In the below, I am assuming that
a) the hive warehouse dirs were moved to an ecnryption zone and
b) as recommended in our docs when Ranger is installed, hive.server2.enable.doas is set to false in hive configs (ie the queries are run as 'hive' user)
Probable root cause: The 403 error message may mean there is an authorization issue (Ranger is blocking access). Best way to confirm this is to check Ranger audits.
1. Check if user is being denied at Hive or HDFS level: Login to Ranger as admin and navigate to audits tab and filter for Result = Denied
2. Check if 'hive' user is being denied access to encryption zone containing hive warehouse tables. To do this:
a) First expose Audits view to keyadmin user:
- login to Ranger as admin and click Settings tab > Permissions.
- Click 'Audit' (second row from bottom) to change users who have access to Audit screen
- Under 'Select User', add 'keyadmin' user
b) Logoff as admin and relogin to Ranger as keyadmin user. Then navigate to audits tab and filter for Result = Denied
Most likely you will see requests getting denied by Ranger.
Resolution:
Once you confirm its an authorization issue, follow below to resolve:
1. check if the user (you are kinit'ed as before launching beeline) has is a Ranger hive policy allowing him/her access to the table
To check this, login to Ranger as admin and check the Hive policies
2. there is a KMS policy allowing 'hive' and 'nn' user access to the key used to encrypt the hive warehouse dir in HDFS (you may need to create these users in Ranger or sync from 'unix' once before you can do this)
nn user needs at least GetMetaData and GenerateEEK privilegehive user needs at least GetMetaData and DecryptEEK privilege
