Support Questions

Find answers, ask questions, and share your expertise

Ambari Hive View: How to make Hive queries run as current user?

avatar
Expert Contributor

We have a kerberized cluster and just finished configuring the Hive and HDFS views inside Ambari 2.1.2.1 by following the documentation here: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_ambari_views_guide/content/section_kerber...

I'm able to login to ambari with my username to use both the Hive and HDFS view OK. I'm testing these views with Ranger now. The problem is the Hive view seems to be running as the ambari-server user.

4764-ranger-audit.png

How do make the hive view run queries as my username instead of ambari-server?

Note: The HDFS view seems to be working correctly because I can see the correct username in the audit logs.

1 ACCEPTED SOLUTION

avatar
Guru

Wonder if you are hitting this issue?

https://issues.apache.org/jira/browse/AMBARI-13875

It's fixed in Ambari 2.2+. The latest Ambari is 2.2.2.0 and upgrade docs / general docs can be found here:

http://docs.hortonworks.com/HDPDocuments/Ambari/Ambari-2.2.2.0/index.html

View solution in original post

10 REPLIES 10

avatar
Master Guru

@Kit Menke have you enabled hive impersonations? link to best practice. More on enabling hive impersonations here.

avatar
Expert Contributor

@Sunile Manjee I think Scenario #1 is what I'm aiming for. I set "Run as end user instead of Hive user" to false but still I'm seeing ambari-server show up in the ranger audit log.

avatar

There seems to be a missing param in the docs for "Hive authentication" property. It should work after you add the bolded below to pass in user logged into ambari as the hive.server2.proxy.user:

auth=KERBEROS;principal=hive/HIVE_HOST@REALM;hive.server2.proxy.user=${username}

@bganesan: seems like we may need to update our doc

avatar

Per the JIRA from Jeff, looks like the feature did not work prior to Ambari 2.2+. The relevant doc section in Ambari 2.2.0.0 looks ok so I think we are good. Although it might be good to update older docs to explicitly call out the fact that running queries as logged in user won't work.

avatar
Guru

Wonder if you are hitting this issue?

https://issues.apache.org/jira/browse/AMBARI-13875

It's fixed in Ambari 2.2+. The latest Ambari is 2.2.2.0 and upgrade docs / general docs can be found here:

http://docs.hortonworks.com/HDPDocuments/Ambari/Ambari-2.2.2.0/index.html

avatar
Expert Contributor

@jeff That does look like what I'm running into. I tried adding hive.server2.proxy.user as suggested by @Ali Bajwa but it didn't have any affect so must be that bug. I'll see if we can update Ambari.

avatar
@Kit Menke

Can you please check is below property set in hive-site.xml, if not please set it and try.

hive.server2.enable.doAs = true

Link for more details.

avatar
Expert Contributor

@Sri Bandaru I've tried changing doAs to both true and false and saw the same behavior either way when using the Ambari Hive view. We want to leave it as false anyways.

avatar
Expert Contributor

After upgrading to Ambari 2.2.2.0 and adding hive.server2.proxy.user=${username} to the Ambari Hive View config this started working. Thanks @jeff and @Ali Bajwa!