Kerberized HDP 2.4 - getting error in using Hive View on Ambari

avatar
Expert Contributor

Hi All,

I have a kerberized HDP 2.4, and I've created a user - hive_user1

I log on to Hive View on Ambari, and fire a simple query - select * from test

The error I get is shown below -

-------------------------------

Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hdfs] does not have [SELECT] privilege on [default/test/sno] [ERROR_STATUS]

-----------------------------

Please note - I've disabled Global access to Hive, but given access to user - hive_user1

But somehow, it is using the hdfs user to access Hive.

Any ideas on this?

Attached is the screenshot of the user, and the error obtained.

screen-shot-2016-12-02-at-61927-pm.png

screen-shot-2016-12-02-at-62808-pm.png


avatar
Expert Contributor

@Daniel Kozlowski - please see response to your note above.

avatar

@Karan Alang

As previously mentioned:

> hive.server2.enable.doAs - Setting this property to true will have HiveServer2 execute Hive operations as the user making the calls to it - so set this property to TRUE

> review your hive view settings (see all 3 URLs I already posted) - based on what I can see, at least, Hive Authentication is incorrect. This is to be:

auth=KERBEROS;principal=hive/_HOST@EXAMPLE.COM;hive.server2.proxy.user=${username} - where EXAMPLE.COM is your REALM

avatar
Expert Contributor

@Daniel Kozlowski - thanks for your input on this, I was able to make this work!

The missing entry (as you mentioned) was ->

hive.server2.proxy.user=${username} in Hive Authorization

After adding this, I'm able to control access to Hive tables using Ranger.

However, there is still one issue which needs clarification: the value of the constant hive.server2.enable.doAs does not seem to be affecting behavior. Even when it is set to false (or true), the above behavior is seen.

Any ideas/comments on this?

avatar

@Karan Alang

Ensure you have: hive.server2.enable.doAs=true

Also set the following properties to *

hadoop.proxyuser.hive.hosts=*

hadoop.proxyuser.hive.groups=*

NOTE: I would appreciate it if you voted for all the answers that helped you fix the problem.
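
Added example, not part of the thread and not Ambari or Hive code: a small Python check of the settings named in the replies above (the Hive Authentication string, hive.server2.enable.doAs and the hadoop.proxyuser.hive.* properties). Function names and sample values are constructed for illustration; the `*` warnings are there because a wildcard lets the hive service user impersonate any user from any host.

```python
REQUIRED_PROXY_USER = "${username}"  # literal placeholder quoted in the reply above

def parse_session_params(text):
    """Split a 'key=value;key=value' Hive Authentication string into a dict."""
    params = {}
    for part in text.split(";"):
        key, sep, value = part.strip().partition("=")
        if key:
            params[key.strip()] = value.strip() if sep else ""
    return params

def audit(hive_auth, site):
    """Return (level, message) findings for the view string and cluster properties."""
    findings = []
    params = parse_session_params(hive_auth)
    if params.get("auth", "").upper() != "KERBEROS":
        findings.append(("ERROR", "auth is not KERBEROS"))
    principal = params.get("principal", "")
    if "/" not in principal or "@" not in principal:
        findings.append(("ERROR", "principal must look like hive/_HOST@REALM"))
    if params.get("hive.server2.proxy.user") != REQUIRED_PROXY_USER:
        findings.append(("ERROR", "hive.server2.proxy.user=${username} missing: "
                         "queries are not authorized as the logged-in user"))
    if site.get("hive.server2.enable.doAs", "").lower() != "true":
        findings.append(("WARN", "hive.server2.enable.doAs is not true (replies ask for true)"))
    for prop in ("hadoop.proxyuser.hive.hosts", "hadoop.proxyuser.hive.groups"):
        value = site.get(prop, "").strip()
        if not value:
            findings.append(("ERROR", prop + " unset: hive may not impersonate users"))
        elif value == "*":
            findings.append(("WARN", prop + "=* puts no limit on impersonation; "
                             "narrow it once the view works"))
    return findings

# Constructed sample: a string lacking the proxy.user entry (the gap the asker reports).
BROKEN_AUTH = "auth=KERBEROS;principal=hive/_HOST@EXAMPLE.COM"
# Constructed sample: the same string with the entry from the reply appended.
FIXED_AUTH = BROKEN_AUTH + ";hive.server2.proxy.user=${username}"
SITE = {  # constructed property values, as suggested in the replies
    "hive.server2.enable.doAs": "true",
    "hadoop.proxyuser.hive.hosts": "*",
    "hadoop.proxyuser.hive.groups": "*",
}

if __name__ == "__main__":
    for label, auth in (("broken", BROKEN_AUTH), ("fixed", FIXED_AUTH)):
        print(label)
        for level, message in audit(auth, SITE):
            print(" ", level, message)
```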

avatar
Expert Contributor
screen-shot-2016-12-02-at-112143-pm.png

@Sunile Manjee, @Daniel Kozlowski, @jss - attaching the screenshot of permissions on Ranger.

If I add user - hdfs - and provide read access - I'm able to access the table using HIVE VIEW.

avatar
Expert Contributor

@Kuldeep Kulkarni - any ideas on how to fix this?

avatar
Expert Contributor

@Kuldeep Kulkarni, @Sunile Manjee, @Daniel Kozlowski

This is what I see in the logs ->

2016-12-04 23:54:35,491 INFO [HiveServer2-Handler-Pool: Thread-76]: security.SecureClientUtils (SecureClientUtils.java:getClientConnectionHandler(94)) - doAsUser: ambari-server

So, it seems it is trying to access the Hive instance as user - ambari-user. How do I get it to access Hive as custom users (hive_user1 or hive_user2)?