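【Oozie】SSH Workflow error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

【Problem】Add a workflow, drag in an ssh action, fill in USER@HOST for "user and host", enter the simplest possible command, ll, as the ssh command, save, submit, and it fails with: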
Caused by: java.io.IOException: Not able to perform operation [ssh -o PasswordAuthentication=no -o KbdInteractiveDevices=no -o StrictHostKeyChecking=no -o ConnectTimeout=20 USER@HOST  mkdir -p oozie-oozi/***-oozie-oozi-W/ssh-bd59--ssh/ ] | ErrorStream: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    at org.apache.oozie.action.ssh.SshActionExecutor.executeCommand(SshActionExecutor.java:342)
    at org.apache.oozie.action.ssh.SshActionExecutor.setupRemote(SshActionExecutor.java:375)
    at org.apache.oozie.action.ssh.SshActionExecutor$1.call(SshActionExecutor.java:208)
    at org.apache.oozie.action.ssh.SshActionExecutor$1.call(SshActionExecutor.java:206)
    at org.apache.oozie.action.ssh.SshActionExecutor.execute(SshActionExecutor.java:550)
    ... 11 more
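The attempt above was not made on the node where the Oozie server runs, but trying the same operation on the Oozie server's node produces the same error.
The workflow above was submitted after logging in to Hue as the hdfs user, but workflows submitted after logging in to Hue as the oozie or root user produce the same error.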

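【Approach 1】Some people online say to open the Cloudera Manager page, select the Oozie service, go to Configuration, search for the system user and change it from oozie to USER, then search for the system group and change it from oozie to USER. That did not work for me; it failed with: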
Workflow submission failed
Failed to create deployment directory: StandbyException: Operation category READ is not supported in state standby. Visit https://s.apache.org/sbnn-error (error 403)

【Approach 2】Oozie server will run the SSH as oozie user to run the ssh as. Enable password-less login for oozie user. Create SSH keys for oozie user and copy its public key to the authorized_keys of cloudera user. So:
(1) On the machine where the Oozie server runs
$su oozie
$whoami
oozie
$ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/*/oozie/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /*/oozie/.ssh/id_dsa.
Your public key has been saved in /*/oozie/.ssh/id_dsa.pub.
$cat /*/oozie/.ssh/id_dsa.pub
$vi /*/USER/.ssh/authorized_keys
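Paste in the content printed by cat.
(2) On the other machines
Because only one Oozie server instance is configured, on the other machines just run $vi /*/USER/.ssh/authorized_keys and paste in the content printed by cat.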

【Test】Log in to Hue as USER and submit a workflow that also uses USER@HOST; running ls, mkdir and an sh script all succeeded.

【Tip 1】If su oozie does nothing, it is because cat /*/passwd shows
oozie:x:*:*:Oozie User:/*/oozie:/bin/false
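The /bin/false there is the strictest no-login option, under which no service can be used; it needs to be changed to /bin/bash.
Once passwordless login for oozie is configured, change it back to /bin/false.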
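
The following is an added example, not part of the original post: three shell checks for the setup described above (the oozie public key is present in the target user's authorized_keys, the file modes will pass sshd's StrictModes check, and the oozie login shell has been switched back to a no-login shell). The function names are hypothetical, and all paths are passed as arguments because the post elides the real home directories.

```shell
#!/usr/bin/env bash
# Added example: post-setup checks for the key-based login configured above.
# Function names are hypothetical; paths are arguments (the post elides them).

# key_authorized PUBKEY_FILE AUTHORIZED_KEYS
# Succeeds when the public key (type + base64 blob, comment ignored) is listed.
key_authorized() {
    local ktype kblob _rest
    read -r ktype kblob _rest < "$1" || true
    [ -n "$kblob" ] || return 2
    awk -v t="$ktype" -v b="$kblob" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        { for (i = 1; i < NF; i++)                 # options may precede the key type
              if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { exit !found }' "$2"
}

# strict_modes_ok AUTHORIZED_KEYS
# With StrictModes (the sshd default), the key file is refused when it, its .ssh
# directory or the home directory is group- or world-writable, which yields the
# same "Permission denied (publickey,...)" error. Ownership is not checked here.
strict_modes_ok() {
    local ssh_dir home_dir p
    ssh_dir=$(dirname "$1")
    home_dir=$(dirname "$ssh_dir")
    for p in "$1" "$ssh_dir" "$home_dir"; do
        [ -e "$p" ] || return 2
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    done
}

# login_shell_disabled USER PASSWD_FILE
# Succeeds when USER's shell field is a no-login shell again, i.e. the temporary
# switch to /bin/bash has been reverted.
login_shell_disabled() {
    local shell
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}
```

Each function returns 0 when the check passes, so they can be chained with `&&` after running the steps on the Oozie server and on every target host.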

【Tip 2】
At http://oozie.apache.org/docs/4.1.0/DG_SshActionExtension.html, the official documentation contains this sentence:
The oozie.action.ssh.allow.user.at.host property, in the oozie-site.xml configuration, indicates if an alternate user than the one submitting the job can be used for the ssh invocation. By default this property is set to true.
In Cloudera Manager, open the Oozie service, click Configuration, search for oozie-site.xml, click the plus sign, and add the name oozie.action.ssh.allow.user.at.host with the value false.
With this set, when a user other than USER logs in to Hue and submits an ssh workflow whose user is USER, clicking submit fails with:
org.apache.oozie.action.ActionExecutorException: user mismatch between oozie user [oozie] and ssh host [USER@HOST]
