question Hive server 2 authentication with AD issues in Archives of Support Questions (Read Only)

Hive server 2 authentication with AD issues

samant_thakur — Thu, 30 Nov 2017 04:33:04 GMT

Hi,

When I tried to config hive server 2 authentication with AD. I am getting below error in beeline

Beeline version 1.2.1000.2.6.0.3-8 by Apache Hive beeline> !connect jdbc:hive2://local host:10000 Connecting to jdbc:hive2://local host:10000 Enter username for jdbc:hive2://localhost:10000: XXXX

Enter password for jdbc:hive2://feabigrpd01:10000: **********

Connected to: Apache Hive (version 1.2.1000.2.6.0.3-8) Driver: Hive JDBC (version 1.2.1000.2.6.0.3-8) Transaction isolation: TRANSACTION_REPEATABLE_READ 0: jdbc:hive2://local host:10000>

0: jdbc:hive2://localhost:10000> show databases ;

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user XXXX does not have [USE] privilege on [null] (state=42000,code=40000)

1. I have configured below properties

hive.server2.authentication =LDAP

hive.server2.authentication.ldap.url=ldap://XXX.co.XX:389

hive.server2.authentication.ldap.Domain=dc=XXX,dc=co,dc=XX

2. hive server2 logs error :/var/log/hive

ERROR [HiveServer2-Handler-Pool: Thread-71]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]]] at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)

3. Ambari Hive view authentication error :

Service checks completed

HDFS test

HiveServer test

ATS test

User Home Directory test

Issues detected

Hive authentication failed

4. I have got ranger policy in place which gives the permission to user XXX to all the directories in HDFS & select access to all tables.

Please assist me to resolve this issue. Thanks in advance.

Re: Hive server 2 authentication with AD issues

manish1 — Thu, 30 Nov 2017 06:21:39 GMT

@Samant Thakur

Please check Ranger Audit first to find out whether it was blocked by Ranger or not. If it is being blocked then it must be the Hive policy, which is blocking you. Please let me know.

Re: Hive server 2 authentication with AD issues

samant_thakur — Sat, 02 Dec 2017 22:21:19 GMT

@Manish Gupta Thank you so much for your response. I managed to resolve this issue by entering the username in upper case and was able to access all the Hive tables based on the policies defined in Ranger. It's strange that when I type username in lowercase ,AD authentication was successful but permissions denied to access the tables. I have attached screenshots of both scenarios.

Thanks.hive-ad-issue.png

Re: Hive server 2 authentication with AD issues

manish1 — Sun, 03 Dec 2017 02:36:53 GMT

@Samant Thakur

Yes, it is very annoying when User ID is in upper or mixed case, which is very normal in AD, which is not case-sensitive. But, linux is case-sensitive and so is Ranger. You can remove case-sensitivity in Ranger. But, it is ideal to do it during the installation. You can refer to this article:

https://community.hortonworks.com/content/kbentry/145832/ranger-user-sync-issues-due-to-case-difference.html

PS: As usual, If you think my response helped you to find a solution then please accept my response as the best answer.