Support Questions

Thanks, mbigelow.

hive.server2.enable.impersonation, hive.server2.enable.doAs

is active for "HiveServer2 Default Group", I faced the same problem in Hue and Beeline as well..

 

And from the Hue server log file I found something.

The password is None for hive.server2.proxy.user, I don't really know is it the underlying reason.

 

[10/Jan/2017 22:05:47 -0800] api WARNING Autocomplete data fetching error: Bad status for request TOpenSessionReq(username=u'administrator', password=None, client_protocol=6, configuration={'hive.server2.proxy.user': u'administrator'}):
TOpenSessionResp(status=TStatus(errorCode=0, errorMessage='Failed to validate proxy privilege of hue_hive for administrator', sqlState='08S01', infoMessages=['*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of hue_hive for administrator:14:13', 'org.apache.hive.service.auth.HiveAuthFactory:verifyProxyAccess:HiveAuthFactory.java:402', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getProxyUser:ThriftCLIService.java:748', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getUserName:ThriftCLIService.java:384', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getSessionHandle:ThriftCLIService.java:411', 'org.apache.hive.service.cli.thrift.ThriftCLIService:OpenSession:ThriftCLIService.java:316', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1253', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1238', 'org.apache.thrift.ProcessFunction:process:ProcessFunction.java:39', 'org.apache.thrift.TBaseProcessor:process:TBaseProcessor.java:39', 'org.apache.hive.service.auth.TSetIpAddressProcessor:process:TSetIpAddressProcessor.java:56', 'org.apache.thrift.server.TThreadPoolServer$WorkerProcess:run:TThreadPoolServer.java:286', 'java.util.concurrent.ThreadPoolExecutor:runWorker:ThreadPoolExecutor.java:1145', 'java.util.concurrent.ThreadPoolExecutor$Worker:run:ThreadPoolExecutor.java:615', 'java.lang.Thread:run:Thread.java:745', '*org.apache.hadoop.security.authorize.AuthorizationException:User: hue_hive is not allowed to impersonate administrator:0:-1'], statusCode=3), sessionHandle=None, configuration=None, serverProtocolVersion=6)

Does the user 'administrator' exist on the HS2 node, and preferable the rest of the nodes. Does the user have a HDFS user directory, /user/administrator, with full access to it?

These items are what is needed for users to access the cluster and run jobs regardless of the means of authentication.

The user 'administrator' is LDAP user that I add/sync in Hue, which having HDFS user directory, /user/administrator and having full access.. does it means the user also exist in HS2 node? Should I check it in Linux OS-level? Thanks for your help.

 

 

Yes check there. I don't know the HIve source code but I do know that HDFS still does a username/group lookup against the OS.

My Hive is also Enabled LDAP Authentication, my user 'hue_hive' doesn't exist in Linux but only in LDAP and Hue as well..

I have tried to run query in Hue and beeline with 'hue_hive', it also works. From this point I think my user 'hue_hive' is exist in HS2.

How about the other users in LDAP such as 'administrator'? How does HS2 actually impersonate the user to other services? such as MapReduce and HDFS..?