Support Questions
Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

Cae HiveServer2 run query as the acutal connect user on yarn?

Explorer

We are currently running hive(hiveserver2) with sentry, and user impersonation is disable.

When any user connect to hiveserver2 and submit queries, hiveserver2 will submit all the query jobs to yarn, as the same user hive, not the actual the user who connect to hiveserver2.

Is there any way that can let hiveserver2 submit jobs as the actual user?

 

4 REPLIES 4

Champion

@lewiss

 

Have you configured Kerberos?

if so

1. klist to see uid for the current ticket

2. ask the actual user to kinit with their uid and password before submit their query 

 

it may help you

 

 

Explorer
No, we are running hiveserver2 with ldap and sentry.

Champion

@lewiss

 

ok, but I am using Kerberos for the authentication. 

 

I am not sure but it 'might' be the reason for your issue because, according to the below site

 

  • HiveServer2 and the Hive Metastore running with strong authentication. For HiveServer2, strong authentication is either Kerberos or LDAP. For the Hive Metastore, only Kerberos is considered strong authentication
  • Kerberos authentication on your cluster. Kerberos prevent a user from bypassing the authorization system and gaining direct access to the underlying data.

https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_sentry.html#concept_h54_ws4_w...

 

 

 

 

Rising Star

@lewiss Did you find any workaround for this issue?