My Oracle Support Banner

Hive Impersonation on BDCS with BDM Notebooks and Spark Fails with Errors: "...WARN security.UserGroupInformation: PriviledgedActionException...Authentication Failed..." (Doc ID 2532441.1)

Last updated on FEBRUARY 06, 2020

Applies to:

Big Data Cloud Service - Version 1.0 and later
Information in this document applies to any platform.

Symptoms

NOTE: In the examples that follow, user details, company name, email, hostnames, etc. represent a fictitious sample (and are used to provide an illustrative example only). Any similarity to actual persons, or entities, living or dead, is purely coincidental and not intended in any manner.

Using BDCS 4.11.4 and hive impersonation as Big Data Manager (BDM) user (bigdatamgr) fails with errors like:

$ spark2-shell --proxy-user hive
19/02/11 16:39:19 WARN util.Utils: Service 'SparkUI' could not bind on port 4040. Attempting port 4041.
19/02/11 16:39:21 WARN security.UserGroupInformation: PriviledgedActionException as:bigdatamgr@MY_BDCSCLOUDSERVICE.<DOMAIN> (auth:KERBEROS) cause:org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://<FQ_HOSTNAME>:16000/kms/v1/?op=GETDELEGATIONTOKEN&doAs=hive&renewer=yarn%2F<FQ_HOSTNAME>%40MY_BDCSCLOUDSERVICE.<DOMAIN>&user.name=bigdatamgr, status: 403, message: Forbidden
19/02/11 16:39:21 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [https://<FQ_HOSTNAME>:16000/kms/v1/] threw an IOException [java.lang.reflect.UndeclaredThrowableException]!

This happens with BDM Notebooks and Spark2 shell when using impersonation.  The errors happen even though the Cloudera Manager HDFS Service configuration for "hadoop.proxyuser.bigdatamgr.users" is set to a value of " * ".  This setting is confirmed by logging in to Cloudera Manager (CM) -> click HDFS Service-> Configuration-> Service-Wide-Advanced-> Cluster-wide Advanced Configuration Snippet (Safety Valve) and using search terms "hadoop.proxyuser.bigdatamgr.users".

When accessing Spark from BigDataManager Notebook, or from the command line, as bigdatamgr user it works fine with impersonation turned OFF.

The problem is limited to spark and BDM when using impersonation with BDM user (bigdatamgr).

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Cause
Solution


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.