Dear experts,
I am running HDP 2.4 on EC2 cloud. Recently i have installed Ranger and integrated Hive. When i am trying to use the Ambari Hive view using the admin account, i am receiving the below two errors. Could you please help ? i am attaching few screenshots showing the configurations required.
admin OS account is working fine:
----------------------------------------------
[ec2-user@XXXXXXXXX ~]$ id admin
uid=1012(admin) gid=1012(admin) groups=1012(admin),1001(hdpmasters)
[ec2-user@XXXXXXXX ~]$ hdfs dfs -ls /user
Found 9 items
drwxr-xr-x - admin hdfs 0 2017-08-11 04:35 /user/admin
[admin@XXXXXXXX ~]$ hdfs dfs -ls /user/admin
Found 2 items
drwxr-xr-x - admin hdfs 0 2017-08-11 05:33 /user/admin/.hiveJars
drwxr-xr-x - admin hdfs 0 2017-08-11 04:35 /user/admin/testing
[admin@XXXXXX ~]$ hive WARNING: Use "yarn jar" to launch YARN applications. Logging initialized using configuration in file:/etc/hive/2.4.3.0-227/0/hive-log4j.properties
hive> show databases;
OK
default
Time taken: 1.044 seconds, Fetched: 1 row(s)
Errors:
-----------------------------
Failed to execute statement: show databases like '*'
org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [USE] privilege on [null]
E090 HDFS020 Could not write file /user/admin/hive/jobs/hive-job-5-2017-08-11_05-43/query.hql [HdfsApiException]
org.apache.ambari.view.utils.hdfs.HdfsApiException: HDFS020 Could not write file /user/admin/hive/jobs/hive-job-5-2017-08-11_05-43/query.hql Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): Unauthorized connection for super-user: root from IP XXXXXXXXX
Will the below findings help,
If i add admin user instead of its group hdpmasters in the Ranger hive policy. Both of the errors are not being shown anymore in the Hive view. The problem is only if i use its group 'hdpmasters' in the policy. Please find below
[ec2-user@XXXXXXX ~]$ hdfs dfs -ls /user
Found 9 items drwxr-xr-x - admin
hdpmasters 0 2017-08-11 07:02 /user/admin
[ec2-user@XXXXXX ~]$
id admin uid=1012(admin) gid=1012(admin) groups=1012(admin),1001(hdpmasters)
Why it is only working if i give 'admin' directly but not the group ?
Adding to my question, I have added admin OS account into a group 'hdpmasters' and i used this group while configuring Hive Ranger policy. If i use 'admin' instead of group in the policy configuration, strangely i am not able to see the error "FAILED:HiveAccessControlExceptionPermission denied: user [admin] does not have [USE] privilege on [null]" anymore(I can view the default database in Ambari view). Can i know why this is happening ?
