Hive server 2 authentication with AD issues

Contributor

Hi,

When I tried to configure Hive Server 2 authentication with AD, I got the error below in beeline:

Beeline version 1.2.1000.2.6.0.3-8 by Apache Hive
beeline> !connect jdbc:hive2://local host:10000
Connecting to jdbc:hive2://local host:10000
Enter username for jdbc:hive2://localhost:10000: XXXX
Enter password for jdbc:hive2://feabigrpd01:10000: **********
Connected to: Apache Hive (version 1.2.1000.2.6.0.3-8)
Driver: Hive JDBC (version 1.2.1000.2.6.0.3-8)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://local host:10000>

0: jdbc:hive2://localhost:10000> show databases ;

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user XXXX does not have [USE] privilege on [null] (state=42000,code=40000)

1. I have configured the properties below:

hive.server2.authentication=LDAP

hive.server2.authentication.ldap.url=ldap://XXX.co.XX:389

hive.server2.authentication.ldap.Domain=dc=XXX,dc=co,dc=XX

2. Hive server2 log errors (/var/log/hive):

ERROR [HiveServer2-Handler-Pool: Thread-71]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]]]
    at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)

3. Ambari Hive view authentication error:

Service checks completed

HDFS test
HiveServer test
ATS test
User Home Directory test

Issues detected

Hive authentication failed

4. I have a Ranger policy in place which gives user XXX permission to all the directories in HDFS and select access to all tables.

Please assist me to resolve this issue. Thanks in advance.

1 ACCEPTED SOLUTION

Contributor

@Manish Gupta Thank you so much for your response. I managed to resolve this issue by entering the username in upper case and was able to access all the Hive tables based on the policies defined in Ranger. It's strange that when I type the username in lowercase, AD authentication was successful but permission was denied to access the tables. I have attached screenshots of both scenarios.

Thanks.

Attachment: hive-ad-issue.png


3 REPLIES

Super Collaborator
@Samant Thakur

Please check Ranger Audit first to find out whether it was blocked by Ranger or not. If it is being blocked then it must be the Hive policy, which is blocking you. Please let me know.

Super Collaborator

@Samant Thakur

Yes, it is very annoying when the user ID is in upper or mixed case, which is very normal in AD, which is not case-sensitive. But Linux is case-sensitive, and so is Ranger. You can remove case-sensitivity in Ranger, but it is ideal to do it during the installation. You can refer to this article:

https://community.hortonworks.com/content/kbentry/145832/ranger-user-sync-issues-due-to-case-differe...

PS: As usual, if you think my response helped you to find a solution, then please accept my response as the best answer.
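
The thread mixes two different failures: an AD bind rejection (LDAP error 49) and a Ranger authorization denial caused by user-name case. The following is an added example, not code from any poster or from Hive/Ranger, that separates the two when triaging such messages. It assumes you supply the user names exactly as they appear in your Ranger policies (`policy_users` is a hypothetical input), and the sub-code table is the standard AD meaning of the `data` field.

```python
import re

# AD sub-codes in the "data XXX" field of LDAP error 49 (Win32 logon errors, hex).
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
LDAP49 = re.compile(r"LDAP: error code 49 .*?data ([0-9a-fA-F]+)")
DENIED = re.compile(r"Permission denied: user (\S+) does not have \[(\w+)\] privilege")


def triage(lines, policy_users):
    """Label each matching line as an AD bind failure or an authorization denial."""
    by_lower = {}
    for name in policy_users:
        by_lower.setdefault(name.lower(), []).append(name)
    findings = []
    for line in lines:
        m = LDAP49.search(line)
        if m:
            code = m.group(1).lower()
            findings.append(("bind_failed", AD_SUBCODES.get(code, "unknown sub-code " + code)))
            continue
        m = DENIED.search(line)
        if not m:
            continue
        user = m.group(1)
        if user in policy_users:
            # Exact name is in a policy, so the policy itself lacks the privilege.
            findings.append(("exact_match_denied", user))
        elif user.lower() in by_lower:
            # Authenticated name differs only in case from a policy name.
            findings.append(("case_mismatch", (user, sorted(by_lower[user.lower()]))))
        else:
            findings.append(("no_policy_for_user", user))
    return findings


# Constructed sample lines modelled on the messages in the question; "jdoe" is made up.
SAMPLE = [
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]",
    "FAILED: HiveAccessControlException Permission denied: user jdoe "
    "does not have [USE] privilege on [null]",
]
```

A `case_mismatch` finding corresponds to the situation resolved in this thread: the bind succeeds under either spelling, but only the spelling stored in the policy is authorized.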