question Using HiveContext with Sentry and proxy-user in Archives of Support Questions (Read Only) https://community.cloudera.com/t5/Archives-of-Support-Questions/Using-HiveContext-with-Sentry-and-proxy-user/m-p/46337#M43629 <P>We are using HiveContext in a Spark Application and running it on a secure cluster with Sentry enabled. We are on CDH 5.8</P><P>&nbsp;</P><P>In our use case we are using proxy-user for impersonation.</P><P>&nbsp;</P><P>spark-submit \</P><P>--class&nbsp;<SPAN>fire.execute.WorkflowExecuteFromFile</SPAN> \<BR />--keytab /disk01/sparkflows/release/fire-ui/sparkflows.keytab \<BR />--proxy-user cloudera --master yarn \<BR />--deploy-mode client \<BR /><SPAN>/disk01/sparkflows/release/fire/core/target/fire-core-1.3.0-jar-with-dependencies.jar</SPAN></P><P>&nbsp;</P><P>We are running into the exception below. Though <SPAN>SPARK-13478 is in CDH 5.7.</SPAN></P><P>&nbsp;</P><P><SPAN><A href="http://archive.cloudera.com/cdh5/cdh/5/spark-1.6.0-cdh5.7.0.releasenotes.html" target="_blank">http://archive.cloudera.com/cdh5/cdh/5/spark-1.6.0-cdh5.7.0.releasenotes.html</A></SPAN></P><P><SPAN><A href="https://issues.apache.org/jira/browse/SPARK-13478" target="_blank">https://issues.apache.org/jira/browse/SPARK-13478</A></SPAN></P><P>&nbsp;</P><P><SPAN>org.apache.hadoop.hive.shims.Hadoop23Shims for Hadoop version 2.6.0-cdh5.7.0</SPAN><SPAN> 16/10/15 12:15:56 INFO hive.metastore: Trying to connect to metastore with URI thrift://venice.hadoop:9083</SPAN><SPAN> 16/10/15 12:15:56 ERROR transport.TSaslTransport: SASL negotiation failure</SPAN><SPAN> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]</SPAN><SPAN> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)</SPAN><SPAN> at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)</SPAN><SPAN> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)</SPAN><SPAN> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)</SPAN><SPAN> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)</SPAN><SPAN> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)</SPAN><SPAN> at java.security.AccessController.doPrivileged(Native Method)</SPAN><SPAN> at javax.security.auth.Subject.doAs(Subject.java:415)</SPAN><SPAN> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1693)</SPAN><SPAN> at </SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>To ensure everything else is good on the cluster, we tested SparkPi. It runs successfully&nbsp;without any issues:</SPAN></P><P>&nbsp;</P><P><SPAN>spark-submit \</SPAN><BR /><SPAN>--class org.apache.spark.examples.SparkPi \</SPAN><BR /><SPAN>--keytab /disk01/sparkflows/release/fire-ui/sparkflows.keytab \</SPAN><BR /><SPAN>--proxy-user cloudera --master yarn \</SPAN><BR /><SPAN>--deploy-mode client \</SPAN><BR /><SPAN>/opt/cloudera/parcels/CDH-5.7.0-1.cdh5.7.0.p0.45/jars/spark-examples-1.6.0-cdh5.7.0-hadoop2.6.0-cdh5.7.0.jar 10</SPAN></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P>Thanks,</P><P>Jayant</P> Fri, 16 Sep 2022 10:44:33 GMT jayantshekhar 2022-09-16T10:44:33Z Using HiveContext with Sentry and proxy-user https://community.cloudera.com/t5/Archives-of-Support-Questions/Using-HiveContext-with-Sentry-and-proxy-user/m-p/46337#M43629 <P>We are using HiveContext in a Spark Application and running it on a secure cluster with Sentry enabled. We are on CDH 5.8</P><P>&nbsp;</P><P>In our use case we are using proxy-user for impersonation.</P><P>&nbsp;</P><P>spark-submit \</P><P>--class&nbsp;<SPAN>fire.execute.WorkflowExecuteFromFile</SPAN> \<BR />--keytab /disk01/sparkflows/release/fire-ui/sparkflows.keytab \<BR />--proxy-user cloudera --master yarn \<BR />--deploy-mode client \<BR /><SPAN>/disk01/sparkflows/release/fire/core/target/fire-core-1.3.0-jar-with-dependencies.jar</SPAN></P><P>&nbsp;</P><P>We are running into the exception below. Though <SPAN>SPARK-13478 is in CDH 5.7.</SPAN></P><P>&nbsp;</P><P><SPAN><A href="http://archive.cloudera.com/cdh5/cdh/5/spark-1.6.0-cdh5.7.0.releasenotes.html" target="_blank">http://archive.cloudera.com/cdh5/cdh/5/spark-1.6.0-cdh5.7.0.releasenotes.html</A></SPAN></P><P><SPAN><A href="https://issues.apache.org/jira/browse/SPARK-13478" target="_blank">https://issues.apache.org/jira/browse/SPARK-13478</A></SPAN></P><P>&nbsp;</P><P><SPAN>org.apache.hadoop.hive.shims.Hadoop23Shims for Hadoop version 2.6.0-cdh5.7.0</SPAN><SPAN> 16/10/15 12:15:56 INFO hive.metastore: Trying to connect to metastore with URI thrift://venice.hadoop:9083</SPAN><SPAN> 16/10/15 12:15:56 ERROR transport.TSaslTransport: SASL negotiation failure</SPAN><SPAN> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]</SPAN><SPAN> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)</SPAN><SPAN> at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)</SPAN><SPAN> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)</SPAN><SPAN> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)</SPAN><SPAN> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)</SPAN><SPAN> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)</SPAN><SPAN> at java.security.AccessController.doPrivileged(Native Method)</SPAN><SPAN> at javax.security.auth.Subject.doAs(Subject.java:415)</SPAN><SPAN> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1693)</SPAN><SPAN> at </SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>To ensure everything else is good on the cluster, we tested SparkPi. It runs successfully&nbsp;without any issues:</SPAN></P><P>&nbsp;</P><P><SPAN>spark-submit \</SPAN><BR /><SPAN>--class org.apache.spark.examples.SparkPi \</SPAN><BR /><SPAN>--keytab /disk01/sparkflows/release/fire-ui/sparkflows.keytab \</SPAN><BR /><SPAN>--proxy-user cloudera --master yarn \</SPAN><BR /><SPAN>--deploy-mode client \</SPAN><BR /><SPAN>/opt/cloudera/parcels/CDH-5.7.0-1.cdh5.7.0.p0.45/jars/spark-examples-1.6.0-cdh5.7.0-hadoop2.6.0-cdh5.7.0.jar 10</SPAN></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P>Thanks,</P><P>Jayant</P> Fri, 16 Sep 2022 10:44:33 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Using-HiveContext-with-Sentry-and-proxy-user/m-p/46337#M43629 jayantshekhar 2022-09-16T10:44:33Z Re: Using HiveContext with Sentry and proxy-user https://community.cloudera.com/t5/Archives-of-Support-Questions/Using-HiveContext-with-Sentry-and-proxy-user/m-p/46558#M43630 <P>To close the loop, the problem was on our side!</P><P>&nbsp;</P><P>In this specific scenario we had also set master to "local" in the code in error. Fixing it solved the issue!</P><P>&nbsp;</P><P>Thanks!</P> Fri, 21 Oct 2016 21:02:16 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Using-HiveContext-with-Sentry-and-proxy-user/m-p/46558#M43630 jayantshekhar 2016-10-21T21:02:16Z