Impersonate users when performing Hive operations

Description

None

Release Notes

Added support for impersonation with CDAP Explore (Hive) operations, such as enabling exploring of a dataset or running queries against it.

Activity

Ali Anwar
August 12, 2016, 2:27 AM

WIP branch:
https://github.com/caskdata/cdap/compare/write-credentials-per-query

First commit writes the calling user's credentials to a file to be shipped with the explore job. This is necessary because Hive doesn't always get the credentials from the current UGI.

Second commit wraps the explore handler's usage of ExploreService and ExploreTableManager in impersonation `doAs` blocks.

Also, some operations are not done while impersonating. See `ExploreMetadataHttpHandler`.
Example operation: Getting JDBCCatalogs, getting JDBCTypes, or JDBCInfo.

This approach works for MapReduce jobs launched in YARN, but fails to do impersonation for local MR jobs.

Ali Anwar
October 27, 2016, 7:25 PM

By disallowing Hive from launching local MR jobs in a child process, we avoid the lack of impersonation in the child process, at the cost of performance:
https://github.com/caskdata/cdap/pull/7011

Rohit Sinha
February 14, 2017, 2:07 AM

Can you please link the design doc for this feature here?

Ali Anwar
February 14, 2017, 2:43 AM

It's not specific to impersonation in explore, but the more generic design doc for impersonation changes in CDAP 3.5: https://wiki.cask.co/display/CE/Secure+Impersonation+-+Security+3.5.
Take a look at the pull request for more details: https://github.com/caskdata/cdap/pull/7011

Fixed

Assignee

Ali Anwar

Reporter

Ali Anwar

Labels

None

Docs Impact

None

UX Impact

None

Epic Link

Components

Fix versions

Affects versions

Priority

Major