Connecting to Hive with Cloudera Sentry Enabled

When making a connection, Workbench not only communicates with the HiveServer, but also connects directly to Hive Metastore. Direct access to Metastore is by default forbidden for public users when Sentry is enabled. Therefore you might see an error like below:

 

00000001 18:43:07.514: LEAVE: TSaslTransport.Open() 
00000001 18:43:07.514: Thrift: OpenSession() 
00000001 18:43:07.644: LEAVE: Db connection open. 
00000001 18:43:07.647: ERROR: 
Message: 
Cannot read, Remote side has closed 
Type : Thrift.Transport.TTransportException 
Source : Aginity.MPP.Thrift 
Trace : at Aginity.MPP.Thrift.Sasl.TSaslTransport.Read(Byte[] buf, Int32 off, Int32 len) 
at Thrift.Transport.TTransport.ReadAll(Byte[] buf, Int32 off, Int32 len) 
at Thrift.Protocol.TBinaryProtocol.ReadI32() 
at Thrift.Protocol.TBinaryProtocol.ReadMessageBegin() 
at thrift012.org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore.Client.recv_get_all_databases() 
at Aginity.MPP.Hive.Type1Helper_0_12.GetDatabases() 
at Aginity.MPP.Hive.HiveThriftSchemaHelper.GetDatabases(String nameMask, Boolean includeEntityCounts, Dictionary`2& dbSizes) 
at Aginity.MPP.Workbench.frmQueryAnalyzer.PopulateDatabases(Boolean refreshDatabases, Boolean connectToSystemDB, Boolean silent) 
00000001 18:43:08.773: Closing hs2 session...

 

Solution

Modify the configuration property hadoop.proxyuser.hive.groups in Cloudera Manager:

Add there the group name of users who want to use Workbench, or ‘*’ to allow direct access to the Metastore to everyone. It is not security issue, it just provides only readonly metadata, and it is needed for all applications, which access Metastore directly (Spark for example).

Affects versions:

Workbench for Hadoop

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.

** Aginity, Inc.’s Provision of Scripts and Similar Materials at Help Desk Center. For the convenience of Aginity Amp™ clients, we provide code snippets, scripts and similar materials at this Help Desk Center. Such materials are reference materials provided for illustration purposes only. These are intended to serve as an example for self-service clients and are generally geared to respond to common questions asked by similar clients. Such materials constitute Aginity’s intellectual property. Aginity Amp clients and their authorized users are permitted to use these materials in connection with their software license and/or subscription of Aginity Amp. Nothing herein shall limit Aginity’s right to use, develop, enhance, modify or market any of these materials as part of its business. These materials are not formally supported by Aginity or its affiliates. Usage of these materials does not guarantee any specific results, uptime, performance or error-free operation. Aginity disclaims all warranties of any kind, whether express, implied, statutory or otherwise, including any implied warranty of merchantability or fitness for a particular purpose.

Powered by Zendesk