RE: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

2017-05-22 Thread Dale Bradman
This looks to be a Ranger UI issue because I have been able to update my KMS 
policy successfully using the API.

But I still am not sure if it is safe to allow the hdfs user the rights to 
“GENERATE_EEK” on my key?

Thanks.
Dale



From: Dale Bradman [mailto:da...@profusion.com]
Sent: 19 May 2017 15:35
To: user@ranger.apache.org; Sreeni 
Subject: RE: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Hi Sreeni,

I have followed this guide previously before I upgraded the cluster from 2.4 to 
2.5 which worked successfully. I’d be keen to get some feedback/suggestions on 
why it no longer works after the upgrade rather than working through it again.

I cannot add any user to my Ranger KMS policy any more. It errors out and I can’t 
find the necessary log file to see what is happening – it just says in the red 
box “Error: Error updating policy.”

Thanks.
Dale


From: Sreeni [mailto:ksraju...@yahoo.com]
Sent: 19 May 2017 13:50
To: user@ranger.apache.org
Subject: Re: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Dale,

Following the Hortonworks community guide helped me.

How to correctly setup the HDFS encryption using Ranger KMS - Hortonworks




Sreeni

On Friday, May 19, 2017 5:49 AM, Dale Bradman wrote:

Hello.

I've recently upgraded the cluster to HDP 2.5.3 as well as Ambari to 2.4.2.0 
however I'm now facing problems running Hive queries.

Each query that invokes Tez (i.e. `insert`) results in the following error:

Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: 
org.apache.hadoop.ipc.RemoteException(java.io.IOException): 
java.util.concurrent.ExecutionException: 
org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not 
allowed to do 'GENERATE_EEK' on 'hive'

Here are my commands:

$ kinit -kt /etc/security/keytabs/automation.keytab
$ beeline -u 'jdbc:hive2://hiverserver2:1/default;principal=hive/hiverserver2@ACTIVE.DIRECTORY' -f hive_script.hql

This is obviously something that was working before the upgrade.

Why is it running the script as the hdfs user? I have not added the `hdfs` user 
to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not advised (and 
also not permitted).

Are there any settings that need to be adjusted after the upgrade?

Thanks,
Dale
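
An added example, not part of the thread: in HDFS transparent encryption the NameNode, which runs as the hdfs user, is the component that asks the KMS to generate encrypted data keys, so the usual split is that hdfs holds generate-EEK but not decrypt-EEK on a key. The sketch below checks a policy JSON for that split. The policy layout (`resources.keyname`, `policyItems[].accesses[].type` with `generateeek` and `decrypteek`) is an assumption based on Ranger's KMS service definition, and the sample policy is constructed.

```python
import json
from fnmatch import fnmatch

# Constructed sample in the assumed shape of a Ranger KMS policy; the service
# name, policy name and user lists are made up for illustration.
SAMPLE_POLICY = json.loads("""
{
  "service": "cl1_kms", "name": "hive-key", "isEnabled": true,
  "resources": {"keyname": {"values": ["hive"]}},
  "policyItems": [
    {"users": ["hive"],
     "accesses": [{"type": "getmetadata", "isAllowed": true},
                  {"type": "decrypteek", "isAllowed": true}]},
    {"users": ["hdfs"],
     "accesses": [{"type": "getmetadata", "isAllowed": true},
                  {"type": "generateeek", "isAllowed": true}]}
  ]
}
""")


def allowed_users(policy, key, access):
    """Return the users this policy explicitly allows `access` on `key`."""
    if not policy.get("isEnabled", True):
        return set()  # a disabled policy grants nothing
    # Key names in a policy may carry * and ? wildcards.
    patterns = policy.get("resources", {}).get("keyname", {}).get("values", [])
    if not any(fnmatch(key, p) for p in patterns):
        return set()
    users = set()
    for item in policy.get("policyItems", []):
        granted = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed")}
        if access in granted:
            users.update(item.get("users", []))
    return users


def audit_key(policy, key, namenode_user="hdfs"):
    """Check the generate/decrypt split for the NameNode user on one key."""
    findings = []
    if namenode_user not in allowed_users(policy, key, "generateeek"):
        findings.append(f"{namenode_user} lacks generateeek on '{key}'")
    if namenode_user in allowed_users(policy, key, "decrypteek"):
        findings.append(f"{namenode_user} holds decrypteek on '{key}'")
    return findings


if __name__ == "__main__":
    print(audit_key(SAMPLE_POLICY, "hive") or "split looks correct")
```
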




RE: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

2017-05-19 Thread Dale Bradman
Hi Sreeni,

I have followed this guide previously before I upgraded the cluster from 2.4 to 
2.5 which worked successfully. I’d be keen to get some feedback/suggestions on 
why it no longer works after the upgrade rather than working through it again.

I cannot add any user to my Ranger KMS policy any more. It errors out and I can’t 
find the necessary log file to see what is happening – it just says in the red 
box “Error: Error updating policy.”

Thanks.
Dale


From: Sreeni [mailto:ksraju...@yahoo.com]
Sent: 19 May 2017 13:50
To: user@ranger.apache.org
Subject: Re: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Dale,

Following the Hortonworks community guide helped me.

How to correctly setup the HDFS encryption using Ranger KMS - Hortonworks




Sreeni

On Friday, May 19, 2017 5:49 AM, Dale Bradman wrote:

Hello.

I've recently upgraded the cluster to HDP 2.5.3 as well as Ambari to 2.4.2.0 
however I'm now facing problems running Hive queries.

Each query that invokes Tez (i.e. `insert`) results in the following error:

Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: 
org.apache.hadoop.ipc.RemoteException(java.io.IOException): 
java.util.concurrent.ExecutionException: 
org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not 
allowed to do 'GENERATE_EEK' on 'hive'

Here are my commands:

$ kinit -kt /etc/security/keytabs/automation.keytab
$ beeline -u 'jdbc:hive2://hiverserver2:1/default;principal=hive/hiverserver2@ACTIVE.DIRECTORY' -f hive_script.hql

This is obviously something that was working before the upgrade.

Why is it running the script as the hdfs user? I have not added the `hdfs` user 
to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not advised (and 
also not permitted).

Are there any settings that need to be adjusted after the upgrade?

Thanks,
Dale




Re: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

2017-05-19 Thread Sreeni
Dale,

Following the Hortonworks community guide helped me.

How to correctly setup the HDFS encryption using Ranger KMS - Hortonworks

Sreeni

On Friday, May 19, 2017 5:49 AM, Dale Bradman wrote:

Hello.

I've recently upgraded the cluster to HDP 2.5.3 as well as Ambari to 2.4.2.0 
however I'm now facing problems running Hive queries.

Each query that invokes Tez (i.e. `insert`) results in the following error:

Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: 
org.apache.hadoop.ipc.RemoteException(java.io.IOException): 
java.util.concurrent.ExecutionException: 
org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not 
allowed to do 'GENERATE_EEK' on 'hive'

Here are my commands:

$ kinit -kt /etc/security/keytabs/automation.keytab
$ beeline -u 'jdbc:hive2://hiverserver2:1/default;principal=hive/hiverserver2@ACTIVE.DIRECTORY' -f hive_script.hql

This is obviously something that was working before the upgrade.

Why is it running the script as the hdfs user? I have not added the `hdfs` user 
to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not advised (and 
also not permitted).

Are there any settings that need to be adjusted after the upgrade?

Thanks,
Dale

   

Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

2017-05-19 Thread Dale Bradman
Hello.

I've recently upgraded the cluster to HDP 2.5.3 as well as Ambari to 2.4.2.0 
however I'm now facing problems running Hive queries.

Each query that invokes Tez (i.e. `insert`) results in the following error:

Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: 
org.apache.hadoop.ipc.RemoteException(java.io.IOException): 
java.util.concurrent.ExecutionException: 
org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not 
allowed to do 'GENERATE_EEK' on 'hive'

Here are my commands:

$ kinit -kt /etc/security/keytabs/automation.keytab
$ beeline -u 'jdbc:hive2://hiverserver2:1/default;principal=hive/hiverserver2@ACTIVE.DIRECTORY' -f hive_script.hql

This is obviously something that was working before the upgrade.

Why is it running the script as the hdfs user? I have not added the `hdfs` user 
to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not advised (and 
also not permitted).

Are there any settings that need to be adjusted after the upgrade?

Thanks,
Dale