Secure Impresonation Job Execution Error - User is not allowed to impresonate

Problem

When executing Datameer jobs using Secure Impersonation, the following error message is observed in the job logs:

8:37:46.724 PM INFO org.apache.hadoop.ipc.Server
Socket Reader #1 for port 8032: readAndProcess from client 10.123.1.123 threw exception [org.apache.hadoop.security.authorize.AuthorizationException: User: datameer/myhostname.mydomain.com@MYREALM.COM is not allowed to impersonate user1234]

 

Cause

The following two parameters were not set in the core-site.xml configuration for the Hadoop Cluster as documented (Secure Impersonation with Datameer).

hadoop.proxyuser.<USERNAME>.groups
hadoop.proxyuser.<USERNAME>.hosts

The <USERNAME> variable should match the user account that the Datameer application is started with. For the rest of this article, this user will be assumed to be "datameer". 

Alternatively, these values are set in the core-site.xml file but the user being impersonated is not a member of the configured groups or the Datameer server is not configured as one of the configured hosts. 

 

Solution

To resolve this issue, add/update the following two parameters in the core-site.xml configuration for the Hadoop cluster with appropriate groups and hosts settings:

hadoop.proxyuser.datameer.groups
hadoop.proxyuser.datameer.hosts

The most tolerant settings available include the usage of a wildcard for both the groups and hosts. These settings would like this in the standard XML formatting for the core-site.xml file:

<property>
  <name>hadoop.proxyuser.datameer.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.datameer.hosts</name>
  <value>*</value>
</property>

If required, please contact Datameer Support for additional information.