Unable to impersonate the logged user through Presto

Hi, 

I'm trying to configure the latest version of Presto 0.167-t.0.2 with the configuration below, and I am faced with a problem of impersonation.

  • The Hadoop cluster is a HDP Cluster v.2.3.4.7 
  • The Cluster is kerberised, and we are using Free IPA to manage all the users.
  • The user presto was created through Free IPA as usual with a specific keytab imported to the keytab folder with the good rights

Our goal here is to replace the Hive CLI / beeline and use Presto as a primary CLI to have better performance on our queries, and access to the tables stored in HDFS.

 

Could you please tell me if you have encountered this issue?

 

connector.name=hive-hadoop2
hive.metastore.uri=thrift://inbdfda01.fqdn:9083
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/inbdfda01.fqdn@BDFPOCHP
hive.metastore.client.principal=presto@BDFPOCHP
hive.metastore.client.keytab=/etc/security/keytabs/presto.headless.keytab
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.impersonation.enabled=true
hive.hdfs.presto.principal=presto@BDFPOCHP
hive.hdfs.presto.keytab=/etc/security/keytabs/presto.headless.keytab
hive.config.resources=/etc/hadoop/conf/core-site.xml,/etc/hadoop/conf/hdfs-site.xml

Error message:

[root@inbdfda01]# /images/presto --catalog hive --schema z_app_ccbihadoop_hive_temp --user u_xyz1234_adm
presto:z_app_ccbihadoop_hive_temp>
presto:z_app_ccbihadoop_hive_temp> select * from wh_visits limit 10;
Query 20170413_122724_00007_r3a9p failed: org.apache.hadoop.security.AccessControlException: Permission denied: user=presto, access=EXECUTE, inode="/apps/hive/warehouse/z_app_ccbihadoop_hive_temp.db/wh_visits":a_app_ccbihadoop:r_app_ccbihadoop_writer:drwxrwx---
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:319)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:259)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:205)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:190)
        at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1771)
        at org.apache.hadoop.hdfs.server.namenode.FSDirStatAndListingOp.getFileInfo(FSDirStatAndListingOp.java:108)
        at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getFileInfo(FSNamesystem.java:3866)
        at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getFileInfo(NameNodeRpcServer.java:1076)
        at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getFileInfo(ClientNamenodeProtocolServerSideTranslatorPB.java:843)
        at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
        at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:616)
        at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:969)
        at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2151)
        at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2147)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2145)

Why is the user trying to list HDFS presto and not root here?

In addition, we have added the proxyuser through Ambari to allow the user to make the queries. 

hadoop.proxyuser.presto.hosts=*
hadoop.proxyuser.presto.groups=*

In advance, thank you. 

 

Best regards, 

Stephen

 

1 REPLY
Re: Unable to impersonate the logged user through Presto

Hi Stefun,

 

Why is the user trying to list HDFS presto and not root here?
--The user trying to access HDFS will be the user specified in `hive.hdfs.presto.principal`. Hence if you want root user, update the principal accordingly.

In case you want to use the same principal (presto), another option could be to give presto the necessary permissions to /apps/hive/warehouse/z_app_ccbihadoop_hive_temp.db/wh_visits

 

--

Sanjay
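A way to read the denial in the error above, as an added example that is not part of the original thread: it parses the `AccessControlException` line, reports which identity the NameNode evaluated, and applies the HDFS owner/group/other check to show which permission class that identity fell into. The group memberships in `GROUPS` are constructed assumptions, not values from the cluster; the function names are hypothetical.

```python
import re

# Shape of the NameNode denial message quoted in the question.
DENIAL = re.compile(
    r'Permission denied: user=(?P<user>[^,]+), access=(?P<access>[A-Z_]+), '
    r'inode="(?P<inode>[^"]+)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[-d][-rwxtT]{9})')
BIT = {"READ": 0, "WRITE": 1, "EXECUTE": 2}
OFFSET = {"owner": 0, "group": 3, "other": 6}

# First line of the error from the question.
SAMPLE = ('Query 20170413_122724_00007_r3a9p failed: '
          'org.apache.hadoop.security.AccessControlException: Permission denied: '
          'user=presto, access=EXECUTE, '
          'inode="/apps/hive/warehouse/z_app_ccbihadoop_hive_temp.db/wh_visits"'
          ':a_app_ccbihadoop:r_app_ccbihadoop_writer:drwxrwx---')
# Constructed memberships (assumption); on a real cluster use `hdfs groups <user>`.
GROUPS = {"presto": {"presto"}, "u_xyz1234_adm": {"r_app_ccbihadoop_writer"}}


def parse_denial(line):
    """Extract evaluated user, requested access and the inode's owner/group/mode."""
    m = DENIAL.search(line)
    if m is None:
        raise ValueError("not an HDFS permission denial")
    return m.groupdict()


def check(user, groups, d):
    """HDFS tests exactly one class: owner if user owns the inode, else group, else other."""
    cls = "owner" if user == d["owner"] else "group" if d["group"] in groups else "other"
    triplet = d["mode"][1:][OFFSET[cls]:OFFSET[cls] + 3]
    wanted = list(BIT) if d["access"] == "ALL" else d["access"].split("_")
    # '-' means the bit is unset; 'T' is sticky without execute.
    return cls, all(triplet[BIT[a]] not in "-T" for a in wanted)


def diagnose(line, session_user, groups_of):
    """Compare the identity HDFS checked with the Presto session user (--user)."""
    d = parse_denial(line)
    cls, ok = check(session_user, groups_of.get(session_user, set()), d)
    return {"checked_as": d["user"], "impersonated": d["user"] == session_user,
            "session_user_class": cls, "session_user_would_pass": ok}


if __name__ == "__main__":
    print(check("presto", GROUPS["presto"], parse_denial(SAMPLE)))
    print(diagnose(SAMPLE, "u_xyz1234_adm", GROUPS))
```

With these constructed memberships, `presto` lands in the `other` class (`---`) and is denied, while the session user would pass through the group bits, so `impersonated: False` points at the proxy-user path rather than at the directory mode.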