Hive View user is not allowed to impersonate.

Hi,

I have a problem with Hive View in a Kerberized HDP 2.5 cluster. I have configured one-way trust with AD. When I try to access Hive View as the "admin" user:

User: HADOOP_User10 is not allowed to impersonate admin

I know I can solve this by adding proxyuser.HADOOP_User10, but this user is not a technical user and he should not be allowed to impersonate anyone. How can I change the user HADOOP_User10 to "hive" or "root", which is more secure? Below is my Hive View configuration:

Hive Authentication
auth=KERBEROS;principal=hive/_HOST@HADOOP.COM;hive.server2.proxy.user=${username};saslQop=auth-conf

WebHDFS Username
${username}

WebHDFS Authentication
auth=KERBEROS;proxyuser=ambari-server

The strange thing is that, when I run "kadmin" as root on the KDC host, it tries to authenticate me as HADOOP_User10/admin@HADOOP.COM. I solved it by deleting the cache file /tmp/krb5cc_... containing HADOOP_User10.

Thank you in advance.

@EDIT

I tried Regenerating Keytabs

Re: Hive View user is not allowed to impersonate.

@Edgar Daeds How/where are you using 'HADOOP_User10' ?

From the error message, it seems that the Hive View was accessed by 'HADOOP_User10' and he tried to run some command as 'admin' user.

The kadmin program always tries to use the user in the current credential cache; if that is empty, it will try to use the '<current-shell-user>/admin@REALM' format to 'guess' your admin user name. Hence you are seeing that. You can change that by specifying "-p <principal>" at the command line.

Hope this helps!
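
The kadmin behaviour discussed in this thread, as an added example that is not part of any post: a shell check that predicts which principal kadmin will pick when no "-p" is given and flags a credential cache that belongs to someone other than the shell user. The function names, the sample klist output and the cache file name are constructed for illustration; the selection rule follows the MIT kadmin man page (append /admin to the primary name of the default ccache principal, otherwise to the user name).

```shell
#!/bin/sh
# Added example (not from the thread). Sample klist output is constructed.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_EXAMPLE
Default principal: HADOOP_User10@HADOOP.COM

Valid starting       Expires              Service principal
01/01/2017 10:00:00  01/01/2017 20:00:00  krbtgt/HADOOP.COM@HADOOP.COM'

# Print the "Default principal" of a klist listing passed as $1 (empty if none).
ccache_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *//p' | head -n 1
}

# Predict kadmin's default principal.
# $1 = klist output (may be empty), $2 = shell user, $3 = default realm
kadmin_default_principal() {
    princ=$(ccache_principal "$1")
    if [ -n "$princ" ]; then
        realm=${princ##*@}        # part after the last '@'
        primary=${princ%@*}       # drop the realm
        primary=${primary%%/*}    # drop any instance, keep the primary name
    else
        primary=$2                # no cache: fall back to the user name
        realm=$3
    fi
    printf '%s/admin@%s\n' "$primary" "$realm"
}

# Succeed when the cache holds a ticket for someone other than the shell user,
# i.e. the situation described in the question (root shell, user's ticket).
ccache_mismatch() {
    princ=$(ccache_principal "$1")
    [ -n "$princ" ] || return 1
    primary=${princ%@*}
    primary=${primary%%/*}
    [ "$primary" != "$2" ]
}

# Demo on the constructed sample; on a live host pass "$(klist 2>/dev/null)"
# and "$(id -un)" instead.
if ccache_mismatch "$SAMPLE_KLIST" root; then
    echo "cache belongs to another user; kadmin would try:" \
         "$(kadmin_default_principal "$SAMPLE_KLIST" root HADOOP.COM)"
    echo "run kdestroy first, or pass -p <principal> explicitly"
fi
```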

Re: Hive View user is not allowed to impersonate.