Hi @Jaguar ,   This issue seems to be related with Knox. Service Mismatch: The URL in the error (.../gateway/dt/knoxtoken/api/v1/token) suggests a conflict between the Hive Metastore and the Knox Token Service. This often happens after a cluster upgrade where a new token service is implemented, but the clients (in this case, the Metastore) are still configured for the old one. Solution: Check the Knox configuration in your cluster management tool (e.g., Cloudera Manager). Verify that the HiveServer2 and Hive Metastore services are using the correct Knox topology and that the token service settings are correctly configured to match the Knox server.   Let me know if this helps. ... View more

Hi @satvaddi , If you are running in a Ranger RAZ enabled environment you don't need all these settings: > --conf "spark.hadoop.hadoop.security.authentication=KERBEROS" \ > --conf "spark.hadoop.hadoop.security.authorization=true" \ > --conf "spark.hadoop.fs.s3a.delegation.token.binding=org.apache.knox.gateway.cloud.idbroker.s3a.IDBDelegationTokenBinding" \ > --conf "spark.hadoop.fs.s3a.idb.auth.token.enabled=true" \ > --conf "spark.hadoop.fs.s3a.aws.credentials.provider=org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider" \ > --conf "spark.hadoop.fs.s3a.security.credential.provider.path=jceks://hdfs/user/infa/knox_credentials.jceks" \ > --conf "spark.hadoop.fs.s3a.endpoint=s3.amazonaws.com" \ > --conf "spark.hadoop.fs.s3a.impl=org.apache.hadoop.fs.s3a.S3AFileSystem" \   To me it looks like you are bypassing Raz by setting this parameter: > --conf "spark.hadoop.fs.s3a.aws.credentials.provider=org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider" \   This, I would check whether the instance profile (IAM Role attached to the cluster) does not have too much privileges. Like access to data. This should be controlled in Ranger instead. ... View more

@sathishkr @willx Hi! Do you have some insights here? Thanks! ... View more