Hi Sreeni,

I followed this guide previously, before I upgraded the cluster from 2.4 to 
2.5, and it worked successfully. I’d be keen to get some feedback/suggestions on 
why it no longer works after the upgrade rather than working through it again.

I cannot add any user to my Ranger KMS policy any more. It errors out and I can’t 
find the necessary log file to see what is happening – it just says in the red 
box “Error: Error updating policy.”

Thanks.
Dale


From: Sreeni [mailto:[email protected]]
Sent: 19 May 2017 13:50
To: [email protected]
Subject: Re: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Dale,

The following Hortonworks community guide helped me.

How to correctly setup the HDFS encryption using Ranger KMS - 
Hortonworks<https://community.hortonworks.com/content/supportkb/49505/how-to-correctly-setup-the-hdfs-encryption-using-r.html>



Sreeni

On Friday, May 19, 2017 5:49 AM, Dale Bradman <[email protected]> wrote:

Hello.

I've recently upgraded the cluster to HDP 2.5.3 as well as Ambari to 2.4.2.0; 
however, I'm now facing problems running Hive queries.

Each query that invokes Tez (i.e. `insert`) results in the following error:

Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: 
org.apache.hadoop.ipc.RemoteException(java.io.IOException): 
java.util.concurrent.ExecutionException: 
org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not 
allowed to do 'GENERATE_EEK' on 'hive'

Here are my commands:

$ kinit -kt /etc/security/keytabs/automation.keytab
$ beeline -u 'jdbc:hive2://hiverserver2:10000/default;principal=hive/[email protected]' -f hive_script.hql

This is obviously something that was working before the upgrade.

Why is it running the script as the hdfs user? I have not added the `hdfs` user 
to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not advised (and 
also not permitted).

Are there any settings that need to be adjusted after the upgrade?

Thanks,
Dale

