Support Questions

Find answers, ask questions, and share your expertise

Failed to validate proxy privilege of hue_hive for administrator

avatar
Explorer

Hi all, today I faced a problem that I'am not able to run Hive when I logged in Hue with LDAP user, except the one that I set for authenticatation (hue_hive), does anyone know how to set proxy privileges for LDAP users? Thanks

I didn't use Kerberos or LDAPS either.2017-01-19 23_45_13-Hue - Editor.jpg

8 REPLIES 8

avatar
Champion
It sounds like Hive Impersonation is not turned on. Can you verify?

Do you have this same issue from Beeline or other JDBC connections?

hive.server2.enable.doAs=true

https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Imperso...

avatar
Explorer

Thanks, mbigelow.

hive.server2.enable.impersonation, hive.server2.enable.doAs

is active for "HiveServer2 Default Group", I faced the same problem in Hue and Beeline as well..

 

2017-01-20 00_52_15-root@daiwatest__etc_hue.jpg

And from the Hue server log file I found something.

The password is None for hive.server2.proxy.user, I don't really know is it the underlying reason.

 

[10/Jan/2017 22:05:47 -0800] api WARNING Autocomplete data fetching error: Bad status for request TOpenSessionReq(username=u'administrator', password=None, client_protocol=6, configuration={'hive.server2.proxy.user': u'administrator'}):
TOpenSessionResp(status=TStatus(errorCode=0, errorMessage='Failed to validate proxy privilege of hue_hive for administrator', sqlState='08S01', infoMessages=['*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of hue_hive for administrator:14:13', 'org.apache.hive.service.auth.HiveAuthFactory:verifyProxyAccess:HiveAuthFactory.java:402', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getProxyUser:ThriftCLIService.java:748', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getUserName:ThriftCLIService.java:384', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getSessionHandle:ThriftCLIService.java:411', 'org.apache.hive.service.cli.thrift.ThriftCLIService:OpenSession:ThriftCLIService.java:316', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1253', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1238', 'org.apache.thrift.ProcessFunction:process:ProcessFunction.java:39', 'org.apache.thrift.TBaseProcessor:process:TBaseProcessor.java:39', 'org.apache.hive.service.auth.TSetIpAddressProcessor:process:TSetIpAddressProcessor.java:56', 'org.apache.thrift.server.TThreadPoolServer$WorkerProcess:run:TThreadPoolServer.java:286', 'java.util.concurrent.ThreadPoolExecutor:runWorker:ThreadPoolExecutor.java:1145', 'java.util.concurrent.ThreadPoolExecutor$Worker:run:ThreadPoolExecutor.java:615', 'java.lang.Thread:run:Thread.java:745', '*org.apache.hadoop.security.authorize.AuthorizationException:User: hue_hive is not allowed to impersonate administrator:0:-1'], statusCode=3), sessionHandle=None, configuration=None, serverProtocolVersion=6)

avatar
Champion
Does the user 'administrator' exist on the HS2 node, and preferable the rest of the nodes. Does the user have a HDFS user directory, /user/administrator, with full access to it?

These items are what is needed for users to access the cluster and run jobs regardless of the means of authentication.

avatar
Explorer

The user 'administrator' is LDAP user that I add/sync in Hue, which having HDFS user directory, /user/administrator and having full access.. does it means the user also exist in HS2 node? Should I check it in Linux OS-level? Thanks for your help.

 

 2017-01-20 01_14_13-Hue - File Browser.jpg

avatar
Champion
Yes check there. I don't know the HIve source code but I do know that HDFS still does a username/group lookup against the OS.

avatar
Explorer

My Hive is also Enabled LDAP Authentication, my user 'hue_hive' doesn't exist in Linux but only in LDAP and Hue as well..

I have tried to run query in Hue and beeline with 'hue_hive', it also works. From this point I think my user 'hue_hive' is exist in HS2.

How about the other users in LDAP such as 'administrator'? How does HS2 actually impersonate the user to other services? such as MapReduce and HDFS..?

 

2017-01-20 09_47_23-root@daiwatest__etc_hue.jpg

avatar
Explorer

hey were you able to resolve this issue. I am facing the same issue, any help is much appreciated

avatar
Master Guru

@jackyyipjk,

 

The following error indicates that the "hue_hive" user is not authorized to act as a proxy for other users:

Failed to validate proxy privilege of hue_hive for administrator:14:13'

 

Hue authenticates to Hive as "hue_hive" but it must then act as a proxy.  This is restricted by default.

Usually, this can be configured in Cloudera Manager by editing:

HDFS --> Configuration --> Service Wide --> Advanced --> Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml

 

You can add, for instance:

 

hadoop.proxyuser.hue_hive.groups

*

 

XML representiation:


<property>
<name>hadoop.proxyuser.hue_hive.groups</name>
<value>*</value>
</property>

 

The above will allow hue_hive to act as a proxy for any user (including "administrator)

 

Regards,

 

Ben