Hive -version : hive-1.2.1000.2.4.0.0
I upgraded our test cluster with hive-1.2.1000.2.4.0.0. After the upgrade, I am unable to impersonate any user when running hive query using HS2.
Following property were set.
[hive@usw2dydpmn01 hive]$ beeline WARNING: Use "yarn jar" to launch YARN applications. Beeline version 1.2.1000.2.4.0.0-169 by Apache Hive beeline> !connect jdbc:hive2://usw2dydpmn01:10010 Connecting to jdbc:hive2://usw2dydpmn01:10010 Enter username for jdbc:hive2://usw2dydpmn01:10010: hive Enter password for jdbc:hive2://usw2dydpmn01:10010: Error: Failed to open new session: java.lang.RuntimeException: java.lang.RuntimeException: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: hive is not allowed to impersonate hive (state=,code=0)
updating with more info.
Hive impersonation was already exists. After the HDP upgrade , it is not working. The problem exists only in hive-server2. If I run the query using hive-cli, then it is impersonating the user and it is running as expected.
If I make this property to false, then all the queries are running.
It seems the user info had been deleted from the proxyuser property. Not sure how it was working before upgrade. After adding the user back that list it is working fine.
If the data in your system is not owned by the Hive user (i.e., the user
that the Hive metastore runs as), then Hive will need permission to run
as the user who owns the data in order to perform compactions. If you
have already set up HiveServer2 to impersonate users, then the only
additional work to do is assure that Hive has the right to impersonate
users from the host running the Hive metastore. This is done by adding
the hostname to
hadoop.proxyuser.hive.hosts in Hadoop's
file. If you have not already done this, then you will need to
configure Hive to act as a proxy user. This requires you to set up
keytabs for the user running the Hive metastore and add
hadoop.proxyuser.hive.groups to Hadoop's
Hive impersonation is already exists. After the HDP upgrade , it is not working.
The problem exists only in hive-server2. If I run the query using hive-cli, then it is impersonating the user and it is running as expected.
Setting hive.server2.enable.doAs=false will always work since jobs will run under the ownership of user who is owning the HS2 process. If everything is perfect from confs side regards to impersonation then if possible it worth to restart the cluster processes and see if that resolve the issue.