can you share screenshot of your repo config , I want to see which is the repo user ? ... View more

can you check hadoop.security.auth_to_local config in hdfs & hdfs repo also , if rule is specified for nn , RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/ so that call is sent as hdfs user , and since hdfs user is in policy,download.auth.users so it will be alllowed to download the policy and make sure same config is pres in hdfs repo config also check this config: RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*// RULE:[2:$1@$0](activity_analyzer@EXAMPLE.COM)s/.*/activity_analyzer/ RULE:[2:$1@$0](activity_explorer@EXAMPLE.COM)s/.*/activity_explorer/ RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/ams/ RULE:[2:$1@$0](amszk@EXAMPLE.COM)s/.*/ams/ RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/ RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/ RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0](knox@EXAMPLE.COM)s/.*/knox/ RULE:[2:$1@$0](nfs@EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/ RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/ranger/ RULE:[2:$1@$0](rangertagsync@EXAMPLE.COM)s/.*/rangertagsync/ RULE:[2:$1@$0](rangerusersync@EXAMPLE.COM)s/.*/rangerusersync/ RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/ RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/ DEFAULT ... View more

did you regenerated keytabs and restarted service? ... View more

can you please check if ranger is also kerberised , because if it is hdp2.5 or above then it will be kerberised. if it is then can you please try following 1) regenerating keytabs from ambari and restart the services. 2) add following properties in the repos on ranger: policy.grantrevoke.auth.users: hbase ( or corresponding service user) tag.download.auth.users: hbase ( or corresponding service user) policy.download.auth.users: hbase (or corresponding service user) same way these properties to be added in hdfs repo too , and service user will be hdfs or what ever you have in your cluster. ... View more

dvillarreal thanks for the reply, actually this issues fix is there in my cluster, i am using knox 0.12.0. i have httpclient-4.5.1.jar in knox lib, and the issue you had mentioned has impacted WEBHDFS too, but for me WEBHDFS flow works , i am facing issue only with hive, ... View more

Vipin, tried configuring two way ssl also , it does not work, so strange part is : 1) the error i am getting does not seems relevant to wire encryption 2) but whenever i disable ssl for hive, knox to hive flow it start working ... View more

yes surya it is set to true ... View more

hey thanks @Vipin Rathor for reply >> 1. Have you checked that Beeline works fine without Knox & using HS2 (over SSL) directly yes beeline works using HS2 over ssl 2. Also after enabling SSL for Hive, you need to establish trust between Knox service and HS2 by importing their certificates into each other's truststore. Have you done this? >> I sense here one way ssl should be enough, assuming for hbase and webhdfs one way ssl works, i have not imported knox crt into hive truststore, so i guess behaviour should be same here also ... View more