Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Kerberized HDP 2.4 - getting error in using Hive View on Ambari

Labels:
avatar
author-rank karan_alang1
Expert Contributor

Created ‎12-03-2016 02:29 AM

Hi All,

I've a kerberized HDP 2.4 - and i've created user - hive_user1

I logon to Hive View on Ambari, and fire simple query - select * from test

The error i get is shown below -

-------------------------------

Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hdfs] does not have [SELECT] privilege on [default/test/sno] [ERROR_STATUS]

-----------------------------

Pls note - i've disabled Global access to Hive, but given access to user - hive_user1

But somehow, it is using hdfs user to access Hive.

Any ideas on this ?

attached is the screenshot of the user, and the error obtained.

screen-shot-2016-12-02-at-61927-pm.png

screen-shot-2016-12-02-at-62808-pm.png

6,880 Views
0 Kudos
0
1 ACCEPTED SOLUTION
16 REPLIES 16

avatar
Former Member

Created ‎12-03-2016 05:53 AM

@Karan Alang

What is the value you have set for "hive.server2.enable.doAs" (true/false). By default HiveServer2 performs the query processing as the user who submitted the query. But if the following parameter is set to false, the query will run as the user that the hiveserver2 process runs as.

https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Imperso...

Also do you have Ranger installed in your cluster?

5,362 Views
0 Kudos

avatar
Former Member

Created ‎12-03-2016 07:38 AM

@Karan Alang

Good to know that you are able to access the table using HIVE VIEW after adding the permission from Ranger side.

Also regarding your query Where you said that Why do you still see [hdfs] user and you mentioned that "you have set "hive.server2.enable.doAs" is set to false in hive-site.xml

The hive.server2.enable.doAs – Impersonate the connected user, default true. Means the query processing as the user who submitted the query.

5,362 Views
0 Kudos

avatar
author-rank karan_alang1
Expert Contributor

Created ‎12-03-2016 07:38 AM

@jss - this is set to false in hive-site.xml .. what should the value be set to ?

I tried changing to true, but the error is still the same

yes, ranger is installed, i'm changing permissions using Ranger.

5,362 Views
0 Kudos

avatar
author-rank karan_alang1
Expert Contributor

Created ‎12-03-2016 06:06 PM

@jss - actually, this is not working as desired.. i don't want to put 'hdfs' as group within Ranger, instead i want to be able to control access using users - hive_user1 or hdfs_user2 (instead of using service account - hdfs for controlling access).

5,362 Views
0 Kudos

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎12-03-2016 06:07 AM

Is this external table? if so can you verify you have access to the underlying hdfs table. if you have impersonation turned on, then you have to control access from both hive and hdfs.

5,362 Views
0 Kudos

avatar
author-rank karan_alang1
Expert Contributor

Created ‎12-03-2016 06:48 AM

@Sunile Manjee, this is regular table .. not external table

Attaching the Table definition, also permissions at the hdfs level is as shown below -

I'm able to access the table - test - from the command line.

I'm currently trying to restrict access from the Hive View.

-------------------------------------------------------------------------------------------------------------

hive> dfs -ls /apps/hive/warehouse/;

Found 5 items drwxrwxrwx - hdfs hdfs 0 2016-12-01 22:32 /apps/hive/warehouse/test

test-ddl.txt
Preview file
2 KB
5,362 Views
0 Kudos

avatar
author-rank karan_alang1
Expert Contributor

Created ‎12-05-2016 02:47 AM

@Sunile Manjee -

when you say - if you have impersonation turned on (i.e. set hive.server2.enable.doAs = true), control access from both hive and hdfs - do you mean to say that i've to change the permissions in hdfs as well (i.e group) ?

what if impersonation is turned off ?

Pls. clarify.

5,362 Views
0 Kudos

avatar
author-rank dkozlowski
Guru

Created ‎12-03-2016 06:35 AM

@Karan Alang

If you have Kerberized cluster - the usual things to check:

> Setup HDFS Proxy User - http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.2.0/bk_ambari_views_guide/content/_setup_HDFS_pr...

> Set Up Kerberos for Ambari Server - http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_Ambari_Security_Guide/content/_optional_s...

> Kerberos Setup for Hive Views - http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.0/bk_ambari_views_guide/content/section_kerber...

6,566 Views
0 Kudos
0

avatar
author-rank karan_alang1
Expert Contributor

Created ‎12-05-2016 12:01 AM

@Sunile Manjee, @Daniel Kozlowski - the above steps you mentioned are already done, hence i'm able to access the HIVE VIEW on Kerberized HDP2.4

Attaching the screen shot of the HIVE VIEW config, made some minor change -now getting the following error ..

-------------------------------

Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [ambari-server] does not have [SELECT] privilege on [default/test/sno] [ERROR_STATUS]

-----------------

Any ideas on this ?

I'm able to access the Hive table if i add ambari-ranger to Ranger policy, but it is not able to access if i give only the users - hive_user1, hive_user2 acess to the table - 'test'ambari-hive-view-hdp24-1.pdf

ambari-hive-view-hdp24-1.pdf
Preview file
73 KB
5,362 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements