Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ambari Hive view permission error

avatar
Contributor

Dear experts,

I am running HDP 2.4 on EC2 cloud. Recently i have installed Ranger and integrated Hive. When i am trying to use the Ambari Hive view using the admin account, i am receiving the below two errors. Could you please help ? i am attaching few screenshots showing the configurations required.

admin-hdfs-policy.png

admin-hive-policy.png

proxy.png

admin OS account is working fine:

----------------------------------------------

[ec2-user@XXXXXXXXX ~]$ id admin

uid=1012(admin) gid=1012(admin) groups=1012(admin),1001(hdpmasters)

[ec2-user@XXXXXXXX ~]$ hdfs dfs -ls /user

Found 9 items

drwxr-xr-x - admin hdfs 0 2017-08-11 04:35 /user/admin

[admin@XXXXXXXX ~]$ hdfs dfs -ls /user/admin

Found 2 items

drwxr-xr-x - admin hdfs 0 2017-08-11 05:33 /user/admin/.hiveJars

drwxr-xr-x - admin hdfs 0 2017-08-11 04:35 /user/admin/testing

[admin@XXXXXX ~]$ hive WARNING: Use "yarn jar" to launch YARN applications. Logging initialized using configuration in file:/etc/hive/2.4.3.0-227/0/hive-log4j.properties

hive> show databases;

OK

default

Time taken: 1.044 seconds, Fetched: 1 row(s)

Errors:

-----------------------------

Failed to execute statement: show databases like '*'

org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [USE] privilege on [null]

E090 HDFS020 Could not write file /user/admin/hive/jobs/hive-job-5-2017-08-11_05-43/query.hql [HdfsApiException]

org.apache.ambari.view.utils.hdfs.HdfsApiException: HDFS020 Could not write file /user/admin/hive/jobs/hive-job-5-2017-08-11_05-43/query.hql

Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): Unauthorized connection for super-user: root from IP XXXXXXXXX

admin-hive-policy.png
1 ACCEPTED SOLUTION

avatar
Contributor

I am able to find the solution, I was running Ranger admin on host1 and Hiveserver on host2 and i created the admin OS account in host1 but not in host2(where hive server is running). Creating the admin account and its group (hdpmasters) in host2 resolved this issue. I guess Ambari views might need the OS account/ Group to be present on the server where the service(being accessed by view) is installed.

View solution in original post

7 REPLIES 7

avatar
Master Mentor

@Chiranjeevi Nimmala

You are getting followine error , other errors might be the side effect of this.

Causedby: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):Unauthorized connection forsuper-user: root from IP XXXXXXXXX

So please Gor o HDFS--> Configs --> Advanced --> Custom core-site and add the following property:

hadoop.proxyuser.root.hosts=*

The restart the required services and then try accessing the view again

.

In the above parameter either you need to specify Comma separated list of All the DataNode Hostnames including Ambari Server host name ... or else you can define *

avatar
Contributor

@Jay SenSharma

I have already tried setting it to '*' but still not working.

27395-proxy-settings.png

avatar
Contributor

@Jay SenSharma

Will the below findings help,

If i add admin user instead of its group hdpmasters in the Ranger hive policy. Both of the errors are not being shown anymore in the Hive view. The problem is only if i use its group 'hdpmasters' in the policy. Please find below

[ec2-user@XXXXXXX ~]$ hdfs dfs -ls /user

Found 9 items drwxr-xr-x - admin

hdpmasters 0 2017-08-11 07:02 /user/admin

[ec2-user@XXXXXX ~]$

id admin uid=1012(admin) gid=1012(admin) groups=1012(admin),1001(hdpmasters)

Why it is only working if i give 'admin' directly but not the group ?

27396-hive.png

avatar
Contributor

Adding to my question, I have added admin OS account into a group 'hdpmasters' and i used this group while configuring Hive Ranger policy. If i use 'admin' instead of group in the policy configuration, strangely i am not able to see the error "FAILED:HiveAccessControlExceptionPermission denied: user [admin] does not have [USE] privilege on [null]" anymore(I can view the default database in Ambari view). Can i know why this is happening ?

27394-using-admin-instead-of-groups.png

avatar
Explorer

@Chiranjeevi Nimmala, What is group permission on HDFS location for Hive where this hive table is stored ? 'hdpmasters' group should have permission of HDFS file system where hive table is stored.

See if below property is set.

webhcat.proxyuser.root.groups *

webhcat.proxyuser.root.hosts *

Regards,

Fahim

avatar
Master Mentor

@Chiranjeevi Nimmala

Make the below changes in hive and restart all stale configuration

webhcat.proxyuser.root.groups *
webhcat.proxyuser.root.hosts *

See Ambari views documentation

Let me know if that helped

avatar
Contributor

I am able to find the solution, I was running Ranger admin on host1 and Hiveserver on host2 and i created the admin OS account in host1 but not in host2(where hive server is running). Creating the admin account and its group (hdpmasters) in host2 resolved this issue. I guess Ambari views might need the OS account/ Group to be present on the server where the service(being accessed by view) is installed.