https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128031#M55648 <P>Thx for your reply. I solve the problem by converting the Oozie script to run Hive2.</P> Mon, 06 Mar 2017 20:52:04 GMT alarsen 2017-03-06T20:52:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128029#M55646 <P>I want to run a very simple Oozie workflow with a Hive action on a kerberized cluster.</P><P>The problem is that Hive is using my credential and not the Hive-user as it is doing through Hive View. If I change my access in Ranger for "/apps/..." then the Oozie workflow is working fine. But we don't want personal account to have access for "/apps/..." folder </P><P>How is it possible to achieve do a Hive action where don't have access to "/apps"..." folder on HDFS?</P><P><B>== WORKFLOW.XML == </B></P><PRE>&lt;?xml version="1.0" encoding="UTF-8" standalone="no"?&gt; &lt;workflow-app xmlns="uri:oozie:workflow:0.5" name="oozie_hive_kerberos_test"&gt; &lt;credentials&gt; &lt;credential name="hcat" type="hcat"&gt; &lt;property&gt; &lt;name&gt;hcat.metastore.principal&lt;/name&gt; &lt;value&gt;hive/_HOST@&lt;host&gt;.com&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;hcat.metastore.uri&lt;/name&gt; &lt;value&gt;thrift://&lt;host&gt;.com:9083&lt;/value&gt; &lt;/property&gt; &lt;/credential&gt; &lt;/credentials&gt; &lt;start to="hive"/&gt; &lt;action cred="hcat" name="hive"&gt; &lt;hive xmlns="uri:oozie:hive-action:0.6"&gt; &lt;job-tracker&gt;${resourceManager}&lt;/job-tracker&gt; &lt;name-node&gt;${nameNode}&lt;/name-node&gt; &lt;query&gt; use XXXXX; drop table if exists YYYY.ZZZZ; &lt;/query&gt; &lt;/hive&gt; &lt;ok to="end"/&gt; &lt;error to="kill"/&gt; &lt;/action&gt; &lt;kill name="kill"&gt; &lt;message&gt;${wf:errorMessage(wf:lastErrorNode())}&lt;/message&gt; &lt;/kill&gt; &lt;end name="end"/&gt; &lt;/workflow-app&gt; </PRE> <P><STRONG>== ERROR MESSAGE ==</STRONG></P><PRE>SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] Logging initialized using configuration in /data/hadoop/yarn/local/usercache/MY_USER_NAME/appcache/application_1487006380071_0351/container_e94_1487006380071_0351_01_000002/hive-log4j.properties FAILED: SemanticException MetaException(message:org.apache.hadoop.security.AccessControlException: Permission denied: user=MY_USER_NAME, access=EXECUTE, inode="/apps/hive/warehouse/DATABASE.db":hdfs:hdfs:d--------- at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:319) at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:259) at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:205) at org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer$RangerAccessControlEnforcer.checkPermission(RangerHdfsAuthorizer.java:307) at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:190) at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1827) </PRE> Mon, 27 Feb 2017 21:34:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128029#M55646 alarsen 2017-02-27T21:34:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128030#M55647 <P>Your "credential" section looks wrong, it should be something like this:</P><PRE> &lt;property&gt; &lt;name&gt;hcat.metastore.uri&lt;/name&gt; &lt;value&gt;thrift://&lt;host&gt;:&lt;port&gt;&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;hcat.metastore.principal&lt;/name&gt; &lt;value&gt;hive/&lt;host&gt;@&lt;realm&gt;&lt;/value&gt; &lt;/property&gt;</PRE><P>On every node where Oozie client is installed you can find good examples for all Oozie actions including Hive action in "/usr/hdp/current/oozie-client/doc/examples". Check file called apps/hive/workflow.xml.security under "examples" and modify job.properties to provide your "realm" and other required parameters. Also, in case of hive2 action be sure to test using HS2 server running in binary transport mode. There were some bugs in http mode on kerberized cluster. This applies only to hive2 action, the hive action you are trying should work on both transport modes.</P> Sun, 05 Mar 2017 09:36:30 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128030#M55647 pminovic 2017-03-05T09:36:30Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128031#M55648 <P>Thx for your reply. I solve the problem by converting the Oozie script to run Hive2.</P> Mon, 06 Mar 2017 20:52:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128031#M55648 alarsen 2017-03-06T20:52:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128032#M55649 <P style="margin-left: 20px;">Problem solve by using Hive2</P> Mon, 06 Mar 2017 20:52:52 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Avoid-Oozie-running-Hive-action-with-user-credential/m-p/128032#M55649 alarsen 2017-03-06T20:52:52Z