
Kerberized HDP 2.4 - getting error in using Hive View on Ambari

Expert Contributor

Hi All,

I have a kerberized HDP 2.4 cluster, and I've created a user - hive_user1

I log on to Hive View on Ambari, and fire a simple query - select * from test

The error I get is shown below -

-------------------------------

Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hdfs] does not have [SELECT] privilege on [default/test/sno] [ERROR_STATUS]

-----------------------------

Please note - I've disabled Global access to Hive, but given access to user - hive_user1

But somehow, it is using the hdfs user to access Hive.

Any ideas on this?

Attached are the screenshots of the user and the error obtained.



@Karan Alang

What is the value you have set for "hive.server2.enable.doAs" (true/false)? By default, HiveServer2 performs the query processing as the user who submitted the query. But if this parameter is set to false, the query will run as the user that the hiveserver2 process runs as.

https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Imperso...

Also do you have Ranger installed in your cluster?


@Karan Alang

Good to know that you are able to access the table using HIVE VIEW after adding the permission from Ranger side.

Also, regarding your query where you asked why you still see the [hdfs] user: you mentioned that "hive.server2.enable.doAs" is set to false in hive-site.xml.

hive.server2.enable.doAs – Impersonate the connected user, default true. This means the query is processed as the user who submitted the query.

Expert Contributor

@jss - this is set to false in hive-site.xml. What should the value be set to?

I tried changing it to true, but the error is still the same.

Yes, Ranger is installed; I'm changing permissions using Ranger.

Expert Contributor

@jss - actually, this is not working as desired. I don't want to put 'hdfs' as a group within Ranger; instead I want to be able to control access using users - hive_user1 or hdfs_user2 (instead of using the service account - hdfs - for controlling access).

Master Guru

Is this an external table? If so, can you verify you have access to the underlying HDFS table? If you have impersonation turned on, then you have to control access from both Hive and HDFS.

Expert Contributor

@Sunile Manjee, this is a regular table, not an external table.

Attaching the table definition; the permissions at the HDFS level are as shown below -

I'm able to access the table - test - from the command line.

I'm currently trying to restrict access from the Hive View.

-------------------------------------------------------------------------------------------------------------

hive> dfs -ls /apps/hive/warehouse/;

Found 5 items

drwxrwxrwx - hdfs hdfs 0 2016-12-01 22:32 /apps/hive/warehouse/test

Expert Contributor

@Sunile Manjee -

When you say - if you have impersonation turned on (i.e. set hive.server2.enable.doAs = true), control access from both Hive and HDFS - do you mean to say that I have to change the permissions in HDFS as well (i.e. group)?

What if impersonation is turned off?

Please clarify.

Expert Contributor

@Sunile Manjee, @Daniel Kozlowski - the above steps you mentioned are already done, hence I'm able to access the HIVE VIEW on Kerberized HDP 2.4.

Attaching the screenshot of the HIVE VIEW config. I made some minor changes and am now getting the following error:

-------------------------------

Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [ambari-server] does not have [SELECT] privilege on [default/test/sno] [ERROR_STATUS]

-----------------

Any ideas on this?

I'm able to access the Hive table if I add ambari-ranger to the Ranger policy, but it is not able to access it if I give only the users - hive_user1, hive_user2 - access to the table 'test'.
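
Added example, not part of any post in this thread: a small Python triage that parses the two denial messages quoted above and a constructed hive-site.xml fragment, to show which principal the authorizer actually evaluated versus the user logged in to Hive View. The function names and the XML fragment are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed hive-site.xml fragment (the thread says the property was set to false).
HIVE_SITE = """<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
  </property>
</configuration>"""

# The two denial messages quoted in the thread.
ERRORS = [
    "Error while compiling statement: FAILED: HiveAccessControlException Permission denied: "
    "user [hdfs] does not have [SELECT] privilege on [default/test/sno] [ERROR_STATUS]",
    "Error while compiling statement: FAILED: HiveAccessControlException Permission denied: "
    "user [ambari-server] does not have [SELECT] privilege on [default/test/sno] [ERROR_STATUS]",
]

DENIAL = re.compile(
    r"HiveAccessControlException Permission denied: user \[(?P<user>[^\]]+)\] "
    r"does not have \[(?P<priv>[^\]]+)\] privilege on \[(?P<resource>[^\]]+)\]"
)

def do_as_enabled(hive_site_xml, default=True):
    """Return hive.server2.enable.doAs from hive-site.xml text (default true, per the thread)."""
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        if prop.findtext("name", "").strip() == "hive.server2.enable.doAs":
            return prop.findtext("value", "").strip().lower() == "true"
    return default

def triage(message, logged_in_user):
    """Parse one denial; flag when the denied principal is not the logged-in user."""
    m = DENIAL.search(message)
    if m is None:
        return None
    result = m.groupdict()
    result["identity_mismatch"] = result["user"] != logged_in_user
    return result

if __name__ == "__main__":
    print("doAs enabled:", do_as_enabled(HIVE_SITE))
    for line in ERRORS:
        print(triage(line, "hive_user1"))
```

A mismatch on every denial means the policy check is being made against the identity the view connects with, so granting rights to hive_user1 alone cannot satisfy it.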