hive view failing with errorMessage:Failed to validate proxy privilege of ambari-qa for gv07680

Hi,

I created a Hive view instance, but when I try to run a query it gives the error below:

Caused by: org.apache.thrift.protocol.TProtocolException: Required field 'serverProtocolVersion' is unset! Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of ambari-qa for gv07680:33:32, org.apache.hive.service.auth.HiveAuthFactory:verifyProxyAccess:HiveAuthFactory.java:359, org.apache.hive.service.cli.thrift.ThriftCLIService:getProxyUser:ThriftCLIService.java:731, org.apache.hive.service.cli.thrift.ThriftCLIService:getUserName:ThriftCLIService.java:367, org.apache.hive.service.cli.thrift.ThriftCLIService:getSessionHandle:ThriftCLIService.java:394, org.apache.hive.service.cli.thrift.ThriftCLIService:OpenSession:ThriftCLIService.java:297, org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1253, org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1238, org.apache.thrift.ProcessFunction:process:ProcessFunction.java:39, org.apache.thrift.TBaseProcessor:process:TBaseProcessor.java:39, org.apache.thrift.server.TServlet:doPost:TServlet.java:83, org.apache.hive.service.cli.thrift.ThriftHttpServlet:doPost:ThriftHttpServlet.java:171, javax.servlet.http.HttpServlet:service:HttpServlet.java:727, javax.servlet.http.HttpServlet:service:HttpServlet.java:820, org.eclipse.jetty.servlet.ServletHolder:handle:ServletHolder.java:565, org.eclipse.jetty.servlet.ServletHandler:doHandle:ServletHandler.java:479, org.eclipse.jetty.server.session.SessionHandler:doHandle:SessionHandler.java:225, org.eclipse.jetty.server.handler.ContextHandler:doHandle:ContextHandler.java:1031, org.eclipse.jetty.servlet.ServletHandler:doScope:ServletHandler.java:406, org.eclipse.jetty.server.session.SessionHandler:doScope:SessionHandler.java:186, org.eclipse.jetty.server.handler.ContextHandler:doScope:ContextHandler.java:965, org.eclipse.jetty.server.handler.ScopedHandler:handle:ScopedHandler.java:117, 
org.eclipse.jetty.server.handler.HandlerWrapper:handle:HandlerWrapper.java:111, org.eclipse.jetty.server.Server:handle:Server.java:349, org.eclipse.jetty.server.AbstractHttpConnection:handleRequest:AbstractHttpConnection.java:449, org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler:content:AbstractHttpConnection.java:925, org.eclipse.jetty.http.HttpParser:parseNext:HttpParser.java:857, org.eclipse.jetty.http.HttpParser:parseAvailable:HttpParser.java:235, org.eclipse.jetty.server.AsyncHttpConnection:handle:AsyncHttpConnection.java:76, org.eclipse.jetty.io.nio.SelectChannelEndPoint:handle:SelectChannelEndPoint.java:609, org.eclipse.jetty.io.nio.SelectChannelEndPoint$1:run:SelectChannelEndPoint.java:45, java.util.concurrent.ThreadPoolExecutor:runWorker:ThreadPoolExecutor.java:1145, java.util.concurrent.ThreadPoolExecutor$Worker:run:ThreadPoolExecutor.java:615, java.lang.Thread:run:Thread.java:745, *org.apache.hadoop.security.authorize.AuthorizationException:User: ambari-qa is not allowed to impersonate gv07680:0:-1], sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of ambari-qa for gv07680), serverProtocolVersion:null)

I did the Kerberos setup for the Ambari user using ambari-server setup-security, with ambari-qa as the Ambari user.

I did set up proxyuser settings in core-site.xml file using below configs

hadoop.proxyuser.ambari-server.groups: *

hadoop.proxyuser.ambari-server.hosts: *

We are using ambari-2.2.2 and HDP-2.3.0.

Below are the configs for the Hive view instance

Hive Authentication: auth=KERBEROS;principal=hive/_HOST@HADOOP.COM;hive.server2.proxy.user=gv07680

WebHDFS Username: gv07680

WebHDFS Authentication: auth=KERBEROS;proxyuser=ambari-qa@HADOOP.COM

Scripts HDFS Directory*: /user/gv07680/hive/scripts

HiveServer2 Thrift port*: 10001

HiveServer2 Http port*: 10001

HiveServer2 Http path*: cliservice

HiveServer2 Transport Mode*: http

WebHDFS FileSystem URI*: webhdfs://hostname:50070

There is no HA, so no HA related configs.

But still I see the Failed to validate proxy privilege of ambari-qa for gv07680 error

Below is the config for /etc/ambari-server/conf/krb5JAASLogin.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/smokeuser.headless.keytab"
    principal="ambari-qa@BCBSA.COM"
    storeKey=true
    useTicketCache=false;
};

Please advise.

1 ACCEPTED SOLUTION

Accepted Solutions

@Venkata Sridhar Gangavarapu

May I know under which user the Ambari server is installed? root or some other user?

If root, please add the below properties: LINK

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*

1. If your cluster is Kerberized then follow the below steps:

Go to Hive Service --> Configs --> General and change below property to

hive.server2.thrift.sasl.qop = auth-conf 

Restart all the affected services to make sure the changes are set. Then go to Ambari Views server, Manage Ambari --> Hive View --> Setting

HiveAuthentication= auth=KERBEROS;principal=hive/_HOST@EXAMPLE.COM;hive.server2.proxy.user=${username};saslQop=auth-conf

Let me know if this helps you.
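
An added example (not part of the original answer, and not Hadoop's own code): a small checker that reads `hadoop.proxyuser.*` rules from a core-site.xml and evaluates an impersonation request against them, keyed on the short name of the authenticating principal, and lists the rules that use `*`. The short-name mapping and exact host matching are simplifying assumptions; the XML fragment is constructed from the settings quoted in the question.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment mirroring the question: rules exist for
# "ambari-server", while the Kerberos principal in use is ambari-qa.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.ambari-server.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.ambari-server.hosts</name><value>*</value></property>
</configuration>"""

def proxy_rules(xml_text):
    """Collect hadoop.proxyuser.<user>.{hosts,groups,users} as {user: {kind: set}}."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith("hadoop.proxyuser."):
            continue
        user, _, kind = name[len("hadoop.proxyuser."):].rpartition(".")
        if user and kind in ("hosts", "groups", "users"):
            value = prop.findtext("value") or ""
            rules.setdefault(user, {})[kind] = {v.strip() for v in value.split(",") if v.strip()}
    return rules

def short_name(principal):
    """Simplified mapping (assumption): drop the realm and any /host part."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def may_impersonate(rules, principal, target, target_groups, client_host):
    """The client host must match the hosts rule, and the target user must
    match either the users rule or (via its groups) the groups rule."""
    r = rules.get(short_name(principal))
    if r is None:
        return False  # no hadoop.proxyuser.<short name>.* keys at all

    def allowed(kind, candidates):
        acl = r.get(kind, set())
        return "*" in acl or bool(acl & set(candidates))

    return allowed("hosts", [client_host]) and (
        allowed("users", [target]) or allowed("groups", target_groups))

def wildcard_findings(rules):
    """Rules set to '*', which place no limit on hosts, groups or users."""
    return sorted(f"hadoop.proxyuser.{u}.{k}" for u, r in rules.items()
                  for k, acl in r.items() if "*" in acl)
```

Calling `may_impersonate(proxy_rules(CORE_SITE), "ambari-qa@HADOOP.COM", "gv07680", ["users"], "ambari-host")` returns `False` because no rule is keyed on `ambari-qa`; the group and host arguments in that call are constructed values.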

3 REPLIES 3

Hi Sri,

Thanks for the response.

It did work.

Thank you so much for your help.

I accept this answer.

@Venkata Sridhar Gangavarapu

Thanks buddy, Glad to know it works.