Support Questions
Find answers, ask questions, and share your expertise
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Unable to impersonate users when using HiveServer2


Unable to impersonate users when using HiveServer2

New Contributor

I have a server app that uses impersonation to run Hive queries on behalf of users.  Every query that I execute is wrapped in a UserGroupInformation.doAs call.  When I run that server app on CDH4 set up for HiveServer2, it looks like HiveServer2 impersonation always runs the query as my server app's security principal, rather than as the principal that I am proxying.


I have configured core-site.xml to allow my server app to proxy users.  My app always executes queries using the following general sequence,wrapped inside a doAs:

conf = new HiveConf(Driver)
driver = new Driver(conf)
state = new SessionState(conf)
configure the session state
driver.compile and drriver.execute

In the Hive warehouse, all databases and tables seem to be created with the owner set to the server app's userid, rather than the impersonated user's userid.  When I prepare data for a new table, I load the data into a directory created in the user's temporary folder (/user/{username}/tmp/..., and execute a query to load the data into a new Hive table.  I get a permission error when Hive attempts to move the data into the warehouse, because it is executing the move operation as the server app rather than as the proxied user, and is not allowed to write to the user's temporary directory.


Re: Unable to impersonate users when using HiveServer2

Master Guru

The way you're invoking the Driver/etc. internal classes is making your code bypass the HS2 altogether and run its own jobs. If you wish to talk via HS2, you would need to use its JDBC Driver or Thrift (TCLIService) APIs.
Don't have an account?
Coming from Hortonworks? Activate your account here