Community Articles
Find and share helpful community-sourced technical articles

This is for HDP 2.5 only. If you are seeing the same error HDP 2.6, there could be something else that has failed before this stage. Please check the full log.

 

After enabling Hive LLAP, it fails to start with:

ERROR impl.LlapZookeeperRegistryImpl: Unable to start curator PathChildrenCache. Exception: {}
org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode = InvalidACL for /llap-sasl/user-hive
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:121) ~[zookeeper-3.4.6.2.5.0.0-1245.jar:3.4.6-1245--1]
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:51) ~[zookeeper-3.4.6.2.5.0.0-1245.jar:3.4.6-1245--1]
	at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) ~[zookeeper-3.4.6.2.5.0.0-1245.jar:3.4.6-1245--1]
	at org.apache.curator.utils.ZKPaths.mkdirs(ZKPaths.java:232) ~[curator-client-2.7.1.jar:?]
	at org.apache.curator.utils.EnsurePath$InitialHelper$1.call(EnsurePath.java:148) ~[curator-client-2.7.1.jar:?]

Steps to fix:

1. /usr/hdp/current/zookeeper-server/bin/zkCli.sh -server `hostname`

2. create /llap-sasl "" sasl:hive:cdrwa,world:anyone:r

3. create /llap-sasl/user-hive "" sasl:hive:cdrwa,world:anyone:r

4. create /llap-sasl/user-hive/llap0 "" sasl:hive:cdrwa,world:anyone:r

5. create /llap-sasl/user-hive/llap0/workers "" sasl:hive:cdrwa,world:anyone:r

Note: If Kerberos is enabled:

su as zookeeper

kinit as hive

3,644 Views
Comments
New Contributor

Hi Mugdha,

How I can raise a Kerberos ticket from zookeeper as hive?

Thank You

New Contributor

I`m trying do this but get the error.

kinit -kt /etc/security/keytabs/hive.service.keytab hive/HOST_NAME@TFAYD.COM kinit: Keytab contains no suitable keys for hive/HOST_NAME@TFAYD.COM while getting initial credentials

Explorer

klist -kt /etc/security/keytabs/hive.service.keytab to find out exact principal name you need to kinit with.

Contributor

Just a note - on older versions of HDP (2.6.1 and below iirc) it is possible to receive InvalidACL at start time because the LLAP application has failed to start and thus failed to create the path entirely. So, it might be worth checking the LLAP app log if the path does not exist.

Don't have an account?
Version history
Revision #:
3 of 3
Last update:
‎03-04-2020 08:31 PM
Updated by:
 
Contributors
Top Kudoed Authors