Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Hive to Run Queries on a Secure HBase Server through beeline is not working

Hive to Run Queries on a Secure HBase Server through beeline is not working

New Contributor

Hi,

 

We recently secured the cluster with kerberos. After that we are facing the problem with accessing the hbase tables through hive beeline. Initially we had problem with accessing them hive shell as well. However it seems went away when we added the below properties to hive-site.xml though "Hive Service Advanced Configuration Snippet", "Hive Client Advanced Configuration Snippet", "HiveServer2 Advanced Configuration Snippet". 

 

<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.master.kerberos.principal</name>
<value>hbase/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>hbase/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hbase.zookeeper.quorum</name>
<value>ZOOKEEPER1,ZOOKEEPER2,ZOOKEEPER3</value>
</property>

 

However it is still not working through beeline. We get the below error while querying the hbase table from beeline. Please note: I did grant the user permission to access this table from hbase shell.

 

Error: java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (table=D1TURN:ADOBE_SEARCH_ENGINE_LOOKUP, action=READ)
at org.apache.hadoop.hbase.security.access.AccessController.internalPreRead(AccessController.java:1517)
at org.apache.hadoop.hbase.security.access.AccessController.preScannerOpen(AccessController.java:1964)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$50.call(RegionCoprocessorHost.java:1274)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1663)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1738)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1712)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preScannerOpen(RegionCoprocessorHost.java:1269)
at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2118)
at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:31443)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2035)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:107)
at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:130)
at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:107)
at java.lang.Thread.run(Thread.java:745) (state=,code=0)

 

Any help on this would be greatly appreciated.

 

Thanks,

Briglal

 

2 REPLIES 2

Re: Hive to Run Queries on a Secure HBase Server through beeline is not working

Master Guru

If you are using Cloudera Manager (CM) then the HBase configurations are self-added to your HiveServer2 (HS2) instance as long as you've selected a HBase service under Hive's Configuration page. This removes all need to configure any XML or properties for HBase secure services manually.

Does your Hive instance use impersonation, or is that disabled? If your HS2 instance does not use impersonation, then the grant on the HBase side needs to be done for the "hive" user, cause all HS2 activity will be done as that user (against whatever storage backend, HDFS or HBase).

If you seek to avoid granting "hive" entire access over the table in HBase, you'll need to enable impersonation in HS2, so the activity gets done as the real user instead.
Highlighted

Re: Hive to Run Queries on a Secure HBase Server through beeline is not working

Explorer

@Harsh J wrote:
Does your Hive instance use impersonation, or is that disabled? If your HS2 instance does not use impersonation, then the grant on the HBase side needs to be done for the "hive" user, cause all HS2 activity will be done as that user (against whatever storage backend, HDFS or HBase).

thanks. after grant user hive on hbase, I can query hbase table via hive.

 

Thanks