Support Questions

anand_ranganath · ‎05-20-2016

Hive -version : hive-1.2.1000.2.4.0.0

I upgraded our test cluster with hive-1.2.1000.2.4.0.0. After the upgrade, I am unable to impersonate any user when running hive query using HS2.

Following property were set.

hive.server2.enable.doAs=true.

 

[hive@usw2dydpmn01 hive]$ beeline
WARNING: Use "yarn jar" to launch YARN applications.
Beeline version 1.2.1000.2.4.0.0-169 by Apache Hive
beeline> !connect jdbc:hive2://usw2dydpmn01:10010
Connecting to jdbc:hive2://usw2dydpmn01:10010
Enter username for jdbc:hive2://usw2dydpmn01:10010: hive
Enter password for jdbc:hive2://usw2dydpmn01:10010:
Error: Failed to open new session: java.lang.RuntimeException: java.lang.RuntimeException: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: hive is not allowed to impersonate hive (state=,code=0)

Edit 1:

updating with more info.

Hive impersonation was already exists. After the HDP upgrade , it is not working. The problem exists only in hive-server2. If I run the query using hive-cli, then it is impersonating the user and it is running as expected.

If I make this property to false, then all the queries are running.

hive.server2.enable.doAs=true.

Report Inappropriate Content · ‎05-20-2016

Have you set the following properties to *

hadoop.proxyuser.hive.hosts=*

hadoop.proxyuser.hive.groups=*

View solution in original post

Report Inappropriate Content · ‎05-20-2016

Have you set the following properties to *

hadoop.proxyuser.hive.hosts=*

hadoop.proxyuser.hive.groups=*

anand_ranganath · ‎05-23-2016

It seems the user info had been deleted from the proxyuser property. Not sure how it was working before upgrade. After adding the user back that list it is working fine.

Report Inappropriate Content · ‎05-20-2016

Please see: https://cwiki.apache.org/confluence/display/Hive/Hive+Transactions#HiveTransactions-ConfigurationVal...

If the data in your system is not owned by the Hive user (i.e., the user that the Hive metastore runs as), then Hive will need permission to run as the user who owns the data in order to perform compactions. If you have already set up HiveServer2 to impersonate users, then the only additional work to do is assure that Hive has the right to impersonate users from the host running the Hive metastore. This is done by adding the hostname to hadoop.proxyuser.hive.hosts in Hadoop's core-site.xml file. If you have not already done this, then you will need to configure Hive to act as a proxy user. This requires you to set up keytabs for the user running the Hive metastore and add hadoop.proxyuser.hive.hosts and hadoop.proxyuser.hive.groups to Hadoop's core-site.xml file.

anand_ranganath · ‎05-20-2016

Hive impersonation is already exists. After the HDP upgrade , it is not working.

The problem exists only in hive-server2. If I run the query using hive-cli, then it is impersonating the user and it is running as expected.

jyadav · ‎05-22-2016

@Anandha L Ranganathan

Setting hive.server2.enable.doAs=false will always work since jobs will run under the ownership of user who is owning the HS2 process. If everything is perfect from confs side regards to impersonation then if possible it worth to restart the cluster processes and see if that resolve the issue.

Cloudera Community

Support Questions

hive impersonation not working after HDP upgrade to 2.4.0.0