
[hdpuser3@hdp4 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_49003
Default principal: hdpuser3@FOO.COM
Valid starting     Expires            Service principal
05/02/16 14:53:51  05/03/16 00:52:08  krbtgt/FOO.COM@FOO.COM
        renew until 05/09/16 14:53:51
Let’s run a hive job:
[hdpuser3@hdp4 ~]$ hive
WARNING: Use "yarn jar" to launch YARN applications.
Logging initialized using configuration in file:/etc/hive/2.3.4.0-3485/0/hive-log4j.properties
hive> SHOW TABLES;
FAILED: SemanticException MetaException(message:org.apache.hadoop.ipc.RemoteException(java.lang.SecurityException): User hive/hdp6.foo.com cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser "hive" Members do not intersect)
hive>
Isilon log:
2016-04-25T17:23:17-04:00 <30.6> rip1-1 hdfs[93963]: [hdfs] RPC V9 user: hdpuser3@FOO.COM exception: java.lang.SecurityException cause: User hive/hdp6.foo.com cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser "hive" Members do not intersect
Creating a proxy user named hive and adding hdpuser3 to that proxy user resolves this issue.
rip1-1# isi hdfs proxyusers members list --zone=horton2 hive
Type Name
----------------------
user hdpuser3
----------------------
Total: 1
hive> SHOW TABLES;
OK
passwords
Time taken: 1.612 seconds, Fetched: 1 row(s)
hive>
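To find which members a proxy user is missing, the denial entries in the Isilon hdfs log can be grouped by proxy user. The script below is an added example, not part of the original post; the sample lines are constructed in the format of the log entry shown above, and hdpuser4 and the function name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the denial text shown in the Isilon hdfs log above. Straight and
# typographic quotes are both accepted around the proxy user name.
DENIAL = re.compile(
    r'User (?P<service>\S+) cannot impersonate User (?P<target>\S+) '
    r'Reason: Proxyuser ["“](?P<proxy>[^"”]+)["”] Members do not intersect'
)

# Constructed sample input: the entry from the page, a repeat of it, a second
# (hypothetical) user, and an unrelated line that must be ignored.
SAMPLE_LOG = """\
2016-04-25T17:23:17-04:00 <30.6> rip1-1 hdfs[93963]: [hdfs] RPC V9 user: hdpuser3@FOO.COM exception: java.lang.SecurityException cause: User hive/hdp6.foo.com cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser "hive" Members do not intersect
2016-04-25T17:23:41-04:00 <30.6> rip1-1 hdfs[93963]: [hdfs] RPC V9 user: hdpuser3@FOO.COM exception: java.lang.SecurityException cause: User hive/hdp6.foo.com cannot impersonate User hdpuser3@FOO.COM Reason: Proxyuser "hive" Members do not intersect
2016-04-25T17:24:02-04:00 <30.6> rip1-1 hdfs[93963]: [hdfs] RPC V9 user: hdpuser4@FOO.COM exception: java.lang.SecurityException cause: User hive/hdp6.foo.com cannot impersonate User hdpuser4@FOO.COM Reason: Proxyuser "hive" Members do not intersect
2016-04-25T17:24:40-04:00 <30.6> rip1-1 hdfs[93963]: [hdfs] constructed unrelated entry
"""


def missing_members(log_text):
    """Map each proxy user to the sorted short names it refused to impersonate."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        match = DENIAL.search(line)
        if match is None:
            continue
        # Strip the Kerberos realm: the member list above holds short names.
        short_name = match.group("target").split("@", 1)[0]
        denied[match.group("proxy")].add(short_name)
    return {proxy: sorted(users) for proxy, users in denied.items()}


if __name__ == "__main__":
    # Each pair is a candidate for review, not an automatic add: membership
    # lets the service act as that user on the cluster.
    for proxy, users in missing_members(SAMPLE_LOG).items():
        print(f"proxy user {proxy}: not a member -> {', '.join(users)}")
```

Compare the result with the output of isi hdfs proxyusers members list for the same zone before changing membership, so that only users who are meant to run jobs through the service are added.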