Created 03-08-2016 10:12 AM
workflow.xmlTrying to run an Oozie Hive2 action in kerberized cluster with HS2 transport set to http (to support Knox), I'm getting the following error:
ACTION[0000010-1...6-oozie-oozi-W@hive2-node] Exception in addtoJobConforg.apache.hive.service.cli.HiveSQLException: Delegation token only supported over kerberos authentication
I set
jdbcUrl=jdbc:hive2://oozie1.example.com:10000/default;ssl=false;transportMode=http;httpPath=cliservice
and hive principal to hive/hive2.example.com@EXAMPLE.COM and I can see in the log that the final URL was constructed correctly by concat-ing jdbcUrl and the principal, but I get the exception. Has anybody been able to make this run and how? BTW, Hive's doAs=false, as I found some articles claiming this to be the solution, but not for me 😞
Attaching the workflow, it's from Oozie examples, with added credentials and the password. jdbcUrl and the principal are given above.
Created 03-08-2016 06:24 PM
HTTP transport mode of HS2 + kerberos + Oozie Hive2 action is not supported in current releases of HDP. It will be fixed in next maintenance release of HDP 2.4 .
This is the apache jira tracking it - https://issues.apache.org/jira/browse/HIVE-13169
Created 03-08-2016 11:17 AM
Can you share your workflow? Did you add the Hive2Credential in the action?
Actually not completely sure if needed in a Hive2 Action but I assume so. He gets the information like keytab from the hive-site.xml
https://oozie.apache.org/docs/4.2.0/DG_ActionAuthentication.html
Does the same URL work from beeline?
Created 03-08-2016 12:01 PM
Just put the workflow.xml, and yes, the same URL with the principal works from beeline.
Created 03-08-2016 06:24 PM
HTTP transport mode of HS2 + kerberos + Oozie Hive2 action is not supported in current releases of HDP. It will be fixed in next maintenance release of HDP 2.4 .
This is the apache jira tracking it - https://issues.apache.org/jira/browse/HIVE-13169
Created 03-09-2016 12:58 AM
Thanks for chiming in! It seems it was resolved just a few days ago. We'll be waiting for the fix.
 
					
				
				
			
		
