Member since: 03-15-2024
Posts: 16
Kudos Received: 8
Solutions: 2
01-09-2026
10:46 PM
@Hadoop16 FYI

➤ This error occurs because of a token delegation gap between Hive and the HDFS Router. In a Kerberized cluster, when Hive (running on a DataNode/Compute node via Tez or MapReduce) attempts to write to HDFS, it needs a Delegation Token. When you use an HDFS Router address, Hive must be explicitly told to obtain a token specifically for the Router's service principal, which may be different from the backend NameNodes.

➤ The Root Cause

The error `Client cannot authenticate via:[TOKEN, KERBEROS]` at the FileSinkOperator stage indicates that the tasks running on your worker nodes do not have a valid token to "speak" to the Router at router_host:8888. When Hive plans the job, it usually fetches tokens for the default filesystem. If your `fs.defaultFS` is set to a regular NameNode but your table location is an RBF address, Hive might not be fetching the secondary token required for the Router.

➤ The Fix: Configure Token Requirements

You need to ensure Hive and the underlying MapReduce/Tez framework know to fetch tokens for the Router's URI.

1. Add the Router URI to Hive's Token List

In your Hive session (or globally in hive-site.xml), you must define the Router as a "known" filesystem that requires tokens.

```sql
SET hive.metastore.token.signature=hdfs://router_host:8888;
SET mapreduce.job.hdfs-servers=hdfs://router_host:8888,hdfs://nameservice-backend;
```

2. Configure HDFS Client to "Trust" the Router for Tokens

In core-site.xml or hdfs-site.xml, you need to enable the Router to act as a proxy for the backend NameNodes so it can pass the tokens correctly.

```xml
<property>
  <name>dfs.federation.router.delegation.token.enable</name>
  <value>true</value>
</property>
```

➤ Critical Kerberos Configuration

Because the Router is an intermediary, it must be allowed to impersonate the user (Hive) when talking to the backend. Ensure your ProxyUser settings in core-site.xml include the Router's service principal.

Assuming your Router runs as the hdfs or router user:

```xml
<property>
  <name>hadoop.proxyuser.router.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.router.hosts</name>
  <value>*</value>
</property>
```

➤ Diagnostic Verification

To prove if the token is missing, run this command from the datanode_host mentioned in your error logs using the same user running the Hive job:

```bash
# Check if you can manually get a token for the router
# (fetchdt accepts exactly one positional argument, the token file;
#  the Router is selected with the generic -fs option)
hdfs fetchdt -fs hdfs://router_host:8888 --renewer hdfs router.token

# Check the contents of your current credentials cache
klist -f
```

If fetchdt fails, the issue is with the Router's ability to issue tokens. If it succeeds but Hive fails, the issue is with Hive's Job Submission not including the Router URI in the `mapreduce.job.hdfs-servers` list.
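A pre-flight check for the two settings the reply above relies on (an added example, not part of the original post or of any Cloudera code): it lists `hadoop.proxyuser.*` entries left at `*`, which permit impersonation from any host or of any group, and reports HDFS authorities a job writes to that are absent from `mapreduce.job.hdfs-servers`. The sample config, the `knox` entries and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the proxyuser fragment from the post plus a narrowed entry.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.router.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.router.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.knox.groups</name><value>analysts</value></property>
  <property><name>hadoop.proxyuser.knox.hosts</name><value>knox01.example.internal</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def wildcard_proxyusers(props):
    """Return {proxy_user: [scopes]} for hadoop.proxyuser.* entries set to '*'."""
    prefix = "hadoop.proxyuser."
    findings = {}
    for name, value in props.items():
        if not name.startswith(prefix):
            continue
        # The proxy user may itself contain dots, so split on the last one.
        user, _, scope = name[len(prefix):].rpartition(".")
        if scope in ("hosts", "groups", "users") and value == "*":
            findings.setdefault(user, []).append(scope)
    return {user: sorted(scopes) for user, scopes in findings.items()}


def missing_token_targets(hdfs_servers, locations):
    """Return HDFS authorities in `locations` not listed in mapreduce.job.hdfs-servers."""
    covered = {urlparse(u.strip()).netloc for u in hdfs_servers.split(",") if u.strip()}
    needed = {urlparse(loc).netloc for loc in locations
              if urlparse(loc).scheme == "hdfs"}
    return sorted(needed - covered)


if __name__ == "__main__":
    print(wildcard_proxyusers(load_props(CORE_SITE)))
    print(missing_token_targets(
        "hdfs://nameservice-backend",
        ["hdfs://router_host:8888/warehouse/t1", "hdfs://nameservice-backend/tmp"]))
```

Entries reported by `wildcard_proxyusers` are candidates for narrowing to the specific hosts and groups the Router actually needs to impersonate.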
08-19-2025
07:10 AM
@RAGHUY Thank you! I figured that out later, but the Router is starting to fail with the below error. I have the jaas.conf in place. Any help on this is appreciated.

```
ERROR client.ZooKeeperSaslClient - SASL authentication failed using login context 'ZKDelegationTokenSecretManagerClient' with exception: {}
javax.security.sasl.SaslException: Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null.
	at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:312)
	at org.apache.zookeeper.client.ZooKeeperSaslClient.respondToServer(ZooKeeperSaslClient.java:275)
	at org.apache.zookeeper.ClientCnxn$SendThread.readResponse(ClientCnxn.java:882)
	at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:101)
	at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:363)
	at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1223)
2025-08-19 20:45:37,097 ERROR curator.ConnectionState - Authentication failed
2025-08-19 20:45:37,098 INFO zookeeper.ClientCnxn - Unable to read additional data from server sessionid 0x1088d05c6550015, likely server has closed socket, closing socket connection and attempting reconnect
2025-08-19 20:45:37,098 INFO zookeeper.ClientCnxn - EventThread shut down for session: 0x1088d05c6550015
2025-08-19 20:45:37,212 ERROR imps.CuratorFrameworkImpl - Ensure path threw exception
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /hdfs-router-tokens
```
03-31-2025
07:12 PM
@upadhyayk04 Thank you! I tried with Kerberos enabled on Ranger and Kafka, but the policies are still downloading fine but not becoming active. I could see the below error in the Kafka log.

```
DEBUG Failed to get groups for user ANONYMOUS (org.apache.hadoop.security.UserGroupInformation)
java.io.IOException: No groups found for user ANONYMOUS
	at org.apache.hadoop.security.Groups.noGroupsForUser(Groups.java:200)
```
08-02-2024
08:49 AM
1 Kudo
@Hadoop16 Can you share the stack trace of the error from the Knox gateway logs?
05-10-2024
11:37 PM
1 Kudo
Hello @Scharan From the debug log I think the issue is that when KnoxSSO is redirecting to the NN UI, it is sending the user as anonymous.

```
AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
```

Do you know what configs at HDFS or Knox could help here?
05-09-2024
12:11 AM
Hello @Hadoop16 Can you try adding the public group to the Ranger Knox policy and then run the webhdfs curl command?
03-29-2024
10:29 PM
1 Kudo
@Scharan Thanks! I figured out the issue: the following properties were not configured in hive-site:

- hive.server2.authentication.spnego.keytab
- hive.server2.authentication.spnego.principal
03-15-2024
10:31 AM
@Hadoop16 Welcome to the Cloudera Community! As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post. Thanks.