Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Highlighted

Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Contributor

Hello - 

In HUE I can run two queries...on two different tables, but when I attempt to run a single query that joins them, I get the following error:

 

Error while compiling statement: FAILED: SemanticException Unable to compare key strength for hdfs://hanameservice/user/hive/warehouse/testdb.db/provider_md_hierarchy and hdfs://hanameservice/user/hive/warehouse/testdb.db/pg_md_survey : org.apache.hadoop.security.authorize.AuthorizationException: User:hive not allowed to do 'GET_METADATA' on 'hive'

 

I searched around and couldn't find anything that helps.  Does anyone have idea on where i can start looking to find a solution?

 

 

thanks - douglas

 

 

7 REPLIES 7

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Guru

Hi,

 

Can you try to add the following to KMS configuration?

 

 

<property> 
  <name>hadoop.kms.acl.GET_METADATA</name> 
  <value>{{group_list}}</value> 
  <description> 
    ACL for get-key-metadata and get-keys-metadata operations. 
  </description> 
</property>

Add "hive" to the {{group_list}}, and then restart KMS to see if it helps.


Thanks

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Contributor

Hi...Thanks for the suggestion.  I ended up creating a support ticket the other day and was able to add the hive user to a few different KMS settings and that did solve the problem

 

thanks.

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Guru

Hi,

 

I am glad that issue has been resolved.

 

For the benefits of other community users, are you able to outline on what you have done to resolve the issue? Much appreciate your contribution.

 

Thanks

Eric

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Contributor

I added hive user to the below two properties in the kms-acls.xml to make it work.

 

hadoop.kms.acl.GET_METADATA

whitelist.key.acl.READ

 

Also, I noticed that this happens only when we are doing a JOIN on two tables. When we are querying a single table, it is fine. Are the GET_METADATA and READ operations happening on HDFS on the parquet metadata OR on the Hive Warehouse?

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

New Contributor

I am also getting a similar kind of error, I followed the above steps , still my issue is not fixed, any help is appreciated.

 

hdfs://nameservice1/uat/rwa/st/st_gf/int_rfnd : org.apache.hadoop.security.authorize.AuthorizationException: User:hdmock not allowed to do 'GET_METADATA' on 'cdh'

 

Thanks

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Contributor

Hello...

I just checked on our cluster and the 'hive' user is on the following ACLs

 

hadoop.kms.acl.GET_METADATA
hadoop.kms.acl.DECRYPT_EEK

default.key.acl.READ

whitelist.key.acl.MANAGEMENT
whitelist.key.acl.READ
whitelist.key.acl.DECRYPT_EEK
hadoop.kms.acl.DECRYPT_EEK

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

You should have better help on the Security/KMS section than Hue for this
issue: http://community.cloudera.com/t5/Security-Apache-Sentry/bd-p/Security