Pivotal Knowledge Base

Follow

Query from Hive-CLI fails with "MetaException(message:Metastore Authorization api invocation for remote metastore is disabled in this configuration"

Environment

  • Ambari 1.7
  • PHD 3.0

Symptom

Query which is executed from Hive-CLI may fail in PHD 3.0 cluster which is deployed with default configuration via Ambari. The error message may look as follows.

hive> show current roles;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Failed to retrieve roles for hive: Metastore Authorization api invocation for remote metastore is disabled in this configuration.

Cause

HiveServer2 is deployed with PHD 3.0 by default. And authorization has been enhanced in the version of Hive shipped with PHD 3.0.  

Setting "MetaStoreAuthzAPIAuthorizerEmbedOnly" for property "hive.security.metastore.authorization.manager" is to disable some operation through Hive-CLI which could invoke API call to metastore.

<property>
 <name>hive.security.metastore.authorization.manager</name>
 <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>

Fix

It's not suggested to remove setting "MetaStoreAuthzAPIAuthorizerEmbedOnly" from "hive.security.metastore.authorization.manager" as it make it possible for user to set himself as admin and bypass SQL-based privileges from Hive-CLI.

Instead use beeline to connect to HiverServer2 and conduct operations.

beeline> !connect jdbc:hive2://hdm1.hadoop.local:10000 hive hive org.apache.hive.jdbc.HiveDriver
Connecting to jdbc:hive2://hdm1.hadoop.local:10000
Connected to: Apache Hive (version 0.14.0.3.0.0.0-249)
Driver: Hive JDBC (version 0.14.0.3.0.0.0-249)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://hdm1.hadoop.local:10000> show current roles;
+---------+--+
| role |
+---------+--+
| public |
| |
+---------+--+
2 rows selected (1.54 seconds)
 

Comments

Powered by Zendesk