Reply
Contributor
Posts: 44
Registered: ‎07-28-2016

Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Hello - 

In HUE I can run two queries...on two different tables, but when I attempt to run a single query that joins them, I get the following error:

 

Error while compiling statement: FAILED: SemanticException Unable to compare key strength for hdfs://hanameservice/user/hive/warehouse/testdb.db/provider_md_hierarchy and hdfs://hanameservice/user/hive/warehouse/testdb.db/pg_md_survey : org.apache.hadoop.security.authorize.AuthorizationException: User:hive not allowed to do 'GET_METADATA' on 'hive'

 

I searched around and couldn't find anything that helps.  Does anyone have idea on where i can start looking to find a solution?

 

 

thanks - douglas

 

 

Cloudera Employee
Posts: 585
Registered: ‎03-23-2015

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

[ Edited ]

Hi,

 

Can you try to add the following to KMS configuration?

 

 

<property> 
  <name>hadoop.kms.acl.GET_METADATA</name> 
  <value>{{group_list}}</value> 
  <description> 
    ACL for get-key-metadata and get-keys-metadata operations. 
  </description> 
</property>

Add "hive" to the {{group_list}}, and then restart KMS to see if it helps.


Thanks

Contributor
Posts: 44
Registered: ‎07-28-2016

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Hi...Thanks for the suggestion.  I ended up creating a support ticket the other day and was able to add the hive user to a few different KMS settings and that did solve the problem

 

thanks.

Cloudera Employee
Posts: 585
Registered: ‎03-23-2015

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Hi,

 

I am glad that issue has been resolved.

 

For the benefits of other community users, are you able to outline on what you have done to resolve the issue? Much appreciate your contribution.

 

Thanks

Eric

Contributor
Posts: 34
Registered: ‎09-03-2015

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

I added hive user to the below two properties in the kms-acls.xml to make it work.

 

hadoop.kms.acl.GET_METADATA

whitelist.key.acl.READ

 

Also, I noticed that this happens only when we are doing a JOIN on two tables. When we are querying a single table, it is fine. Are the GET_METADATA and READ operations happening on HDFS on the parquet metadata OR on the Hive Warehouse?

New Contributor
Posts: 2
Registered: ‎06-06-2016

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

I am also getting a similar kind of error, I followed the above steps , still my issue is not fixed, any help is appreciated.

 

hdfs://nameservice1/uat/rwa/st/st_gf/int_rfnd : org.apache.hadoop.security.authorize.AuthorizationException: User:hdmock not allowed to do 'GET_METADATA' on 'cdh'

 

Thanks

Contributor
Posts: 44
Registered: ‎07-28-2016

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

Hello...

I just checked on our cluster and the 'hive' user is on the following ACLs

 

hadoop.kms.acl.GET_METADATA
hadoop.kms.acl.DECRYPT_EEK

default.key.acl.READ

whitelist.key.acl.MANAGEMENT
whitelist.key.acl.READ
whitelist.key.acl.DECRYPT_EEK
hadoop.kms.acl.DECRYPT_EEK

Highlighted
Cloudera Employee
Posts: 718
Registered: ‎07-30-2013

Re: Error Hive query - hive not allowed to do 'GET_METADATA' on 'hive'

You should have better help on the Security/KMS section than Hue for this
issue: http://community.cloudera.com/t5/Security-Apache-Sentry/bd-p/Security
Announcements