Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Hive server 2 authentication with AD issues

Solved Go to solution
Highlighted

Hive server 2 authentication with AD issues

Contributor

Hi,

When I tried to config hive server 2 authentication with AD. I am getting below error in beeline

Beeline version 1.2.1000.2.6.0.3-8 by Apache Hive beeline> !connect jdbc:hive2://local host:10000 Connecting to jdbc:hive2://local host:10000 Enter username for jdbc:hive2://localhost:10000: XXXX

Enter password for jdbc:hive2://feabigrpd01:10000: **********

Connected to: Apache Hive (version 1.2.1000.2.6.0.3-8) Driver: Hive JDBC (version 1.2.1000.2.6.0.3-8) Transaction isolation: TRANSACTION_REPEATABLE_READ 0: jdbc:hive2://local host:10000>

0: jdbc:hive2://localhost:10000> show databases ;

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user XXXX does not have [USE] privilege on [null] (state=42000,code=40000)

1. I have configured below properties

hive.server2.authentication =LDAP

hive.server2.authentication.ldap.url=ldap://XXX.co.XX:389

hive.server2.authentication.ldap.Domain=dc=XXX,dc=co,dc=XX

2. hive server2 logs error :/var/log/hive

ERROR [HiveServer2-Handler-Pool: Thread-71]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]]] at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)

3. Ambari Hive view authentication error :

Service checks completed

HDFS test
HiveServer test
ATS test
User Home Directory test

Issues detected

Hive authentication failed

4. I have got ranger policy in place which gives the permission to user XXX to all the directories in HDFS & select access to all tables.

Please assist me to resolve this issue. Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Hive server 2 authentication with AD issues

Contributor

@Manish Gupta Thank you so much for your response. I managed to resolve this issue by entering the username in upper case and was able to access all the Hive tables based on the policies defined in Ranger. It's strange that when I type username in lowercase ,AD authentication was successful but permissions denied to access the tables. I have attached screenshots of both scenarios.

Thanks.hive-ad-issue.png

View solution in original post

3 REPLIES 3

Re: Hive server 2 authentication with AD issues

Expert Contributor
@Samant Thakur

Please check Ranger Audit first to find out whether it was blocked by Ranger or not. If it is being blocked then it must be the Hive policy, which is blocking you. Please let me know.

Highlighted

Re: Hive server 2 authentication with AD issues

Contributor

@Manish Gupta Thank you so much for your response. I managed to resolve this issue by entering the username in upper case and was able to access all the Hive tables based on the policies defined in Ranger. It's strange that when I type username in lowercase ,AD authentication was successful but permissions denied to access the tables. I have attached screenshots of both scenarios.

Thanks.hive-ad-issue.png

View solution in original post

Highlighted

Re: Hive server 2 authentication with AD issues

Expert Contributor

@Samant Thakur

Yes, it is very annoying when User ID is in upper or mixed case, which is very normal in AD, which is not case-sensitive. But, linux is case-sensitive and so is Ranger. You can remove case-sensitivity in Ranger. But, it is ideal to do it during the installation. You can refer to this article:

https://community.hortonworks.com/content/kbentry/145832/ranger-user-sync-issues-due-to-case-differe...

PS: As usual, If you think my response helped you to find a solution then please accept my response as the best answer.


Don't have an account?
Coming from Hortonworks? Activate your account here