Reply
Explorer
Posts: 7
Registered: ‎01-17-2017

Failed to validate proxy privilege of hue_hive for administrator

Hi all, today I faced a problem that I'am not able to run Hive when I logged in Hue with LDAP user, except the one that I set for authenticatation (hue_hive), does anyone know how to set proxy privileges for LDAP users? Thanks

I didn't use Kerberos or LDAPS either.2017-01-19 23_45_13-Hue - Editor.jpg

Posts: 642
Topics: 3
Kudos: 105
Solutions: 67
Registered: ‎08-16-2016

Re: Failed to validate proxy privilege of hue_hive for administrator

It sounds like Hive Impersonation is not turned on. Can you verify?

Do you have this same issue from Beeline or other JDBC connections?

hive.server2.enable.doAs=true

https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Imperso...
Explorer
Posts: 7
Registered: ‎01-17-2017

Re: Failed to validate proxy privilege of hue_hive for administrator

Thanks, mbigelow.

hive.server2.enable.impersonation, hive.server2.enable.doAs

is active for "HiveServer2 Default Group", I faced the same problem in Hue and Beeline as well..

 

2017-01-20 00_52_15-root@daiwatest__etc_hue.jpg

And from the Hue server log file I found something.

The password is None for hive.server2.proxy.user, I don't really know is it the underlying reason.

 

[10/Jan/2017 22:05:47 -0800] api WARNING Autocomplete data fetching error: Bad status for request TOpenSessionReq(username=u'administrator', password=None, client_protocol=6, configuration={'hive.server2.proxy.user': u'administrator'}):
TOpenSessionResp(status=TStatus(errorCode=0, errorMessage='Failed to validate proxy privilege of hue_hive for administrator', sqlState='08S01', infoMessages=['*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of hue_hive for administrator:14:13', 'org.apache.hive.service.auth.HiveAuthFactory:verifyProxyAccess:HiveAuthFactory.java:402', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getProxyUser:ThriftCLIService.java:748', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getUserName:ThriftCLIService.java:384', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getSessionHandle:ThriftCLIService.java:411', 'org.apache.hive.service.cli.thrift.ThriftCLIService:OpenSession:ThriftCLIService.java:316', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1253', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1238', 'org.apache.thrift.ProcessFunction:process:ProcessFunction.java:39', 'org.apache.thrift.TBaseProcessor:process:TBaseProcessor.java:39', 'org.apache.hive.service.auth.TSetIpAddressProcessor:process:TSetIpAddressProcessor.java:56', 'org.apache.thrift.server.TThreadPoolServer$WorkerProcess:run:TThreadPoolServer.java:286', 'java.util.concurrent.ThreadPoolExecutor:runWorker:ThreadPoolExecutor.java:1145', 'java.util.concurrent.ThreadPoolExecutor$Worker:run:ThreadPoolExecutor.java:615', 'java.lang.Thread:run:Thread.java:745', '*org.apache.hadoop.security.authorize.AuthorizationException:User: hue_hive is not allowed to impersonate administrator:0:-1'], statusCode=3), sessionHandle=None, configuration=None, serverProtocolVersion=6)

Posts: 642
Topics: 3
Kudos: 105
Solutions: 67
Registered: ‎08-16-2016

Re: Failed to validate proxy privilege of hue_hive for administrator

Does the user 'administrator' exist on the HS2 node, and preferable the rest of the nodes. Does the user have a HDFS user directory, /user/administrator, with full access to it?

These items are what is needed for users to access the cluster and run jobs regardless of the means of authentication.
Explorer
Posts: 7
Registered: ‎01-17-2017

Re: Failed to validate proxy privilege of hue_hive for administrator

The user 'administrator' is LDAP user that I add/sync in Hue, which having HDFS user directory, /user/administrator and having full access.. does it means the user also exist in HS2 node? Should I check it in Linux OS-level? Thanks for your help.

 

 2017-01-20 01_14_13-Hue - File Browser.jpg

Posts: 642
Topics: 3
Kudos: 105
Solutions: 67
Registered: ‎08-16-2016

Re: Failed to validate proxy privilege of hue_hive for administrator

Yes check there. I don't know the HIve source code but I do know that HDFS still does a username/group lookup against the OS.
Explorer
Posts: 7
Registered: ‎01-17-2017

Re: Failed to validate proxy privilege of hue_hive for administrator

My Hive is also Enabled LDAP Authentication, my user 'hue_hive' doesn't exist in Linux but only in LDAP and Hue as well..

I have tried to run query in Hue and beeline with 'hue_hive', it also works. From this point I think my user 'hue_hive' is exist in HS2.

How about the other users in LDAP such as 'administrator'? How does HS2 actually impersonate the user to other services? such as MapReduce and HDFS..?

 

2017-01-20 09_47_23-root@daiwatest__etc_hue.jpg

PVL
Explorer
Posts: 6
Registered: ‎01-16-2017

Re: Failed to validate proxy privilege of hue_hive for administrator

hey were you able to resolve this issue. I am facing the same issue, any help is much appreciated

Highlighted
Posts: 434
Topics: 1
Kudos: 102
Solutions: 54
Registered: ‎04-22-2014

Re: Failed to validate proxy privilege of hue_hive for administrator

@jackyyipjk,

 

The following error indicates that the "hue_hive" user is not authorized to act as a proxy for other users:

Failed to validate proxy privilege of hue_hive for administrator:14:13'

 

Hue authenticates to Hive as "hue_hive" but it must then act as a proxy.  This is restricted by default.

Usually, this can be configured in Cloudera Manager by editing:

HDFS --> Configuration --> Service Wide --> Advanced --> Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml

 

You can add, for instance:

 

hadoop.proxyuser.hue_hive.groups

*

 

XML representiation:


<property>
<name>hadoop.proxyuser.hue_hive.groups</name>
<value>*</value>
</property>

 

The above will allow hue_hive to act as a proxy for any user (including "administrator)

 

Regards,

 

Ben

Announcements