Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here. Want to know more about what has changed? Check out the Community News blog.

Failed to validate proxy privilege of hue_hive for administrator

Failed to validate proxy privilege of hue_hive for administrator

Explorer

Hi all, today I faced a problem that I'am not able to run Hive when I logged in Hue with LDAP user, except the one that I set for authenticatation (hue_hive), does anyone know how to set proxy privileges for LDAP users? Thanks

I didn't use Kerberos or LDAPS either.2017-01-19 23_45_13-Hue - Editor.jpg

8 REPLIES 8

Re: Failed to validate proxy privilege of hue_hive for administrator

Champion
It sounds like Hive Impersonation is not turned on. Can you verify?

Do you have this same issue from Beeline or other JDBC connections?

hive.server2.enable.doAs=true

https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Imperso...

Re: Failed to validate proxy privilege of hue_hive for administrator

Explorer

Thanks, mbigelow.

hive.server2.enable.impersonation, hive.server2.enable.doAs

is active for "HiveServer2 Default Group", I faced the same problem in Hue and Beeline as well..

 

2017-01-20 00_52_15-root@daiwatest__etc_hue.jpg

And from the Hue server log file I found something.

The password is None for hive.server2.proxy.user, I don't really know is it the underlying reason.

 

[10/Jan/2017 22:05:47 -0800] api WARNING Autocomplete data fetching error: Bad status for request TOpenSessionReq(username=u'administrator', password=None, client_protocol=6, configuration={'hive.server2.proxy.user': u'administrator'}):
TOpenSessionResp(status=TStatus(errorCode=0, errorMessage='Failed to validate proxy privilege of hue_hive for administrator', sqlState='08S01', infoMessages=['*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of hue_hive for administrator:14:13', 'org.apache.hive.service.auth.HiveAuthFactory:verifyProxyAccess:HiveAuthFactory.java:402', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getProxyUser:ThriftCLIService.java:748', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getUserName:ThriftCLIService.java:384', 'org.apache.hive.service.cli.thrift.ThriftCLIService:getSessionHandle:ThriftCLIService.java:411', 'org.apache.hive.service.cli.thrift.ThriftCLIService:OpenSession:ThriftCLIService.java:316', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1253', 'org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1238', 'org.apache.thrift.ProcessFunction:process:ProcessFunction.java:39', 'org.apache.thrift.TBaseProcessor:process:TBaseProcessor.java:39', 'org.apache.hive.service.auth.TSetIpAddressProcessor:process:TSetIpAddressProcessor.java:56', 'org.apache.thrift.server.TThreadPoolServer$WorkerProcess:run:TThreadPoolServer.java:286', 'java.util.concurrent.ThreadPoolExecutor:runWorker:ThreadPoolExecutor.java:1145', 'java.util.concurrent.ThreadPoolExecutor$Worker:run:ThreadPoolExecutor.java:615', 'java.lang.Thread:run:Thread.java:745', '*org.apache.hadoop.security.authorize.AuthorizationException:User: hue_hive is not allowed to impersonate administrator:0:-1'], statusCode=3), sessionHandle=None, configuration=None, serverProtocolVersion=6)

Re: Failed to validate proxy privilege of hue_hive for administrator

Champion
Does the user 'administrator' exist on the HS2 node, and preferable the rest of the nodes. Does the user have a HDFS user directory, /user/administrator, with full access to it?

These items are what is needed for users to access the cluster and run jobs regardless of the means of authentication.

Re: Failed to validate proxy privilege of hue_hive for administrator

Explorer

The user 'administrator' is LDAP user that I add/sync in Hue, which having HDFS user directory, /user/administrator and having full access.. does it means the user also exist in HS2 node? Should I check it in Linux OS-level? Thanks for your help.

 

 2017-01-20 01_14_13-Hue - File Browser.jpg

Re: Failed to validate proxy privilege of hue_hive for administrator

Champion
Yes check there. I don't know the HIve source code but I do know that HDFS still does a username/group lookup against the OS.

Re: Failed to validate proxy privilege of hue_hive for administrator

Explorer

My Hive is also Enabled LDAP Authentication, my user 'hue_hive' doesn't exist in Linux but only in LDAP and Hue as well..

I have tried to run query in Hue and beeline with 'hue_hive', it also works. From this point I think my user 'hue_hive' is exist in HS2.

How about the other users in LDAP such as 'administrator'? How does HS2 actually impersonate the user to other services? such as MapReduce and HDFS..?

 

2017-01-20 09_47_23-root@daiwatest__etc_hue.jpg

Highlighted

Re: Failed to validate proxy privilege of hue_hive for administrator

Explorer

hey were you able to resolve this issue. I am facing the same issue, any help is much appreciated

Re: Failed to validate proxy privilege of hue_hive for administrator

Super Guru

@jackyyipjk,

 

The following error indicates that the "hue_hive" user is not authorized to act as a proxy for other users:

Failed to validate proxy privilege of hue_hive for administrator:14:13'

 

Hue authenticates to Hive as "hue_hive" but it must then act as a proxy.  This is restricted by default.

Usually, this can be configured in Cloudera Manager by editing:

HDFS --> Configuration --> Service Wide --> Advanced --> Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml

 

You can add, for instance:

 

hadoop.proxyuser.hue_hive.groups

*

 

XML representiation:


<property>
<name>hadoop.proxyuser.hue_hive.groups</name>
<value>*</value>
</property>

 

The above will allow hue_hive to act as a proxy for any user (including "administrator)

 

Regards,

 

Ben