...

The owner principal of an entity is supplied either when the entity is created through the CDAP CLI or the CDAP Microservices, or when an application creates the entity itself.

Hive Configuration

In order for Hive to work with impersonation, one of the following approaches can be used:

  • Hive Proxy Users; or

  • Hive SQL-based Authorization

Hive Proxy Users

To configure Hive to be able to impersonate other users, set in hive-site.xml the property:

Code Block
<property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
</property>

Note that the CDAP Explore service ignores this setting; it still needs to be able to impersonate the users who create and access entities in CDAP, which requires the hive service user to be configured as a Hadoop proxy user in your core-site.xml. The first property below allows the hive user to impersonate members of group1 and group2; the second allows it to do so from any host (*). The host wildcard is more permissive than most deployments need: where possible, restrict it to the hosts that run HiveServer2.

Code Block
<property>
    <name>hadoop.proxyuser.hive.groups</name>
    <value>group1,group2</value>
</property>

<property>
    <name>hadoop.proxyuser.hive.hosts</name>
    <value>*</value>
</property>

For more information, see Cloudera documentation.

Hive SQL-based Authorization

An alternative to the above is to use SQL-based authorization. Add these properties to your hive-site.xml:

Code Block
<property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
</property>
<property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>
<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
</property>
<property>
    <name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.ProxyUserAuthenticator</value>
</property>

The SQL standard authorizer restricts which configuration properties a session may change with SET, so your hive-site.xml must also whitelist the properties that CDAP Explore modifies at runtime. Specifically, you will need this configuration in your hive-site.xml:

Code Block
<property>
    <name>hive.security.authorization.sqlstd.confwhitelist.append</name>
    <value>explore.*|mapreduce.job.queuename|mapreduce.job.complete.cancel.delegation.tokens|spark.hadoop.mapreduce.job.complete.cancel.delegation.tokens|mapreduce.job.credentials.binary|hive.exec.submit.local.task.via.child|hive.exec.submitviachild|hive.lock.*</value>
</property>

After adding these properties to your hive-site.xml file, restart Hive.
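As an added check (example code written here; it is not part of the CDAP documentation or the CDAP project), the script below parses hive-site.xml and core-site.xml fragments in the format used by both approaches above, reports which approach is in effect, and flags the gaps a reviewer would want caught before restarting Hive: a doAs setup with no proxy-user groups or with wildcard groups or hosts, and an SQL-standard setup whose whitelist does not cover the properties Explore sets at runtime. The sample XML is constructed inline from the fragments on this page; the property name explore.sample.property is an assumed placeholder standing in for any CDAP explore.* property, while the other names checked are real Hive and MapReduce keys taken from the whitelist above.

```python
# Added example, not CDAP project code: a pre-restart check for the two Hive
# impersonation set-ups described above.
import re
import xml.etree.ElementTree as ET

SQLSTD_AUTHORIZER = ("org.apache.hadoop.hive.ql.security.authorization.plugin."
                     "sqlstd.SQLStdHiveAuthorizerFactory")
PROXY_AUTHENTICATOR = "org.apache.hadoop.hive.ql.security.ProxyUserAuthenticator"

# Property names an Explore session must be able to SET under SQL-standard auth.
# "explore.sample.property" is a constructed placeholder for any explore.* key;
# the others are real Hive/MapReduce keys from the whitelist on this page.
RUNTIME_PROPS = [
    "explore.sample.property",
    "mapreduce.job.queuename",
    "mapreduce.job.credentials.binary",
    "hive.lock.numretries",
]


def parse_site_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style *-site.xml."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def _is_true(value):
    return value.strip().lower() == "true"


def check_impersonation(hive_site, core_site):
    """Classify the config as 'proxy-users', 'sql-std' or 'none'; list findings."""
    findings = []
    do_as = _is_true(hive_site.get("hive.server2.enable.doAs", "false"))
    authz_mgr = hive_site.get("hive.security.authorization.manager", "")

    if do_as:
        mode = "proxy-users"
        groups = core_site.get("hadoop.proxyuser.hive.groups", "")
        hosts = core_site.get("hadoop.proxyuser.hive.hosts", "")
        if not groups:
            findings.append("core-site.xml: hadoop.proxyuser.hive.groups unset; "
                            "the hive user may not impersonate anyone")
        elif groups == "*":
            findings.append("core-site.xml: hadoop.proxyuser.hive.groups=* lets hive "
                            "impersonate every user; list the CDAP user groups")
        if not hosts:
            findings.append("core-site.xml: hadoop.proxyuser.hive.hosts unset; "
                            "proxy requests are refused from every host")
        elif hosts == "*":
            findings.append("core-site.xml: hadoop.proxyuser.hive.hosts=* allows proxying "
                            "from any host; restrict it to the HiveServer2 hosts")
    elif authz_mgr == SQLSTD_AUTHORIZER:
        mode = "sql-std"
        if not _is_true(hive_site.get("hive.security.authorization.enabled", "false")):
            findings.append("hive-site.xml: SQL standard authorizer set but "
                            "hive.security.authorization.enabled is not true")
        if hive_site.get("hive.security.authenticator.manager") != PROXY_AUTHENTICATOR:
            findings.append("hive-site.xml: hive.security.authenticator.manager is not "
                            "ProxyUserAuthenticator as the SQL-based set-up requires")
        # Hive treats the whitelist as a regex of alternatives; a name must match fully.
        append = hive_site.get("hive.security.authorization.sqlstd.confwhitelist.append", "")
        allowed = re.compile(append) if append else None
        for name in RUNTIME_PROPS:
            if allowed is None or not allowed.fullmatch(name):
                findings.append(f"hive-site.xml: confwhitelist.append does not permit SET {name}")
    else:
        mode = "none"
        findings.append("hive-site.xml: doAs is false and no SQL standard authorizer is "
                        "set; neither impersonation approach is active")
    return mode, findings


# Constructed sample inputs mirroring the fragments on this page.
HIVE_SITE_PROXY = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""

CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hive.groups</name><value>group1,group2</value></property>
  <property><name>hadoop.proxyuser.hive.hosts</name><value>*</value></property>
</configuration>"""

HIVE_SITE_SQLSTD = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.ProxyUserAuthenticator</value></property>
  <property><name>hive.security.authorization.sqlstd.confwhitelist.append</name>
    <value>explore.*|mapreduce.job.queuename|mapreduce.job.complete.cancel.delegation.tokens|spark.hadoop.mapreduce.job.complete.cancel.delegation.tokens|mapreduce.job.credentials.binary|hive.exec.submit.local.task.via.child|hive.exec.submitviachild|hive.lock.*</value></property>
</configuration>"""


def run_checks(hive_site_xml, core_site_xml):
    """Parse both documents and run the checks; returns (mode, findings)."""
    return check_impersonation(parse_site_xml(hive_site_xml), parse_site_xml(core_site_xml))


if __name__ == "__main__":
    for label, hive_xml in (("proxy users", HIVE_SITE_PROXY), ("sql-std", HIVE_SITE_SQLSTD)):
        mode, findings = run_checks(hive_xml, CORE_SITE)
        print(f"{label}: mode={mode}")
        for finding in findings:
            print("  -", finding)
```

To use it on a real cluster, read the two files from the Hive and Hadoop configuration directories and pass their contents to run_checks; the proxy-user sample deliberately reproduces the hosts wildcard from the page so that the check reports it.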

CDAP Authorization

Impersonation works together with CDAP Authorization; if authorization is enabled, it is enforced for impersonated requests as well. For details, see the sections on enabling authorization in CDAP and on managing privileges.

...