Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Hive groups not being fetched

Hive groups not being fetched

New Contributor

I have been dealing with issue quite some time now. I am using the Hortonworks 2.5 sandbox.

I have configured hdfs to pull groups from an LDAP. When I type hdfs groups <user> it returns the appropriate groups for the user. However, when I try accessing a table with Hive (authorization with Ranger), I get an LDAP error saying their are unbalanced parenthesis, so hive cannot retrieve the groups. If there were unbalances parenthesis hdfs would not be able to retrieve the groups either, right?

Here are my filters:

user filter - (&(|(objectClass=posixAccount)(objectClass=applicationProcess))(uid={0}))
group-filter - (objectClass=groupOfNames)

Here are my hiverserver2 logs:

2016-11-10 12:07:54,760 WARN  [HiveServer2-Handler-Pool: Thread-51]: security.LdapGroupsMapping (LdapGroupsMapping.java:getGroups(252)) - Failed to get groups for user bibby (retry=0) by javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'dc=hortonworks,dc=com'2016-11-10 12:07:54,764 WARN  [HiveServer2-Handler-Pool: Thread-51]: security.LdapGroupsMapping (LdapGroupsMapping.java:getGroups(252)) - Failed to get groups for user bibby (retry=1) by javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'dc=hortonworks,dc=com'2016-11-10 12:07:54,767 WARN  [HiveServer2-Handler-Pool: Thread-51]: security.LdapGroupsMapping (LdapGroupsMapping.java:getGroups(252)) - Failed to get groups for user bibby (retry=2) by javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'dc=hortonworks,dc=com'2016-11-10 12:07:54,788 INFO  [HiveServer2-Handler-Pool: Thread-51]: log.PerfLogger (PerfLogger.java:PerfLogEnd(176)) - </PERFLOG method=doAuthorization start=1478779674701 end=1478779674788 duration=87 from=org.apache.hadoop.hive.ql.Driver>2016-11-10 12:07:54,789 ERROR [HiveServer2-Handler-Pool: Thread-51]: ql.Driver (SessionState.java:printError(948)) - FAILED: HiveAccessControlException Permission denied: user [bibby] does not have [USE] privilege on [null]org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [bibby] does not have [USE] privilege on [null]        at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:412)        at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:855)        at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:643)

Any help would be much appreciated. Thanks!

4 REPLIES 4

Re: Hive groups not being fetched

can you go the the ranger UI and see if the policy exist for user bibby ?

Re: Hive groups not being fetched

New Contributor

Even if there was no policy it shouldn't it still be able to retrieve the groups for the user? The logs say it can't get the groups.

Re: Hive groups not being fetched

what is your group sync settings ?

Highlighted

Re: Hive groups not being fetched

New Contributor

For hdfs I set group mappings in core-site.xml (http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/). For ranger I set it to pull the groups from the ldap, which it does. So the users. groups show up in Ranger and hdfs groups *user*, but cannot be fetched with hive.

Don't have an account?
Coming from Hortonworks? Activate your account here