Support Questions
Find answers, ask questions, and share your expertise

Hive LDAP Connection is too slow. Ranger Policies are not refreshing

Explorer

Hi All,

I have setup Hive LDAP Authentication. Locally on OS I have configured ldap.conf, sssd.conf, krb5.conf.

I have AD Federation from which each user has ~30 groups to be synced.

Important Information.

1. Cluster is not kerberized.

2. LDAP Authentication is enabled for HiveServer.

3. Ranger is syncing data from AD/LDAP.

4. HiveServer2 Authentication with LDAP is enabled and working.

5. Impersonation is on in HiveServer2.

6. Namenode has HA.

Question: Hive is taking ~2 minutes to login successfully. But than it give below error in the log & show databases; does not work. "Error getting policies."

Hive log says

~~~~

2017-10-13 14:01:53,976 WARN [Thread-14]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(154)) - Error getting policies. secureMode=false, user=hive (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=dev_hive

2017-10-13 12:51:03,358 ERROR [HiveServer2-Handler-Pool: Thread-84]: ql.Driver (SessionState.java:printError(993)) - FAILED: HiveAccessControlException Permission denied: user [XXXX] does not have [USE] privilege on [Unknown resource!!] org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [XXXX] does not have [USE] privilege on [Unknown resource!!] at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:460) at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:856) at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:644) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:511) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:321) at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1221) at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1215) at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:146) at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:226) at org.apache.hive.service.cli.operation.Operation.run(Operation.java:264) at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:470) at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:457) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.hive.service.cli.session.HiveSessionProxy.invoke(HiveSessionProxy.java:78) at org.apache.hive.service.cli.session.HiveSessionProxy.access$000(HiveSessionProxy.java:36) at org.apache.hive.service.cli.session.HiveSessionProxy$1.run(HiveSessionProxy.java:63) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866) at org.apache.hive.service.cli.session.HiveSessionProxy.invoke(HiveSessionProxy.java:59) at com.sun.proxy.$Proxy40.executeStatementAsync(Unknown Source) at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:313) at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:509) at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1317) at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1302) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

1 REPLY 1

You need to fix this issue first. See why hive plugin is not able to download policies from Ranger. Do you see any errors in ranger admin logs?

WARN [Thread-14]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(154)) - Error getting policies. secureMode=false, user=hive (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=dev_hive
Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.