You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@hive.apache.org by Mikhail Antonov <ol...@gmail.com> on 2013/08/16 22:05:37 UTC
User impersonation when accessing kerberized Hive/Hadoop installation
from Beeline
I'm trying to access hiveserver2 with kerberos enabled (hive 10, cdh 4.2.1,
local metastore) from the beeline tool, but seeing some unexpected (to me)
behavior:
- when entering the command in Beeline like "!connect
jdbc:hive2://host:port/default;<hive principal>" I'm asked to enter
username and password, but whatever fake values I provide, I can still log
in
- once I'm logged in, I can execute 'show databases;' and successfully see
the list of all databases from the metastore; but when I try to create one,
I'm getting error from the Hadoop layer, saying the user "hive" can't write
to specific location in HDFS. 'hive' in my configuration is the user who
runs the hiveserver2 and also user who runs beeline program, but entered
username in Beeline !connect command is, say, 'user1', so in the Hadoop
logs I expect to see something like "user1-via-hive' proxying, but that's
not what happens. That behavior seems to not depend on the
hive.server2.enable.impersonation or hive.server2.enable.doAs config param
values.
Anyone has any thoughts?
Thanks,
Mikhail