From: Markovich
Date: Thu, 20 Apr 2017 23:04:54 +0300
Subject: User is not allowed to impersonate
To: user@hive.apache.org

Hi Hive users,

I've got a very strange problem and don't know where to go next, so I'm writing here; maybe someone could help me.

I've got HDP 2.5 with Hive 1.2.1000.2.5.0.0-1245 and Hadoop 2.7.3.2.5.0.0-1245. I've got Kerberos and Ranger enabled.
I've installed HUE 3.11 on it, and I'm getting errors like this: Failed to validate proxy privilege of hue for hdfs, when logging into hue using user hdfs.

I've already added hadoop.proxyuser.hue.groups=* and hadoop.proxyuser.hue.hosts=* in core-site.xml. Checked that these settings were applied:

# hadoop org.apache.hadoop.conf.Configuration | grep hue
<property><name>hadoop.proxyuser.hue.groups</name><value>*</value><source>core-site.xml</source></property>
<property><name>hadoop.proxyuser.hue.hosts</name><value>*</value><source>core-site.xml</source></property>

Also checked properties like: hive.server2.enable.impersonation and hive.server2.enable.doAs.
I've logged into beeline and connected to Hive using the hue ticket:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hue@DEMO.TEST

Valid starting       Expires              Service principal
04/20/2017 19:40:50  04/21/2017 19:40:50  krbtgt/DEMO.TEST@DEMO.TEST
        renew until 04/27/2017 19:40:50

# /usr/hdp/current/hive-client/bin/beeline --verbose
!connect jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hue

0: jdbc:hive2://drm2.demo.test:10001/defau> set hive.server2.enable.impersonation;
Getting log thread is interrupted, since query is done!
+-----------------------------------------+--+
|                   set                   |
+-----------------------------------------+--+
| hive.server2.enable.impersonation=true  |
+-----------------------------------------+--+
1 row selected (0.144 seconds)

0: jdbc:hive2://drm2.demo.test:10001/defau> set hive.server2.enable.doAs;
Getting log thread is interrupted, since query is done!
+--------------------------------+--+
|              set               |
+--------------------------------+--+
| hive.server2.enable.doAs=true  |
+--------------------------------+--+
1 row selected (0.069 seconds)

When I'm trying to use hdfs as proxyuser through beeline, I get:

Connecting to jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hdfs
Enter username for jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hdfs:
Enter password for jdbc:hive2://drm2.demo.test:10001/default;principal=hive/drm2.demo.test@DEMO.TEST;transportMode=http;httpPath=cliservice;hive.server2.proxy.user=hdfs:
Error: Failed to validate proxy privilege of hue for hdfs (state=08S01,code=0)
org.apache.hive.service.cli.HiveSQLException: Failed to validate proxy privilege of hue for hdfs
...
Caused by: org.apache.hive.service.cli.HiveSQLException: Failed to validate proxy privilege of hue for hdfs
...
Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User: hue is not allowed to impersonate hdfs

I've looked in the Hadoop sources and this error means a problem with hadoop.proxyuser.hue.groups.
So for some very strange reason Hadoop is unable to allow user hue to impersonate hdfs or any other user.

Where should I dig next? I'm a bit confused.
Also yarn, hive, hdfs and hcat - all these users can impersonate any user, so impersonation is working.
I've also checked if the Hadoop mapping to local is correct, and it seems to be correct:

# hadoop org.apache.hadoop.security.HadoopKerberosName hue@DEMO.TEST
Name: hue@DEMO.TEST to hue

Any ideas or help is welcome. I've been stuck with this problem for 2 days already.

Regards,
Markovich
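Added example (not part of the original message, and not Hadoop's own code): a simplified Python model of the proxy-user check behind "User: hue is not allowed to impersonate hdfs", for evaluating a core-site.xml offline and seeing which hadoop.proxyuser.* key denies a request. The function names, the sample configs and the exact-match host comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the poster's cluster).
WILDCARD_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hue.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
</configuration>"""
NARROW_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hue.groups</name><value>analysts</value></property>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>10.0.0.5</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "")
            for p in root.iter("property")}

def _allowed(value, candidates):
    """Match a comma-separated list; '*' allows all, an unset key allows none."""
    if value is None:
        return False
    items = {v.strip() for v in value.split(",") if v.strip()}
    return "*" in items or bool(items & set(candidates))

def check_proxy(props, proxy, target, target_groups, client_host):
    """Return (allowed, reason) for `proxy` impersonating `target`.

    Simplified model: the target must match .users or .groups, and the
    client host must match .hosts (exact match only, an assumption).
    """
    prefix = "hadoop.proxyuser.%s." % proxy
    user_ok = (_allowed(props.get(prefix + "users"), [target]) or
               _allowed(props.get(prefix + "groups"), target_groups))
    if not user_ok:
        return False, "User: %s is not allowed to impersonate %s" % (proxy, target)
    if not _allowed(props.get(prefix + "hosts"), [client_host]):
        return False, "host %s not in %shosts" % (client_host, prefix)
    return True, "ok"

if __name__ == "__main__":
    cases = (("wildcard", WILDCARD_SITE), ("narrow", NARROW_SITE),
             ("unset", "<configuration/>"))
    for label, site in cases:
        print(label, check_proxy(load_props(site), "hue", "hdfs",
                                 ["hdfs", "hadoop"], "10.0.0.5"))
```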