I have an HDFS-Hive-Impala regression script that works fine on my kerberized & sentry protected CDH cluster.
Now, I enabled LDAP authentication on HDFS (LdapGroupsMapping), Hive and Impala and the regression script passes HDFS and Hive but fails on the SELECT-INSERT-CREATE Impala actions:
Failure 1 & 2 (similar error for select and insert):
Query: select * from customer.cons limit 10 ERROR: AnalysisException: Failed to load metadata for table: 'customer.cons' CAUSED BY: TableLoadingException: Failed to load file metadata for 1 paths for table customer.cons. Table's file metadata could be partially loaded. Check the Catalog server log for more details.
Query: create table customer.test_141226 (id int) ERROR: ImpalaRuntimeException: Error making 'createTable' RPC to Hive Metastore: CAUSED BY: MetaException: Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=impala, access=WRITE, inode="/user/hive/warehouse/customer.db":hive:hive:drwxrwx--t
Note 1: Hive and Impala share the exact the same queries on the regression script. The latter seems like an impersonation problem, but why does it appear now and not before LDAP?
Note 2: services principals are localy (KDC) while user principals on AD.