Yes. Impersonation is enabled.:
drill.exec: {
cluster-id: "hhe",
zk.connect: "zk1:2181,zk22181,zk3:2181"
impersonation: {
enabled: true,
max_chained_user_hops: 3
}
}
On Mon, Jun 20, 2016 at 6:22 PM, Chun Chang <[email protected]> wrote:
> Did you enable impersonation? Check the drill-override.conf file to verify
> that impersonation is enabled.
>
> On Mon, Jun 20, 2016 at 5:17 AM, Joseph Swingle <[email protected]>
> wrote:
>
> > Yes secure cluster. Strange that I can browse hdfs, and can get the
> > metadata about hive database and tables.
> > But every sql query to pull data from hive tables results in that error.
> >
> >
> >
> >
> > > On Jun 17, 2016, at 6:24 PM, Chun Chang <[email protected]> wrote:
> > >
> > > Hi Joseph,
> > >
> > > Are you running DRILL on a secure cluster? I had success with the
> > following
> > > storage plugin configuration with MapR distribution, SQL standard
> > > authorization with Kerberos:
> > >
> > > hive storage plugin:
> > >
> > > {
> > >
> > > "type": "hive",
> > >
> > > "enabled": true,
> > >
> > > "configProps": {
> > >
> > > "hive.metastore.uris": "thrift://10.10.100.120:9083",
> > >
> > > "fs.default.name": "maprfs:///",
> > >
> > > "hive.server2.enable.doAs": "false",
> > >
> > > "hive.metastore.sasl.enabled": "true",
> > >
> > > "hive.metastore.kerberos.principal":
> > "hive/[email protected]"
> > >
> > > }
> > >
> > > }
> > >
> > >
> > > On Fri, Jun 17, 2016 at 1:28 PM, Joseph Swingle <[email protected]>
> > > wrote:
> > >
> > >> I have a Hive Storage plugin configured (bottom). I am using HDP 2.4
> > w/
> > >> Hive 1.2.1, Drill 1.6
> > >>
> > >> I can connect just fine with Drill Explorer. I can browse, and view
> > >> content on hdfs just fine with Drill Explorer. The .csv files etc,
> > display
> > >> fine.
> > >>
> > >> I can browse to see the list of schemas in Hive just fine with Drill
> > >> Explorer. But every SQL query (for example “select * from foo )
> > returns:
> > >> Caused by: java.io.IOException: Failed to get numRows from HiveTable
> > >> at
> > >>
> >
> org.apache.drill.exec.store.hive.HiveMetadataProvider.getStats(HiveMetadataProvider.java:113)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> at
> > >>
> > org.apache.drill.exec.store.hive.HiveScan.getScanStats(HiveScan.java:224)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> ... 44 common frames omitted
> > >> Caused by: org.apache.drill.common.exceptions.DrillRuntimeException:
> > >> Failed to create input splits: Can't get Master Kerberos principal for
> > use
> > >> as renewer
> > >> at
> > >>
> >
> org.apache.drill.exec.store.hive.HiveMetadataProvider.splitInputWithUGI(HiveMetadataProvider.java:264)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> at
> > >>
> >
> org.apache.drill.exec.store.hive.HiveMetadataProvider.getTableInputSplits(HiveMetadataProvider.java:128)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> at
> > >>
> >
> org.apache.drill.exec.store.hive.HiveMetadataProvider.getStats(HiveMetadataProvider.java:96)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> ... 45 common frames omitted
> > >> Caused by: java.io.IOException: Can't get Master Kerberos principal
> for
> > >> use as renewer
> > >> at
> > >>
> >
> org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:116)
> > >> ~[hadoop-mapreduce-client-core-2.7.1.jar:na]
> > >> at
> > >>
> >
> org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:100)
> > >> ~[hadoop-mapreduce-client-core-2.7.1.jar:na]
> > >> at
> > >>
> >
> org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodes(TokenCache.java:80)
> > >> ~[hadoop-mapreduce-client-core-2.7.1.jar:na]
> > >> at
> > >>
> >
> org.apache.hadoop.mapred.FileInputFormat.listStatus(FileInputFormat.java:206)
> > >> ~[hadoop-mapreduce-client-core-2.7.1.jar:na]
> > >> at
> > >>
> >
> org.apache.hadoop.mapred.FileInputFormat.getSplits(FileInputFormat.java:315)
> > >> ~[hadoop-mapreduce-client-core-2.7.1.jar:na]
> > >> at
> > >>
> >
> org.apache.drill.exec.store.hive.HiveMetadataProvider$1.run(HiveMetadataProvider.java:253)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> at
> > >>
> >
> org.apache.drill.exec.store.hive.HiveMetadataProvider$1.run(HiveMetadataProvider.java:241)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> at java.security.AccessController.doPrivileged(Native Method)
> > >> ~[na:1.8.0_45]
> > >> at javax.security.auth.Subject.doAs(Subject.java:422)
> > >> ~[na:1.8.0_45]
> > >> at
> > >>
> >
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
> > >> ~[hadoop-common-2.7.1.jar:na]
> > >> at
> > >>
> >
> org.apache.drill.exec.store.hive.HiveMetadataProvider.splitInputWithUGI(HiveMetadataProvider.java:241)
> > >> ~[drill-storage-hive-core-1.6.0.jar:1.6.0]
> > >> ... 47 common frames omitted
> > >>
> > >>
> > >>
> > >>
> > >> {
> > >> "type": "hive",
> > >> "enabled": true,
> > >> "configProps": {
> > >> "hive.metastore.uris":
> > >>
> >
> "thrift://<redacted>:9083,thrift://<redacted>:9083,thrift://<redacted>:9083",
> > >> "javax.jdo.option.ConnectionURL":
> > >>
> "jdbc:derby:;databaseName=../hive-drill-data/drill_hive_db;create=true",
> > >> "hive.metastore.warehouse.dir": "/apps/hive/warehouse",
> > >> "fs.default.name": "hdfs://<redacted>:8020",
> > >> "hive.metastore.sasl.enabled": "true",
> > >> "hive.security.authorization.enabled": "false",
> > >> "hive.server2.enable.doAs": "true",
> > >> "hive.metastore.kerberos.keytab.file":
> > >> "/etc/security/keytabs/hive.service.keytab",
> > >> "hive.metastore.kerberos.principal": "hive/<redacted>@ACT.LOCAL",
> > >> "hive.security.authorization.manager":
> > >>
> >
> "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"
> > >> }
> > >> }
> > >>
> > >> Any help even if to simply point in right direction is appreciated.
> >
> >
>
