Reply
Explorer
Posts: 20
Registered: ‎11-29-2016

Cae HiveServer2 run query as the acutal connect user on yarn?

We are currently running hive(hiveserver2) with sentry, and user impersonation is disable.

When any user connect to hiveserver2 and submit queries, hiveserver2 will submit all the query jobs to yarn, as the same user hive, not the actual the user who connect to hiveserver2.

Is there any way that can let hiveserver2 submit jobs as the actual user?

 

Posts: 343
Topics: 11
Kudos: 51
Solutions: 29
Registered: ‎09-02-2016

Re: Cae HiveServer2 run query as the acutal connect user on yarn?

@lewiss

 

Have you configured Kerberos?

if so

1. klist to see uid for the current ticket

2. ask the actual user to kinit with their uid and password before submit their query 

 

it may help you

 

 

Explorer
Posts: 20
Registered: ‎11-29-2016

Re: Cae HiveServer2 run query as the acutal connect user on yarn?

No, we are running hiveserver2 with ldap and sentry.
Posts: 343
Topics: 11
Kudos: 51
Solutions: 29
Registered: ‎09-02-2016

Re: Cae HiveServer2 run query as the acutal connect user on yarn?

@lewiss

 

ok, but I am using Kerberos for the authentication. 

 

I am not sure but it 'might' be the reason for your issue because, according to the below site

 

  • HiveServer2 and the Hive Metastore running with strong authentication. For HiveServer2, strong authentication is either Kerberos or LDAP. For the Hive Metastore, only Kerberos is considered strong authentication
  • Kerberos authentication on your cluster. Kerberos prevent a user from bypassing the authorization system and gaining direct access to the underlying data.

https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_sentry.html#concept_h54_ws4_w...

 

 

 

 

Announcements