Added support for impersonation with CDAP Explore (Hive) operations, such as enabling exploring of a dataset or running queries against it.
First commit writes the calling user's credentials to a file to be shipped with the explore job. This is necessary, because hive doesn't always get the credentials from the current UGI.
Second commit wraps the explore handler's usage of ExploreService and ExploreTableManager in impersonation `doAs` blocks.
Also, some operations are not done while impersonating. See `ExploreMetadataHttpHandler`.
Example operation: Getting JDBCCatalogs, getting JDBCTypes, or JDBCInfo.
This approach works for MapReduce jobs launched in YARN, but fails to do impersonation for local MR jobs.
: Can you please link the design doc for this feature here ?
It's not specific to impersonation in explore, but the more generic design doc for impersonation changes in CDAP 3.5: https://wiki.cask.co/display/CE/Secure+Impersonation+-+Security+3.5.
Take a look at pull request more more details: https://github.com/caskdata/cdap/pull/7011