Created 01-20-2016 08:18 PM
Hello,
Hiveserver2 is non-responsive and the log reveals the error below.
Cluster is Kerberos enabled and there is no HA on Hive.
hive.cluster.delegation.token.store.class - org.apache.hadoop.hive.thrift.ZooKeeperTokenStore
Ambari V 2.0
HDP V 2.2.4.2

2016-01-19 23:20:18,466 ERROR [HiveServer2-Handler-Pool: Thread-159]: metadata.Hive (Hive.java:getDelegationToken(2910)) - java.lang.UnsupportedOperationException: getDelegationToken() can be called only in thrift (non local) mode
    at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDelegationToken(HiveMetaStoreClient.java:1664)
    at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(RetryingMetaStoreClient.java:90)
    at com.sun.proxy.$Proxy12.getDelegationToken(Unknown Source)
    at org.apache.hadoop.hive.ql.metadata.Hive.getDelegationToken(Hive.java:2908)
    at org.apache.hive.service.cli.CLIService.getDelegationTokenFromMetaStore(CLIService.java:467)
    at org.apache.hive.service.cli.thrift.ThriftCLIService.getDelegationToken(ThriftCLIService.java:340)
    at org.apache.hive.service.cli.thrift.ThriftCLIService.getSessionHandle(ThriftCLIService.java:321)
    at org.apache.hive.service.cli.thrift.ThriftCLIService.OpenSession(ThriftCLIService.java:235)
    at org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1253)
    at org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1238)
    at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
    at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge20S.java:679)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:206)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Appreciate your help!
Regards
Pranay VYas
Created 01-21-2016 04:22 PM
It looks like you may be running into HIVE-4625. This bug presents when Hiveserver2 is running with doAs enabled (hive.server2.enable.doAs=true). Best practices for securing the cluster call for running Hiveserver2 with doAs disabled because of the ability for a user to skirt Hive authorization policies in Ranger by going directly to HDFS to read files. Here is a link to the article: Best Practices for Hive Authorization. Setting doAs to false should also solve your issue of delegation token errors. This bug is corrected in Hive 1.2 which is included with HDP 2.3 and Hiveserver2 will not ask for delegation tokens from metastore any more.
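A way to check a hive-site.xml for the doAs setting discussed in the reply above, as an added example that is not part of the original thread or of Hive itself. The sample file content is constructed; `audit_doas` and `load_props` are hypothetical helper names, and the check relies on Hive's default of `true` for `hive.server2.enable.doAs`, so a missing property is reported as enabled.

```python
import xml.etree.ElementTree as ET

# Constructed hive-site.xml fragment (sample input, not the poster's real file).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property>
    <name>hive.cluster.delegation.token.store.class</name>
    <value>org.apache.hadoop.hive.thrift.ZooKeeperTokenStore</value>
  </property>
</configuration>"""

DOAS = "hive.server2.enable.doAs"

def load_props(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML; later entries win."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_doas(xml_text):
    """Return a list of findings about HiveServer2 impersonation (doAs)."""
    props = load_props(xml_text)
    # Hive's default for this property is true, so an absent entry still means doAs is on.
    doas = props.get(DOAS, "true").lower() == "true"
    findings = []
    if doas:
        source = "explicitly" if DOAS in props else "by default (property absent)"
        findings.append(f"{DOAS} is enabled {source}: queries run as the end user, "
                        "who needs direct HDFS access that bypasses Ranger Hive policies")
        if props.get("hive.server2.authentication", "").upper() == "KERBEROS":
            findings.append("Kerberos + doAs: HiveServer2 requests metastore delegation "
                            "tokens at OpenSession (the HIVE-4625 failure path)")
    return findings

if __name__ == "__main__":
    for line in audit_doas(SAMPLE_HIVE_SITE) or ["doAs disabled: no findings"]:
        print(line)
```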
Created 01-23-2016 07:37 PM
Thank you very much @emaxwell. This helps.