Unable to create Hive table from Spark

Hi,

I am trying to use the Spark to Hive module, but it always fails with the following error:
ERROR Spark to Hive 0:13 Execute failed: Failed to create hive table with name ‘tablename’. Reason: org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:Got exception: org.apache.hadoop.security.AccessControlException User spark-job-server(user id 994) has been denied access to create tablename).

It seems to have to do with spark-job-server’s privileges, so I tried to change the following properties in hive-site.xml:
hive.users.in.admin.role --> root, spark-job-server
hive.server2.enable.doAs --> true
I restarted Hive service after changing these properties, but it still fails with the same error.

Any ideas on what else I can do to solve this?

Regards,
Veronica

Hi @veee
my apologies for the late reply.

Yes, this appears to be a permissions problem in your Hive setup.

Could you provide more details on your setup? (Cloudera/Hortonworks?, real cluster or sandbox VM?, Kerberos security?).

If you are on a “real cluster”, I would not recommend to assign special permissions to spark-job-server user. Instead I recommend to set up jobserver so that it impersonates users. Then you can manage per-user permissions using grant/revoke SQL statements. How to do this is described in the jobserver installation guide:

The guide describes how to do that as part of the section “HOW TO INSTALL ON A KERBEROS-SECURED CLUSTER”. From that section you need to to steps 4-6. Steps 1-3 are not necessary, unless you have a Kerberos-secured cluster. Additionally you need to set up jobserver for authentication (shiro.ini). There is a shiro.ini template for very simple setups, or you can authenticate against LDAP (also described in the installation guide).

Best,
Björn

Hi,

Thanks for the response.
I’m using a MapR cluster with 4 nodes, un-secured.
We should have gone through those steps as well when installing the job server. I tried granting privileges to spark-job-server but was unable to do so since even the ‘root’ user cannot grant privileges.

Hi @veee
sorry for the late response.
did you check the core-site.xml and the environment.conf?
Could you look in the MapR-FS and check the permission settings of the warehouse directory of Hive (usually
/user/hive/warehouse)
In MapR this is usually set to only allow the mapr user to write into the directory. It could be necessary to change this. It might make sense to grant the mapr-group write privileges and add the users that should create Hive tables to to the mapr group.
See http://doc.mapr.com/display/MapR/Hive+User+Impersonation for further info.

Hi, thanks for the response.
I granted the both group and user privileges to the folder already actually, but it still didn’t work. I also added another “spark-job-server” user as root in the Hive configuration file. Changing the group id for “spark-job-server” didn’t help either.
Am I granting privileges to the wrong user?

Hi @veee
well did you set up impersonation, as recommended by Björn? If so, the privileges must be granted for the user given in the HIVE Connector node. Did you follow the steps for impersonation given in the mapr documentation link I gave in the last reply?

Best,
Mareike