https://community.cloudera.com/t5/Support-Questions/How-to-Fix-quot-getDelegationToken-can-be-called-only-in/m-p/105849#M254597 <P><A rel="user" href="https://community.cloudera.com/users/768/pvyas.html" nodeid="768">@pvyas</A></P><P>It looks like you may be running into <A target="_blank" href="https://issues.apache.org/jira/browse/HIVE-4625">HIVE-4625</A>. This bug presents when Hiveserver2 is running with doAs enabled (hive.server2.enable.doAs=true). Best practices for securing the cluster call for running Hiveserver2 with doAs disabled because of the ability for a user to skirt Hive authorization policies in Ranger by going directly to HDFS to read files. Here is a link to the article: <A target="_blank" href="http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/">Best Practices for Hive Authorization</A>. Setting doAs to false should also solve your issue of delegation token errors. This bug is corrected in Hive 1.2 which is included with HDP 2.3 and Hiveserver2 will not ask for delegation tokens from metastore any more.</P> Fri, 22 Jan 2016 00:22:32 GMT emaxwell 2016-01-22T00:22:32Z https://community.cloudera.com/t5/Support-Questions/How-to-Fix-quot-getDelegationToken-can-be-called-only-in/m-p/105848#M254596 <P>Hello,</P> <P>Hiveserver2 is non-responsive and the log reveals below error.</P> <P>Cluster is Kerberos enabled and there is no HA on Hive.</P> <PRE>hive.cluster.delegation.token.store.class - org.apache.hadoop.hive.thrift.ZooKeeperTokenStore Ambari V 2.0 HDP V 2.2.4.2 2016-01-19 23:20:18,466 ERROR [HiveServer2-Handler-Pool: Thread-159]: metadata.Hive (Hive.java:getDelegationToken(291 0)) - java.lang.UnsupportedOperationException: getDelegationToken() can be called only in thrift (non local) mode at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDelegationToken(HiveMetaStoreClient.java:1664) at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(RetryingMetaStoreClient.java:90) at com.sun.proxy.$Proxy12.getDelegationToken(Unknown Source) at org.apache.hadoop.hive.ql.metadata.Hive.getDelegationToken(Hive.java:2908) at org.apache.hive.service.cli.CLIService.getDelegationTokenFromMetaStore(CLIService.java:467) at org.apache.hive.service.cli.thrift.ThriftCLIService.getDelegationToken(ThriftCLIService.java:340) at org.apache.hive.service.cli.thrift.ThriftCLIService.getSessionHandle(ThriftCLIService.java:321) at org.apache.hive.service.cli.thrift.ThriftCLIService.OpenSession(ThriftCLIService.java:235) at org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1253) at org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1238) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingProcessor.process(HadoopThriftA uthBridge20S.java:679) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:206) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)</PRE> <P>Appreciate your help!</P> <P>Regards</P> Fri, 15 May 2026 18:46:23 GMT https://community.cloudera.com/t5/Support-Questions/How-to-Fix-quot-getDelegationToken-can-be-called-only-in/m-p/105848#M254596 PranayV 2026-05-15T18:46:23Z https://community.cloudera.com/t5/Support-Questions/How-to-Fix-quot-getDelegationToken-can-be-called-only-in/m-p/105849#M254597 <P><A rel="user" href="https://community.cloudera.com/users/768/pvyas.html" nodeid="768">@pvyas</A></P><P>It looks like you may be running into <A target="_blank" href="https://issues.apache.org/jira/browse/HIVE-4625">HIVE-4625</A>. This bug presents when Hiveserver2 is running with doAs enabled (hive.server2.enable.doAs=true). Best practices for securing the cluster call for running Hiveserver2 with doAs disabled because of the ability for a user to skirt Hive authorization policies in Ranger by going directly to HDFS to read files. Here is a link to the article: <A target="_blank" href="http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/">Best Practices for Hive Authorization</A>. Setting doAs to false should also solve your issue of delegation token errors. This bug is corrected in Hive 1.2 which is included with HDP 2.3 and Hiveserver2 will not ask for delegation tokens from metastore any more.</P> Fri, 22 Jan 2016 00:22:32 GMT https://community.cloudera.com/t5/Support-Questions/How-to-Fix-quot-getDelegationToken-can-be-called-only-in/m-p/105849#M254597 emaxwell 2016-01-22T00:22:32Z https://community.cloudera.com/t5/Support-Questions/How-to-Fix-quot-getDelegationToken-can-be-called-only-in/m-p/105850#M254598 <P>Thank You very much <A rel="user" href="https://community.cloudera.com/users/98/emaxwell.html" nodeid="98">@emaxwell</A>. This helps</P> Sun, 24 Jan 2016 03:37:38 GMT https://community.cloudera.com/t5/Support-Questions/How-to-Fix-quot-getDelegationToken-can-be-called-only-in/m-p/105850#M254598 PranayV 2016-01-24T03:37:38Z