Cae HiveServer2 run query as the acutal connect user on yarn?

lewiss · ‎07-09-2017

We are currently running hive(hiveserver2) with sentry, and user impersonation is disable.

When any user connect to hiveserver2 and submit queries, hiveserver2 will submit all the query jobs to yarn, as the same user hive, not the actual the user who connect to hiveserver2.

Is there any way that can let hiveserver2 submit jobs as the actual user?

saranvisa · ‎07-09-2017

@lewiss

Have you configured Kerberos?

if so

1. klist to see uid for the current ticket

2. ask the actual user to kinit with their uid and password before submit their query

it may help you

lewiss · ‎07-09-2017

No, we are running hiveserver2 with ldap and sentry.

saranvisa · ‎07-10-2017

@lewiss

ok, but I am using Kerberos for the authentication.

I am not sure but it 'might' be the reason for your issue because, according to the below site

HiveServer2 and the Hive Metastore running with strong authentication. For HiveServer2, strong authentication is either Kerberos or LDAP. For the Hive Metastore, only Kerberos is considered strong authentication
Kerberos authentication on your cluster. Kerberos prevent a user from bypassing the authorization system and gaining direct access to the underlying data.

https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_sentry.html#concept_h54_ws4_w...

Prav · ‎07-31-2018

@lewiss Did you find any workaround for this issue?