I am trying to understand the following error:
I was initially using Ambari with the Admin account. Now we are trying to "normalize" the usage and I received an account for me. I have a Ambari user "phernandez" and a user in the linux server "hernandez". If I login in ambari with the admin server I have no problems but if I do it with "phernandez":
- I can open the Files View
- I see 2 Hive View, that is the first thing I don't understand.
- I cannot successfully open any of these Hive View and get the error in the image above.
I think I need to better understand and learn the hadoop basic concepts and how the operating system user is related to the ambari user and the hive security, but if you can help me to solve this issue I will appreciate it a lot.
We have a HDP 2.5 installation with 4 nodes.
Ranger has a policy that grants me access to a database (access for a group I belong to).
Your Hive server check is failing, it could be service is down or your proxy user is not set up correctly (config issue). I recommend starting with this doc http://docs.hortonworks.com/HDPDocuments/Ambari-220.127.116.11/bk_ambari-views/index.html
@Paul Hernandez - Is it a kernerized envirnment ? If yes then are you passing valid
- Which version of ambari is it?
- Are you using LDAP users or "phernandez" is a local user?
Regarding your query on "I see 2 Hive View, that is the first thing I don't understand." ? "Admin" --> "Manage Ambari" --> "Views" --> "Hive" .
Users can create as meny instances they want. So in your case there may be two instances got created. (many be one HiveView 1.0.0 and another HiveView 1.5.0) (from ambari 2.4 we have these two versions of hiveview that we can instantiate)
Hi Jay, thanks for your answer.
You are right, we have these two Hive Views (1.0.0 and 1.5.0)
We are not using LDAP, no kerberos authentication and my user is a local user created using Ambari (version 18.104.22.168).
Have you already allowed access to "phernandez" user in Ranger to allow to this view without any issues. I mean have you added "phernandez" user access in default policy in RANGER.
My user belongs to a group called "pm". This group has a policy that grants access to the "pm" database in Hive. The default policy was deleted by someone.
I don't exactly what I modified in Ranger, but now I am able to open the Hive View, however, I'm still getting an error:
Error while compiling statement: FAILED: SemanticException MetaException(message:java.security.AccessControlException: Permission denied: user=hive, access=READ, inode="/apps/hive/warehouse/myfile":anuser:agroup:drwxrwx--- at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:319) ...
I modified this property:
hive.server2.enable.doAs either to true and to false with the same result.
What I cannot understand, is why the user is always hive
According to this article: http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
if the property is set to true Hiveserver2 will run MR jobs in HDFS as the original user. Why the original user is also hive.
Is it may be realted to these properties?
Any comment will be appreciated.