Error getting a JDBC connection to Hive via Knox

2.3k views Asked by At

I have a Hadoop cluster running Hortonworks Data Platform 2.4.2 which has been running well for more than a year. The cluster is Kerberised and external applications connect via Knox. Earlier today, the cluster stopped accepting JDBC connections via Knox to Hive.

The Knox logs show no errors, but the Hive Server2 log shows the following error:

"Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User: knox is not allowed to impersonate org.apache.hive.service.cli.HiveSQLException: Failed to validate proxy privilege of knox for "

Having looked at other users the suggestions mostly seem to be around the correct setting of configuration options for hadoop.proxyusers.users and hadoop.proxyusers.groups.

However, in my case I don't see how these settings could be the problem. The cluster has been running for over a year and we have a number of applications connecting to Hive via JDBC on a daily basis. The configuration of the server has not been changed and connections were previously succeeding on the current configuration. No changes had been made to the platform or environment and the cluster was not restarted or taken down for maintenance between the last successful JDBC connection and JDBC connections being declined.

I have now stopped and started the cluster, but after restart the cluster still does not accept JDBC connections.

Does anyone have any suggestions on how I should proceed?

2

There are 2 answers

1
Sandeep More On

Do you have Hive Impersonation turned on?

hive.server2.enable.doAs=true

This could be the issue assuming hadoop.proxyusers.users and hadoop.proxyusers.groups are set properly.

Also, check whether the user 'knox' exist on Hive Server2 node (and others used for impersonation).

0
WattsInABox On

The known work around seems to be to set:

hadoop.proxyuser.knox.groups = *
hadoop.proxyuser.knox.hosts = *

I have yet to find a real fix that lets you keep this layer of added security.