Re: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Fri, 19 May 2017 05:54:31 -0700 

Dale,
Following hortonworks community guide helped me.
How to correctly setup the HDFS encryption using Ranger KMS - Hortonworks

  
|  
|   |  
How to correctly setup the HDFS encryption using Ranger KMS - Hortonworks
   |  |

  |

 
 Sreeni 

    On Friday, May 19, 2017 5:49 AM, Dale Bradman <da...@profusion.com> wrote:
 

  <!--#yiv4867688940 _filtered #yiv4867688940 {font-family:Helvetica;panose-1:2 
11 6 4 2 2 2 2 2 4;} _filtered #yiv4867688940 {font-family:"Cambria 
Math";panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv4867688940 
{font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv4867688940 
#yiv4867688940 p.yiv4867688940MsoNormal, #yiv4867688940 
li.yiv4867688940MsoNormal, #yiv4867688940 div.yiv4867688940MsoNormal 
{margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;font-family:"Calibri", 
sans-serif;}#yiv4867688940 a:link, #yiv4867688940 
span.yiv4867688940MsoHyperlink 
{color:#0563C1;text-decoration:underline;}#yiv4867688940 a:visited, 
#yiv4867688940 span.yiv4867688940MsoHyperlinkFollowed 
{color:#954F72;text-decoration:underline;}#yiv4867688940 
span.yiv4867688940EmailStyle17 {font-family:"Helvetica", 
sans-serif;color:windowtext;}#yiv4867688940 .yiv4867688940MsoChpDefault {} 
_filtered #yiv4867688940 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv4867688940 
div.yiv4867688940WordSection1 {}-->Hello.    I've recently upgraded the cluster 
to HDP 2.5.3 as well as Ambari to 2.4.2.0 however I'm now facing problems 
running Hive queries.    Each query that invokes Tez (i.e. `insert`) results in 
the following error:    Caused by: 
org.apache.hadoop.hive.ql.metadata.HiveException: 
org.apache.hadoop.ipc.RemoteException(java.io.IOException): 
java.util.concurrent.ExecutionException: 
org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not 
allowed to do 'GENERATE_EEK' on 'hive'    Here are my commands:    $ kinit -kt 
/etc/security/keytabs/automation.keytab $ beeline -u 
'jdbc:hive2://hiverserver2:10000/default;principal=hive/hiverserver2@ACTIVE.DIRECTORY'
 -f hive_script.hql    This is obviously something that was working before the 
upgrade.    Why is it running the script as the hdfs user? I have not added the 
`hdfs` user to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not 
advised (and also not permitted).    Are there any settings that need to be 
adjusted after the upgrade?    Thanks, Dale   

Reply via email to