Support Questions
Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

hive view failing with errorMessage:Failed to validate proxy privilege of ambari-qa for gv07680

Rising Star

Hi,

I created a hive view instance but when I try to run a query it gives below error

Caused by: org.apache.thrift.protocol.TProtocolException: Required field 'serverProtocolVersion' is unset! Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of ambari-qa for gv07680:33:32, org.apache.hive.service.auth.HiveAuthFactory:verifyProxyAccess:HiveAuthFactory.java:359, org.apache.hive.service.cli.thrift.ThriftCLIService:getProxyUser:ThriftCLIService.java:731, org.apache.hive.service.cli.thrift.ThriftCLIService:getUserName:ThriftCLIService.java:367, org.apache.hive.service.cli.thrift.ThriftCLIService:getSessionHandle:ThriftCLIService.java:394, org.apache.hive.service.cli.thrift.ThriftCLIService:OpenSession:ThriftCLIService.java:297, org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1253, org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession:getResult:TCLIService.java:1238, org.apache.thrift.ProcessFunction:process:ProcessFunction.java:39, org.apache.thrift.TBaseProcessor:process:TBaseProcessor.java:39, org.apache.thrift.server.TServlet:doPost:TServlet.java:83, org.apache.hive.service.cli.thrift.ThriftHttpServlet:doPost:ThriftHttpServlet.java:171, javax.servlet.http.HttpServlet:service:HttpServlet.java:727, javax.servlet.http.HttpServlet:service:HttpServlet.java:820, org.eclipse.jetty.servlet.ServletHolder:handle:ServletHolder.java:565, org.eclipse.jetty.servlet.ServletHandler:doHandle:ServletHandler.java:479, org.eclipse.jetty.server.session.SessionHandler:doHandle:SessionHandler.java:225, org.eclipse.jetty.server.handler.ContextHandler:doHandle:ContextHandler.java:1031, org.eclipse.jetty.servlet.ServletHandler:doScope:ServletHandler.java:406, org.eclipse.jetty.server.session.SessionHandler:doScope:SessionHandler.java:186, org.eclipse.jetty.server.handler.ContextHandler:doScope:ContextHandler.java:965, org.eclipse.jetty.server.handler.ScopedHandler:handle:ScopedHandler.java:117, org.eclipse.jetty.server.handler.HandlerWrapper:handle:HandlerWrapper.java:111, org.eclipse.jetty.server.Server:handle:Server.java:349, org.eclipse.jetty.server.AbstractHttpConnection:handleRequest:AbstractHttpConnection.java:449, org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler:content:AbstractHttpConnection.java:925, org.eclipse.jetty.http.HttpParser:parseNext:HttpParser.java:857, org.eclipse.jetty.http.HttpParser:parseAvailable:HttpParser.java:235, org.eclipse.jetty.server.AsyncHttpConnection:handle:AsyncHttpConnection.java:76, org.eclipse.jetty.io.nio.SelectChannelEndPoint:handle:SelectChannelEndPoint.java:609, org.eclipse.jetty.io.nio.SelectChannelEndPoint$1:run:SelectChannelEndPoint.java:45, java.util.concurrent.ThreadPoolExecutor:runWorker:ThreadPoolExecutor.java:1145, java.util.concurrent.ThreadPoolExecutor$Worker:run:ThreadPoolExecutor.java:615, java.lang.Thread:run:Thread.java:745, *org.apache.hadoop.security.authorize.AuthorizationException:User: ambari-qa is not allowed to impersonate gv07680:0:-1], sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of ambari-qa for gv07680), serverProtocolVersion:null)

I did kerberos setup for ambari user using ambari-server setup-security with ambari-qa as the ambari user.

I did set up proxyuser settings in core-site.xml file using below configs

hadoop.proxyuser.ambari-server.groups: *

hadoop.proxyuser.ambari-server.hosts: *

We are using ambari-2.2.2 and HDP-2.3.0.

Below are the configs for Hiev view instance

Hive Authentication: auth=KERBEROS;principal=hive/_HOST@HADOOP.COM;hive.server2.proxy.user=gv07680

WebHDFS Username: gv07680

WebHDFS Authentication: auth=KERBEROS;proxyuser=ambari-qa@HADOOP.COM

Scripts HDFS Directory*: /user/gv07680/hive/scripts

HiveServer2 Thrift port*: 10001

HiveServer2 Http port*: 10001HiveServer2 Http path*: cliserviceHiveServer2 Transport Mode*: http

WebHDFS FileSystem URI*: webhdfs://hostname:50070

There is no HA, so no HA related configs.

But still I see the Failed to validate proxy privilege of ambari-qa for gv07680 error

Below is the config for /etc/ambari-server/conf/krb5JAASLogin.conf

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required

renewTGT=false

doNotPrompt=true

useKeyTab=true

keyTab="/etc/security/keytabs/smokeuser.headless.keytab"

principal="ambari-qa@BCBSA.COM" storeKey=true useTicketCache=false;

};

Please advise.

1 ACCEPTED SOLUTION

@Venkata Sridhar Gangavarapu

May I know on which user ambari server installed? root or some other user?

If root please add below properties: LINK

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*

1. If your cluster is Kerberosed then follow below steps:

Go to Hive Service --> Configs --> General and change below property to

hive.server2.thrift.sasl.qop = auth-conf 

Restart all the affected services to make sure changed are set. Then go to Ambari Views server, Manage Ambari --> Hive View --> Setting

HiveAuthentication= auth=KERBEROS;principal=hive/_HOST@EXAMPLE.COM;hive.server2.proxy.user=${username};saslQop=auth-conf

Let me know if this helps you.

View solution in original post

3 REPLIES 3

@Venkata Sridhar Gangavarapu

May I know on which user ambari server installed? root or some other user?

If root please add below properties: LINK

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*

1. If your cluster is Kerberosed then follow below steps:

Go to Hive Service --> Configs --> General and change below property to

hive.server2.thrift.sasl.qop = auth-conf 

Restart all the affected services to make sure changed are set. Then go to Ambari Views server, Manage Ambari --> Hive View --> Setting

HiveAuthentication= auth=KERBEROS;principal=hive/_HOST@EXAMPLE.COM;hive.server2.proxy.user=${username};saslQop=auth-conf

Let me know if this helps you.

Rising Star

Hi Sri,

Thanks for the response.

It did work.

Thank you so much for your help.

I accept this answer.

@Venkata Sridhar Gangavarapu

Thanks buddy, Glad to know it works.