最近在生產中搭建HA機制的集群，碰到不少坑，會在接下來的時間里好好總結下，先說下遇到的一個大坑。我們的需求是：希望通過hive的thrift服務來實現跨語言訪問Hive數據倉庫。但是第一步，你得需要在節點中打通服務器端（啟動hiveserver2的節點）和客戶端（啟動beeline的節點）的鏈接。整體的結構如下圖所示：

但是整個的配置過程可謂是一波三折，先在數據1節點啟動hiveserver2，接著在數據3節點啟動beeline鏈接數據1。出現了以下錯誤：
坑：

Error: Could not open client transport with JDBC Uri: jdbc:hive2://ha1:10000/hive: Failed to open new session: java.lang.RuntimeException: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: root is not allowed to impersonate root(state=08S01,code=0)

解決方法：參考網上的一般的解決方法

---

在hadoop的配置文件core-site.xml中添加如下屬性： <property><name>hadoop.proxyuser.root.hosts</name><value>*</value> </property> <property><name>hadoop.proxyuser.root.groups</name><value>*</value> </property>

報錯：User: root is not allowed to impersonate root(state=08S01,code=0)
就將上面配置hadoop.proxyuser.xxx.hosts和hadoop.proxyuser.xxx.groups中的xxx設置為root(即你的錯誤日志中顯示的User：xxx為什么就設置為什么)。“*”表示可通過超級代理“xxx”操作hadoop的用戶、用戶組和主機。重啟hdfs。
這樣改的原因：
主要原因是hadoop引入了一個安全偽裝機制，使得hadoop 不允許上層系統直接將實際用戶傳遞到hadoop層，而是將實際用戶傳遞給一個超級代理，由此代理在hadoop上執行操作，避免任意客戶端隨意操作hadoop，如下圖：

圖上的超級代理是“Oozie”，你自己的超級代理是上面設置的“xxx”。
而hadoop內部還是延用linux對應的用戶和權限。即你用哪個linux用戶啟動hadoop，對應的用戶也就成為hadoop的內部用戶，如下圖我的linux用戶為root，對應的hadoop中用戶也就是root：

如果是這么簡單就好了，改完之后錯誤依舊，只不過是在自己虛擬機搭建的HA集群中可以正常連接，但是生產中的集群依舊不能正常鏈接，糾結了大半天，參考了網上的各種解決方案如刷新HDFS的用戶的配置權限：

bin/hdfs dfsadmin –refreshSuperUserGroupsConfiguration bin/yarn rmadmin –refreshSuperUserGroupsConfiguration

但是都沒有效果，后來仔細對比了虛擬機正常連接的集群對應的日志和生產啟動失敗的集群的日志發現了一些“蛛絲馬跡”：
虛擬機的日志（正常啟動）：

2018-08-29T10:22:11,661 INFO [main] metastore.MetaStoreDirectSql: Using direct SQL, underlying DB is MYSQL 2018-08-29T10:22:11,665 INFO [main] metastore.ObjectStore: Initialized ObjectStore 2018-08-29T10:22:11,813 INFO [main] metastore.HiveMetaStore: Added admin role in metastore 2018-08-29T10:22:11,814 INFO [main] metastore.HiveMetaStore: Added public role in metastore 2018-08-29T10:22:11,834 INFO [main] metastore.HiveMetaStore: No user is added in admin role, since config is empty 2018-08-29T10:22:12,032 INFO [main] metastore.HiveMetaStore: 0: get_all_functions 2018-08-29T10:22:12,036 INFO [main] HiveMetaStore.audit: ugi=root ip=unknown-ip-addr cmd=get_all_functions 2018-08-29T10:22:13,841 INFO [main] session.SessionState: Created HDFS directory: /tmp/hive/root/ca0849bf-7b5f-44fb-af7e-ebcdfe04d13f 2018-08-29T10:22:13,895 INFO [main] session.SessionState: Created local directory: /tmp/root/ca0849bf-7b5f-44fb-af7e-ebcdfe04d13f 2018-08-29T10:22:13,908 INFO [main] session.SessionState: Created HDFS directory: /tmp/hive/root/ca0849bf-7b5f-44fb-af7e-ebcdfe04d13f/_tmp_space.db 2018-08-29T10:22:13,936 INFO [main] sqlstd.SQLStdHiveAccessController: Created SQLStdHiveAccessController for session context : HiveAuthzSessionContext [sessionString=ca0849bf-7b5f-44fb-af7e-ebcdfe04d13f, clientType=HIVESERVER2] 2018-08-29T10:22:13,938 WARN [main] session.SessionState: METASTORE_FILTER_HOOK will be ignored, since hive.security.authorization.manager is set to instance of HiveAuthorizerFactory. 2018-08-29T10:22:13,940 INFO [main] hive.metastore: Mestastore configuration hive.metastore.filter.hook changed from org.apache.hadoop.hive.metastore.DefaultMetaStoreFilterHookImpl to org.apache.hadoop.hive.ql.security.authorization.plugin.AuthorizationMetaStoreFilterHook 2018-08-29T10:22:13,996 INFO [main] metastore.HiveMetaStore: 0: Cleaning up thread local RawStore... 2018-08-29T10:22:13,996 INFO [main] HiveMetaStore.audit: ugi=root ip=unknown-ip-addr cmd=Cleaning up thread local RawStore... 2018-08-29T10:22:13,996 INFO [main] metastore.HiveMetaStore: 0: Done cleaning up thread local RawStore 2018-08-29T10:22:13,997 INFO [main] HiveMetaStore.audit: ugi=root ip=unknown-ip-addr cmd=Done cleaning up thread local RawStore 2018-08-29T10:22:14,606 INFO [main] service.CompositeService: Operation log root directory is created: /tmp/root/operation_logs 2018-08-29T10:22:14,618 INFO [main] service.CompositeService: HiveServer2: Background operation thread pool size: 100 2018-08-29T10:22:14,624 INFO [main] service.CompositeService: HiveServer2: Background operation thread wait queue size: 100 2018-08-29T10:22:14,624 INFO [main] service.CompositeService: HiveServer2: Background operation thread keepalive time: 10 seconds 2018-08-29T10:22:14,653 INFO [main] service.AbstractService: Service:OperationManager is inited. 2018-08-29T10:22:14,653 INFO [main] service.AbstractService: Service:SessionManager is inited. 2018-08-29T10:22:14,653 INFO [main] service.AbstractService: Service:CLIService is inited. 2018-08-29T10:22:14,653 INFO [main] service.AbstractService: Service:ThriftBinaryCLIService is inited. 2018-08-29T10:22:14,653 INFO [main] service.AbstractService: Service:HiveServer2 is inited. 2018-08-29T10:22:14,654 INFO [main] server.HiveServer2: Starting Web UI on port 10002 2018-08-29T10:22:14,903 INFO [main] service.AbstractService: Service:OperationManager is started. 2018-08-29T10:22:14,903 INFO [main] service.AbstractService: Service:SessionManager is started. 2018-08-29T10:22:14,915 INFO [main] service.AbstractService: Service:CLIService is started. 2018-08-29T10:22:14,916 INFO [main] service.AbstractService: Service:ThriftBinaryCLIService is started. 2018-08-29T10:22:14,916 INFO [main] service.AbstractService: Service:HiveServer2 is started. 2018-08-29T10:22:14,918 INFO [main] server.Server: jetty-7.6.0.v20120127 2018-08-29T10:22:15,054 INFO [main] webapp.WebInfConfiguration: Extract jar:file:/root/apps/hive-2.1.1/lib/hive-service-2.1.1.jar!/hive-webapps/hiveserver2/ to /tmp/jetty-0.0.0.0-10002-hiveserver2-_-any-/webapp 2018-08-29T10:22:15,090 INFO [Thread-11] thrift.ThriftCLIService: Starting ThriftBinaryCLIService on port 10000 with 5...500 worker threads 2018-08-29T10:22:15,413 INFO [main] handler.ContextHandler: started o.e.j.w.WebAppContext{/,file:/tmp/jetty-0.0.0.0-10002-hiveserver2-_-any-/webapp/},jar:file:/root/apps/hive-2.1.1/lib/hive-service-2.1.1.jar!/hive-webapps/hiveserver2 2018-08-29T10:22:15,583 INFO [main] handler.ContextHandler: started o.e.j.s.ServletContextHandler{/static,jar:file:/root/apps/hive-2.1.1/lib/hive-service-2.1.1.jar!/hive-webapps/static} 2018-08-29T10:22:15,594 INFO [main] handler.ContextHandler: started o.e.j.s.ServletContextHandler{/logs,file:/root/apps/hive-2.1.1/logs/} 2018-08-29T10:22:15,645 INFO [main] server.AbstractConnector: Started SelectChannelConnector@0.0.0.0:10002 2018-08-29T10:22:15,660 INFO [main] http.HttpServer: Started HttpServer[hiveserver2] on port 10002 2018-08-29T10:22:15,660 INFO [main] server.HiveServer2: Web UI has started on port 10002 2018-08-29T10:26:04,804 INFO [HiveServer2-Handler-Pool: Thread-39] thrift.ThriftCLIService: Client protocol version: HIVE_CLI_SERVICE_PROTOCOL_V9 2018-08-29T10:26:05,732 INFO [HiveServer2-Handler-Pool: Thread-39] session.SessionState: Created HDFS directory: /tmp/hive/root/f575ff1d-8cfa-4d94-beb8-bd7365a5bada 2018-08-29T10:26:05,735 INFO [HiveServer2-Handler-Pool: Thread-39] session.SessionState: Created local directory: /tmp/root/f575ff1d-8cfa-4d94-beb8-bd7365a5bada 2018-08-29T10:26:05,745 INFO [HiveServer2-Handler-Pool: Thread-39] session.SessionState: Created HDFS directory: /tmp/hive/root/f575ff1d-8cfa-4d94-beb8-bd7365a5bada/_tmp_space.db 2018-08-29T10:26:05,748 INFO [HiveServer2-Handler-Pool: Thread-39] session.HiveSessionImpl: Operation log session directory is created: /tmp/root/operation_logs/f575ff1d-8cfa-4d94-beb8-bd7365a5bada 2018-08-29T10:26:05,749 INFO [HiveServer2-Handler-Pool: Thread-39] service.CompositeService: Session opened, SessionHandle [f575ff1d-8cfa-4d94-beb8-bd7365a5bada], current sessions:1 2018-08-29T10:26:05,864 INFO [HiveServer2-Handler-Pool: Thread-39] conf.HiveConf: Using the default value passed in for log id: f575ff1d-8cfa-4d94-beb8-bd7365a5bada 2018-08-29T10:26:05,864 INFO [HiveServer2-Handler-Pool: Thread-39] session.SessionState: Updating thread name to f575ff1d-8cfa-4d94-beb8-bd7365a5bada HiveServer2-Handler-Pool: Thread-39 2018-08-29T10:26:05,865 INFO [f575ff1d-8cfa-4d94-beb8-bd7365a5bada HiveServer2-Handler-Pool: Thread-39] conf.HiveConf: Using the default value passed in for log id: f575ff1d-8cfa-4d94-beb8-bd7365a5bada 2018-08-29T10:26:05,865 INFO [HiveServer2-Handler-Pool: Thread-39] session.SessionState: Resetting thread name to HiveServer2-Handler-Pool: Thread-39 2018-08-29T10:26:05,883 INFO [HiveServer2-Handler-Pool: Thread-39] conf.HiveConf: Using the default value passed in for log id: f575ff1d-8cfa-4d94-beb8-bd7365a5bada 2018-08-29T10:26:05,883 INFO [f575ff1d-8cfa-4d94-beb8-bd7365a5bada HiveServer2-Handler-Pool: Thread-39] conf.HiveConf: Using the default value passed in for log id: f575ff1d-8cfa-4d94-beb8-bd7365a5bada 2018-08-29T10:26:05,883 INFO [HiveServer2-Handler-Pool: Thread-39] session.SessionState: Updating thread name to f575ff1d-8cfa-4d94-beb8-bd7365a5bada HiveServer2-Handler-Pool: Thread-39 2018-08-29T10:26:05,883 INFO [HiveServer2-Handler-Pool: Thread-39] session.SessionState: Resetting thread name to HiveServer2-Handler-Pool: Thread-39

啟動失敗的日志：

2018-08-29T09:40:46,117 INFO [main] metastore.MetaStoreDirectSql: Using direct SQL, underlying DB is MYSQL 2018-08-29T09:40:46,119 INFO [main] metastore.ObjectStore: Initialized ObjectStore 2018-08-29T09:40:46,215 INFO [main] metastore.HiveMetaStore: Added admin role in metastore 2018-08-29T09:40:46,217 INFO [main] metastore.HiveMetaStore: Added public role in metastore 2018-08-29T09:40:46,231 INFO [main] metastore.HiveMetaStore: No user is added in admin role, since config is empty 2018-08-29T09:40:46,368 INFO [main] metastore.HiveMetaStore: 0: get_all_functions 2018-08-29T09:40:46,371 INFO [main] HiveMetaStore.audit: ugi=root ip=unknown-ip-addr cmd=get_all_functions 2018-08-29T09:40:47,422 INFO [main] metastore.HiveMetaStore: 0: Cleaning up thread local RawStore... 2018-08-29T09:40:47,423 INFO [main] metastore.HiveMetaStore: 0: Done cleaning up thread local RawStore 2018-08-29T09:40:47,825 INFO [main] service.AbstractService: Service:CLIService is inited. 2018-08-29T09:40:47,826 INFO [main] server.HiveServer2: Starting Web UI on port 10002 2018-08-29T09:40:47,906 INFO [main] service.AbstractService: Service:OperationManager is started. 2018-08-29T09:40:47,906 INFO [main] service.AbstractService: Service:SessionManager is started. 2018-08-29T09:40:47,907 INFO [main] service.AbstractService: Service:CLIService is started. 2018-08-29T09:40:47,907 INFO [main] service.AbstractService: Service:ThriftBinaryCLIService is started. 2018-08-29T09:40:47,908 INFO [main] service.AbstractService: Service:HiveServer2 is started. 2018-08-29T09:40:47,910 INFO [main] server.Server: jetty-7.6.0.v20120127 2018-08-29T09:40:48,102 INFO [main] server.AbstractConnector: Started SelectChannelConnector@0.0.0.0:10002 2018-08-29T09:40:48,105 INFO [main] server.HiveServer2: Web UI has started on port 10002 2018-08-29T09:40:48,105 INFO [main] http.HttpServer: Started HttpServer[hiveserver2] on port 10002 2018-08-29T09:41:03,343 WARN [HiveServer2-Handler-Pool: Thread-43] service.CompositeService: Failed to open sessionat org.apache.hive.service.cli.session.HiveSessionProxy$1.run(HiveSessionProxy.java:63)at java.security.AccessController.doPrivileged(Native Method)at javax.security.auth.Subject.doAs(Subject.java:422)at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1656)at org.apache.hive.service.cli.session.SessionManager.createSession(SessionManager.java:327)at org.apache.hive.service.cli.session.SessionManager.openSession(SessionManager.java:279)at org.apache.hive.service.cli.CLIService.openSessionWithImpersonation(CLIService.java:189)at org.apache.hive.service.cli.thrift.ThriftCLIService.getSessionHandle(ThriftCLIService.java:423)at org.apache.hive.service.cli.thrift.ThriftCLIService.OpenSession(ThriftCLIService.java:312)at org.apache.hive.service.rpc.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1377)at org.apache.hive.service.rpc.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1362)at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)at java.lang.Thread.run(Thread.java:748)at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:591)at org.apache.hadoop.ipc.Client.call(Client.java:1469)at org.apache.hadoop.ipc.Client.call(Client.java:1400)at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:232)at com.sun.proxy.$Proxy30.getFileInfo(Unknown Source)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:498)at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:187)at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)at com.sun.proxy.$Proxy31.getFileInfo(Unknown Source)at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1977)at org.apache.hadoop.hdfs.DistributedFileSystem$18.doCall(DistributedFileSystem.java:1118)at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1114)at org.apache.hadoop.fs.FileSystem.exists(FileSystem.java:1400)at org.apache.hadoop.hive.ql.session.SessionState.createRootHDFSDir(SessionState.java:689)at org.apache.hadoop.hive.ql.session.SessionState.createSessionDirs(SessionState.java:635)at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:563)... 28 more 2018-08-29T09:41:03,350 WARN [HiveServer2-Handler-Pool: Thread-43] thrift.ThriftCLIService: Error opening session:at org.apache.hive.service.cli.session.SessionManager.createSession(SessionManager.java:336)at org.apache.hive.service.cli.session.SessionManager.openSession(SessionManager.java:279)at org.apache.hive.service.cli.CLIService.openSessionWithImpersonation(CLIService.java:189)at org.apache.hive.service.cli.thrift.ThriftCLIService.getSessionHandle(ThriftCLIService.java:423)at org.apache.hive.service.rpc.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1362)at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: java.lang.RuntimeException: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: root is not allowed to impersonate rootat org.apache.hive.service.cli.session.HiveSessionProxy.invoke(HiveSessionProxy.java:89)at org.apache.hive.service.cli.session.HiveSessionProxy.access$000(HiveSessionProxy.java:36)at org.apache.hive.service.cli.session.HiveSessionProxy$1.run(HiveSessionProxy.java:63)at java.security.AccessController.doPrivileged(Native Method)at javax.security.auth.Subject.doAs(Subject.java:422)at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1656)at org.apache.hive.service.cli.session.HiveSessionProxy.invoke(HiveSessionProxy.java:59)at com.sun.proxy.$Proxy37.open(Unknown Source)at org.apache.hive.service.cli.session.SessionManager.createSession(SessionManager.java:327)... 13 more Caused by: java.lang.RuntimeException: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: root is not allowed to impersonate rootat org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:591)at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:526)at org.apache.hive.service.cli.session.HiveSessionImpl.open(HiveSessionImpl.java:168)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:498)at org.apache.hive.service.cli.session.HiveSessionProxy.invoke(HiveSessionProxy.java:78)... 21 more Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: root is not allowed to impersonate rootat org.apache.hadoop.ipc.Client.call(Client.java:1469)at org.apache.hadoop.ipc.Client.call(Client.java:1400)at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:232)at com.sun.proxy.$Proxy30.getFileInfo(Unknown Source)at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:752)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

最后一對比，發現正常鏈接的日志中有對HDFS某目錄的操作，失敗的則沒有，如下圖所示：

所以推測是用戶權限的問題（只怪自己不懂內部運行機制，只能這樣猜了。。）
于是自己又更改了HDFS中對應的/tmp文件更改權限：

hadoop fs -chmod -r 777 /tmp

后來發現依舊不行。。。。
此刻博主被折磨的不行不行了。。。不過還得接著解決，不然公司的小姐姐就沒法接下來的工作，深刻對比了兩個集群的狀態后（虛擬機和生產集群），突然發現生產中啟動hiveserver2的節點的namenode狀態為standy(搭建的是HA機制的集群有兩個namenode，一個為active狀態，一個為standy，standy狀態的節點沒有對HDFS的操作權限。PS：即使read的權限也沒有，畢竟兩個namenode只有一個掌控對應的HDFS的權限)，而虛擬機中啟動hiveserver2的節點的狀態為Active。于是感覺希望又來了，果斷kill掉生產中對應的active狀態的namenode，這樣standy狀態的namenode也就轉化為active狀態也就有了操作HDFS的權限，操作過后，總算大功告成，連接生效。

總結：

其實整個過程只要把第一步的超級代理用戶配置好，然后在最后一步的啟動hiveserver2的NameNode（我們這里稱為ha1）的狀態改為active狀態應該就OK了，因為這樣你就能用ha1在hadoop環境下的root用戶去操作HDFS，即使這里再出現用戶權限不足的問題，那我們可以接著修改對應的文件的訪問權限。而當另一個namenode為active狀態，ha1為standy狀態時，我們就無法用ha1下的root用戶去訪問HDFS，所以也就造成啟動日志中，一直無法加載生成對應的HDFS文件。

其他一些不錯的參考：
https://blog.csdn.net/sunnyyoona/article/details/51648871
http://debugo.com/beeline-invalid-url/
https://blog.csdn.net/yunyexiangfeng/article/details/60867563

總結

以上是生活随笔為你收集整理的beeline连接hiveserver2报错：User: root is not allowed to impersonate root的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。