hive-user mailing list archives

From Markovich <amriv...@gmail.com>
Subject User is not allowed to impersonate
Date Thu, 20 Apr 2017 20:04:54 GMT
Hi Hive users,

I've got a very strange problem and don't know where to go next, so I'm
writing here; maybe someone could help me.

I've got HDP 2.5 with Hive 1.2.1000.2.5.0.0-1245 and Hadoop
2.7.3.2.5.0.0-1245. I've got Kerberos and Ranger enabled.
I've installed HUE 3.11 on it, and I'm getting errors like this: *Failed to
validate proxy privilege of hue for hdfs*, when logging into hue using user
hdfs.

I've already added *hadoop.proxyuser.hue.groups=** and
*hadoop.proxyuser.hue.hosts=** in core-site.xml. Checked that these settings
were applied:

# hadoop org.apache.hadoop.conf.Configuration | grep hue
<property><name>hadoop.proxyuser.hue.groups</name><value>*</value><source>core-site.xml</source></property>
<property><name>hadoop.proxyuser.hue.hosts</name><value>*</value><source>core-site.xml</source></property>

Also checked properties like *hive.server2.enable.impersonation* and
*hive.server2.enable.doAs*.
I've logged into beeline and connected to Hive using hue ticket:

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hue@DEMO.TEST

Valid starting       Expires              Service principal
04/20/2017 19:40:50  04/21/2017 19:40:50  krbtgt/DEMO.TEST@DEMO.TEST
        renew until 04/27/2017 19:40:50

#/usr/hdp/current/hive-client/bin/beeline --verbose
!connect jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hue

0: jdbc:hive2://drm2.demo.test:10001/defau> set hive.server2.enable.impersonation;
Getting log thread is interrupted, since query is done!
+-----------------------------------------+--+
|                   set                   |
+-----------------------------------------+--+
| hive.server2.enable.impersonation=true  |
+-----------------------------------------+--+
1 row selected (0.144 seconds)

0: jdbc:hive2://drm2.demo.test:10001/defau> set hive.server2.enable.doAs;
Getting log thread is interrupted, since query is done!
+--------------------------------+--+
|              set               |
+--------------------------------+--+
| hive.server2.enable.doAs=true  |
+--------------------------------+--+
1 row selected (0.069 seconds)

When I'm trying to use hdfs as proxyuser through beeline, I get:
Connecting to
jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST
;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hdfs
Enter username for
jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST
;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hdfs:
Enter password for
jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST
;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hdfs:
Error: Failed to validate proxy privilege of hue for hdfs
(state=08S01,code=0)
org.apache.hive.service.cli.HiveSQLException: Failed to validate proxy
privilege of hue for hdfs
...
Caused by: org.apache.hive.service.cli.HiveSQLException: Failed to validate
proxy privilege of hue for hdfs
...
Caused by: org.apache.hadoop.security.authorize.AuthorizationException:
User: hue is not allowed to impersonate hdfs

I've looked in the Hadoop sources and this error means a problem with
hadoop.proxyuser.hue.groups.
So for some very strange reason Hadoop is unable to allow user Hue to
impersonate hdfs or any other user.

Where should I dig next? I'm a bit confused.

Also yarn, hive, hdfs and hcat - all these users can impersonate any user,
so impersonation is working.
I've also checked whether the Hadoop mapping to local is correct, and it seems
to be correct:
# hadoop org.apache.hadoop.security.HadoopKerberosName hue@DEMO.TEST
Name: hue@DEMO.TEST to hue

Any ideas or help are welcome. I've been stuck with this problem for 2 days
already.

Regards,
Markovich
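
The following is an added example, not part of the original message and not Hadoop's own code: a simplified Python model of how the hadoop.proxyuser.<user>.users/groups/hosts properties are evaluated, showing which of the two denial messages each missing or non-matching property produces. The function names, the sample XML and the exact-match host rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment: the two hue properties from the message,
# plus a hypothetical "oozie" entry that only has a hosts rule.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hue.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>*</value></property>
</configuration>"""

def load_conf(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def _items(conf, key):
    """None when the key is absent, else the set of comma-separated entries."""
    if key not in conf:
        return None
    return {v.strip() for v in conf[key].split(",") if v.strip()}

def check_proxy(conf, real_user, target_user, target_groups, remote_host):
    """Simplified proxyuser decision: user/group ACL first, then hosts."""
    prefix = "hadoop.proxyuser.%s." % real_user
    users = _items(conf, prefix + "users")
    groups = _items(conf, prefix + "groups")
    hosts = _items(conf, prefix + "hosts")
    acl_ok = any([
        users is not None and ("*" in users or target_user in users),
        groups is not None and ("*" in groups or groups & set(target_groups)),
    ])
    if not acl_ok:
        # No users/groups rule loaded for real_user, or the target is not in it.
        return (False, "User: %s is not allowed to impersonate %s"
                % (real_user, target_user))
    # Assumption: exact match or "*" only; Hadoop also accepts CIDR ranges here.
    if hosts is None or not ("*" in hosts or remote_host in hosts):
        return (False, "Unauthorized connection for super-user: %s from IP %s"
                % (real_user, remote_host))
    return (True, "allowed")
```

The model only reflects the configuration text it is given, so it should be fed the core-site.xml loaded by the service that raises the exception rather than the one on the client.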
