Pivotal Knowledge Base


Query from Hive-CLI fails with "MetaException(message:Metastore Authorization api invocation for remote metastore is disabled in this configuration"


  • Ambari 1.7
  • PHD 3.0


Query which is executed from Hive-CLI may fail in PHD 3.0 cluster which is deployed with default configuration via Ambari. The error message may look as follows.

hive> show current roles;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Failed to retrieve roles for hive: Metastore Authorization api invocation for remote metastore is disabled in this configuration.


HiveServer2 is deployed with PHD 3.0 by default. And authorization has been enhanced in the version of Hive shipped with PHD 3.0.  

Setting "MetaStoreAuthzAPIAuthorizerEmbedOnly" for property "hive.security.metastore.authorization.manager" is to disable some operation through Hive-CLI which could invoke API call to metastore.



It's not suggested to remove setting "MetaStoreAuthzAPIAuthorizerEmbedOnly" from "hive.security.metastore.authorization.manager" as it make it possible for user to set himself as admin and bypass SQL-based privileges from Hive-CLI.

Instead use beeline to connect to HiverServer2 and conduct operations.

beeline> !connect jdbc:hive2://hdm1.hadoop.local:10000 hive hive org.apache.hive.jdbc.HiveDriver
Connecting to jdbc:hive2://hdm1.hadoop.local:10000
Connected to: Apache Hive (version
Driver: Hive JDBC (version
0: jdbc:hive2://hdm1.hadoop.local:10000> show current roles;
| role |
| public |
| |
2 rows selected (1.54 seconds)


Powered by Zendesk