PXF queries fail with "gpadmin is not allowed to impersonate gpadmin"
search cancel

PXF queries fail with "gpadmin is not allowed to impersonate gpadmin"

book

Article ID: 296446

calendar_today

Updated On:

Products

VMware Tanzu Greenplum VMware Tanzu Data Suite VMware Tanzu Data Suite

Issue/Introduction

When accessing an external table pointing to a newly configured Hadoop cluster, the following error is returned: 
ERROR: remote component error (500) from '127.0.0.1:5888': type Exception report message javax.servlet.ServletException: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: gpadmin is not allowed to impersonate gpadmin description The server encountered an internal error that prevented it from fulfilling this request. exception javax.servlet.ServletException: javax.servlet.ServletException: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: gpadmin is not allowed to impersonate gpadmin (libchurl.c:944) (seg0 slice1 172.16.1.1:6000 pid=228847) (cdbdisp.c:254)
DETAIL: External table ext_table


Resolution

This error is caused because user impersonation is enabled but Hadoop proxying hasn't been configured.

When PXF user personation is enabled (the default), you must configure the Hadoop core-site.xml configuration file to permit user impersonation for PXF. Follow these steps outlined in Configuring the Hadoop User, User Impersonation, and Proxying:

On your Hadoop cluster, open the core-site.xml configuration file using a text editor, or use Ambari to add or edit the Hadoop property values described in this procedure.
 

  1. Set the property hadoop.proxyuser.<name>.hosts to specify the list of PXF host names from which proxy requests are permitted. Substitute the PXF proxy user (generally gpadmin) for <name>, and provide multiple PXF host names in a comma-separated list.

    For example:

    <property>
    <name>hadoop.proxyuser.gpadmin.hosts</name>
    <value>pxfhost1,pxfhost2,pxfhost3</value>
</property>

     

  2. Set the property hadoop.proxyuser.<name>.groups to specify the list of HDFS groups that PXF can impersonate. You should limit this list to only those groups that require access to HDFS data from PXF.

    For example:

    <property>
    <name>hadoop.proxyuser.gpadmin.groups</name>
    <value>group1,group2</value>
</property>
     

  3. After changing core-site.xml, you must restart Hadoop for your changes to take effect.
     

  4. Copy the updated core-site.xml file to the PXF Hadoop configuration directory $PXF_CONF/servers/default on the master and on each Greenplum Database segment host.

Alternatively, you can disable user impersonation.

Powered by Wolken Software