
Unable to impersonate users when using HiveServer2

I have a server app that uses impersonation to run Hive queries on behalf of users.  Every query that I execute is wrapped in a UserGroupInformation.doAs call.  When I run that server app on CDH4 set up for HiveServer2, it looks like HiveServer2 impersonation always runs the query as my server app's security principal, rather than as the principal that I am proxying.

 

I have configured core-site.xml to allow my server app to proxy users.  My app always executes queries using the following general sequence, wrapped inside a doAs:

conf = new HiveConf(Driver)
driver = new Driver(conf)
state = new SessionState(conf)
configure the session state
SessionState.start(state)
driver.compile and driver.execute
or driver.run

In the Hive warehouse, all databases and tables seem to be created with the owner set to the server app's userid, rather than the impersonated user's userid.  When I prepare data for a new table, I load the data into a directory created in the user's temporary folder (/user/{username}/tmp/...), and execute a query to load the data into a new Hive table.  I get a permission error when Hive attempts to move the data into the warehouse, because it is executing the move operation as the server app rather than as the proxied user, and is not allowed to write to the user's temporary directory.


Re: Unable to impersonate users when using HiveServer2

Hello,

The way you're invoking the Driver/etc. internal classes is making your code bypass the HS2 altogether and run its own jobs. If you wish to talk via HS2, you would need to use its JDBC Driver or Thrift (TCLIService) APIs.
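The JDBC route suggested in the reply above, as an added example that is not code from either poster or from the Hive project. It assumes a Kerberos-enabled client configuration on the classpath, an HS2 release that accepts the `hive.server2.proxy.user` connection parameter (not confirmed for the CDH4 release in the question), and the proxy-user grant in core-site.xml that the question mentions; host, realm, principal, keytab path and the user `alice` are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.regex.Pattern;
import org.apache.hadoop.security.UserGroupInformation;

public class Hs2ProxyQuery {
    // Placeholders (assumptions): HS2 host, service principal and realm.
    private static final String HS2_URL =
        "jdbc:hive2://hs2.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM";
    // Accept plain account names only: ';', '=', '?' or '#' in the name
    // would add or override parameters in the JDBC URL.
    private static final Pattern SAFE_USER =
        Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}");

    static String urlFor(String endUser) {
        if (endUser == null || !SAFE_USER.matcher(endUser).matches()) {
            throw new IllegalArgumentException("rejected user name");
        }
        return HS2_URL + ";hive.server2.proxy.user=" + endUser;
    }

    static void runAs(final String endUser, final String sql) throws Exception {
        // Authenticate to HS2 as the server app; HS2 is asked to run the session as endUser.
        UserGroupInformation.getLoginUser().doAs(new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                try (Connection c = DriverManager.getConnection(urlFor(endUser));
                     Statement s = c.createStatement();
                     ResultSet rs = s.executeQuery(sql)) {
                    while (rs.next()) {
                        System.out.println(rs.getString(1));
                    }
                }
                return null;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Class.forName("org.apache.hive.jdbc.HiveDriver");
        // Placeholder principal and keytab path (assumptions).
        UserGroupInformation.loginUserFromKeytab(
            "serverapp@EXAMPLE.COM", "/etc/security/keytabs/serverapp.keytab");
        runAs("alice", "SHOW TABLES");
    }
}
```

Because every statement now goes through HS2, the impersonation decision is made by the server against its proxy-user configuration instead of inside the client process.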