Hi Christopher,
I am running hive metastore as user hive
(hive/ip-10-151-109-165.ec2.internal@EC2.INTERNAL) and then I configure
hadoop.proxyuser.hive.hosts and hadoop.proxyuser.hive.groups to '*'.
This works.
On Sep 3, 2013, at 6:39 PM, Subroto wrote:
I am also facing the same problem…. Any idea??
Cheers,
Subroto Sanyal
On Sep 3, 2013, at 3:04 PM, Christopher Penney wrote:
I'm new to hive and trying to set it up in a relatively secure manner for a
test environment. I want to use a remote metastore so MR jobs can access
the DB. I seem to have things almost working, but when a user with a
credential tries to create a database I get:
hive> show databases;
OK
default
hive> create database testdb;
FAILED: Error in metadata: MetaException(message:Got exception:
org.apache.hadoop.ipc.RemoteException User:
hdfs/hadoopserver.sub.dom@sub.dom.com is not allowed to impersonate
myuse...@sub.dom.com)
FAILED: Execution Error, return code 1 from
org.apache.hadoop.hive.ql.exec.DDLTask
I have hive --service metastore running as hdfs with
hdfs/hadoopserver.sub.dom@sub.dom.com as the principal. I'm running
hive as myuserid on the same box. I don't know if it's related, but if I
try to run hive from another system I get a GSS Initiate error unless I use
the same principal (hdfs/hadoopserver.sub.dom@sub.dom.com) for
hive.metastore.kerberos.principal. Is that expected?
When I try googling this I see similar issues, but the message about not
being able to impersonate only shows the single part user name where for me
it's showing the realm. I tried playing with the auth_to_local property,
but it didn't help. Map Reduce and HDFS operations are working fine
otherwise.
In core-site.xml I have:
<property>
  <name>hadoop.proxyuser.hdfs.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hdfs.groups</name>
  <value>*</value>
</property>
In hive-site.xml I have:
<property>
  <name>javax.jdo.option.ConnectionURL</name>
  <value>jdbc:mysql://localhost/metastore</value>
  <description>the URL of the MySQL database</description>
</property>
<property>
  <name>javax.jdo.option.ConnectionDriverName</name>
  <value>com.mysql.jdbc.Driver</value>
</property>
<property>
  <name>javax.jdo.option.ConnectionUserName</name>
  <value>hive</value>
</property>
<property>
  <name>javax.jdo.option.ConnectionPassword</name>
  <value>password</value>
</property>
<property>
  <name>datanucleus.autoCreateSchema</name>
  <value>false</value>
</property>
<property>
  <name>datanucleus.fixedDatastore</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.uris</name>
  <value>thrift://hadoopserver.sub.dom.com:9083</value>
</property>
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.sasl.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.kerberos.keytab.file</name>
  <value>/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>hive.metastore.kerberos.principal</name>
  <value>hdfs/hadoopserver.sub.dom@sub.dom.com</value>
</property>
<property>
  <name>hive.metastore.execute.setugi</name>
  <value>true</value>
</property>
Any ideas?