Created 11-29-2017 08:33 PM
Hi,
When I tried to configure HiveServer2 authentication with AD, I got the error below in beeline:
Beeline version 1.2.1000.2.6.0.3-8 by Apache Hive
beeline> !connect jdbc:hive2://local host:10000
Connecting to jdbc:hive2://local host:10000
Enter username for jdbc:hive2://localhost:10000: XXXX
Enter password for jdbc:hive2://feabigrpd01:10000: **********
Connected to: Apache Hive (version 1.2.1000.2.6.0.3-8)
Driver: Hive JDBC (version 1.2.1000.2.6.0.3-8)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://local host:10000>
0: jdbc:hive2://localhost:10000> show databases ;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user XXXX does not have [USE] privilege on [null] (state=42000,code=40000)
1. I have configured the properties below:
hive.server2.authentication =LDAP
hive.server2.authentication.ldap.url=ldap://XXX.co.XX:389
hive.server2.authentication.ldap.Domain=dc=XXX,dc=co,dc=XX
2. HiveServer2 log error (/var/log/hive):
ERROR [HiveServer2-Handler-Pool: Thread-71]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]]]
    at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
3. Ambari Hive view authentication error:
HDFS test |
HiveServer test |
ATS test |
User Home Directory test |
Hive authentication failed
4. I have a Ranger policy in place which gives user XXX permission to all the directories in HDFS and select access to all tables.
Please assist me to resolve this issue. Thanks in advance.
Created 11-29-2017 10:21 PM
Please check Ranger Audit first to find out whether it was blocked by Ranger or not. If it is being blocked then it must be the Hive policy, which is blocking you. Please let me know.
Created 12-02-2017 02:21 PM
@Manish Gupta Thank you so much for your response. I managed to resolve this issue by entering the username in upper case and was able to access all the Hive tables based on the policies defined in Ranger. It's strange that when I type the username in lowercase, AD authentication was successful but permission was denied to access the tables. I have attached screenshots of both scenarios.
Thanks.
hive-ad-issue.png
Created 12-02-2017 06:36 PM
Yes, it is very annoying when the user ID is in upper or mixed case, which is very normal in AD, which is not case-sensitive. But Linux is case-sensitive and so is Ranger. You can remove case-sensitivity in Ranger, but it is ideal to do it during the installation. You can refer to this article:
PS: As usual, if you think my response helped you to find a solution, then please accept my response as the best answer.
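Added example, not part of the thread and not Ranger code: a small triage script that separates Hive denials caused only by username case (the situation resolved above) from genuine policy denials, and lists policy names that would merge into one identity if case were ignored. The policy user list, the user names and the function names are constructed for illustration; only the error message format comes from the question.

```python
import re
from collections import defaultdict

# Constructed sample data, not taken from the thread.
POLICY_USERS = ["JSMITH", "etl_svc", "ADoe", "adoe"]  # names as written in Ranger policies
DENIALS = [  # HiveServer2 errors in the format quoted in the question
    "Permission denied: user jsmith does not have [USE] privilege on [null]",
    "Permission denied: user etl_svc does not have [DROP] privilege on [sales]",
    "Permission denied: user tnguyen does not have [USE] privilege on [null]",
]
DENIED_RE = re.compile(r"Permission denied: user (\S+) does not have \[(\w+)\] privilege")


def index_by_fold(policy_users):
    """Map each case-folded name to the set of spellings used in policies."""
    index = defaultdict(set)
    for name in policy_users:
        index[name.casefold()].add(name)
    return index


def classify_denials(lines, policy_users):
    """Sort denials into: case mismatch, exact policy user denied, user in no policy."""
    index = index_by_fold(policy_users)
    out = {"case_mismatch": [], "exact_user": [], "not_in_policy": []}
    for line in lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        user, privilege = m.groups()
        spellings = index.get(user.casefold(), set())
        if user in spellings:
            out["exact_user"].append((user, privilege))  # a real policy decision
        elif spellings:
            # Same account in AD, different string to a case-sensitive matcher.
            out["case_mismatch"].append((user, sorted(spellings), privilege))
        else:
            out["not_in_policy"].append((user, privilege))
    return out


def fold_collisions(policy_users):
    """Policy names that would merge into one identity if case were ignored."""
    return sorted(sorted(s) for s in index_by_fold(policy_users).values() if len(s) > 1)


if __name__ == "__main__":
    for kind, rows in classify_denials(DENIALS, POLICY_USERS).items():
        print(kind, rows)
    print("would merge:", fold_collisions(POLICY_USERS))
```

Review the fold_collisions output before normalising case: names that differ only by case end up sharing one set of policies afterwards.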