docs/topics/impala_delegation.xml - impala - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
 <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
 <concept rev="1.2" id="delegation">

   <title>Configuring Impala Delegation for Hue and BI Tools</title>

   <prolog>
     <metadata>
       <data name="Category" value="Security"/>
       <data name="Category" value="Impala"/>
       <data name="Category" value="Authentication"/>
       <data name="Category" value="Delegation"/>
       <data name="Category" value="Hue"/>
       <data name="Category" value="Administrators"/>
       <data name="Category" value="Developers"/>
       <data name="Category" value="Data Analysts"/>
     </metadata>
   </prolog>

   <conbody>
     <p>
       <!--
       When users connect to Impala directly through the <cmdname>impala-shell</cmdname> interpreter, the Sentry
       authorization framework determines what actions they can take and what data they can see.
 -->
       When users submit Impala queries through a separate application, such as
       Hue or a business intelligence tool, typically all requests are treated as
       coming from the same user. In Impala 1.2 and higher,Impala supports
       applications to pass along credentials for the users that connect to them,
       known as <q>delegation</q>, and to issue Impala queries with the
       privileges for those users. Currently, the delegation feature is available
       only for Impala queries submitted through application interfaces such as
       Hue and BI tools. For example, Impala cannot issue queries using the
       privileges of the HDFS user. </p>
     <note type="attention">Impala requires Apache Sentry on the cluster to
       enable delegation. Without Apache Sentry installed, the delegation feature
       will fail with the following error: User <i>user1</i> is not authorized to
       delegate to <i>user2</i> User delegation is disabled.</note>
     <p> The delegation feature is enabled by a startup option for
         <cmdname>impalad</cmdname>:
         <codeph>--authorized_proxy_user_config</codeph>. When you specify this
       option, users whose names you specify (such as <codeph>hue</codeph>) can
       delegate the execution of a query to another user. The query runs with the
       privileges of the delegated user, not the original user such as
         <codeph>hue</codeph>. The name of the delegated user is passed using the
       HiveServer2 configuration property <codeph>impala.doas.user</codeph>. </p>
     <p> You can specify a list of users that the application user can delegate
       to, or <codeph>*</codeph> to allow a superuser to delegate to any other
       user. For example: </p>
     <codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock>
     <note> Make sure to use single quotes or escape characters to ensure that
       any <codeph>*</codeph> characters do not undergo wildcard expansion when
       specified in command-line arguments. </note>
     <p> See <xref href="impala_config_options.xml#config_options"/> for details
       about adding or changing <cmdname>impalad</cmdname> startup options. See
         <xref
         keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive"
         >this blog post</xref> for background information about the delegation
       capability in HiveServer2. </p>
     <p> To set up authentication for the delegated users: </p>
     <ul>
       <li>
         <p> On the server side, configure either user/password authentication
           through LDAP, or Kerberos authentication, for all the delegated users.
           See <xref href="impala_ldap.xml#ldap"/> or <xref
             href="impala_kerberos.xml#kerberos"/> for details. </p>
       </li>
       <li>
         <p> On the client side, to learn how to enable delegation, consult the
           documentation for the ODBC driver you are using. </p>
       </li>
     </ul>
   </conbody>

 </concept>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->
	<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
	<concept rev="1.2" id="delegation">

	<title>Configuring Impala Delegation for Hue and BI Tools</title>

	<prolog>
	<metadata>
	<data name="Category" value="Security"/>
	<data name="Category" value="Impala"/>
	<data name="Category" value="Authentication"/>
	<data name="Category" value="Delegation"/>
	<data name="Category" value="Hue"/>
	<data name="Category" value="Administrators"/>
	<data name="Category" value="Developers"/>
	<data name="Category" value="Data Analysts"/>
	</metadata>
	</prolog>

	<conbody>
	<p>
	<!--
	When users connect to Impala directly through the <cmdname>impala-shell</cmdname> interpreter, the Sentry
	authorization framework determines what actions they can take and what data they can see.
	-->
	When users submit Impala queries through a separate application, such as
	Hue or a business intelligence tool, typically all requests are treated as
	coming from the same user. In Impala 1.2 and higher,Impala supports
	applications to pass along credentials for the users that connect to them,
	known as <q>delegation</q>, and to issue Impala queries with the
	privileges for those users. Currently, the delegation feature is available
	only for Impala queries submitted through application interfaces such as
	Hue and BI tools. For example, Impala cannot issue queries using the
	privileges of the HDFS user. </p>
	<note type="attention">Impala requires Apache Sentry on the cluster to
	enable delegation. Without Apache Sentry installed, the delegation feature
	will fail with the following error: User <i>user1</i> is not authorized to
	delegate to <i>user2</i> User delegation is disabled.</note>
	<p> The delegation feature is enabled by a startup option for
	<cmdname>impalad</cmdname>:
	<codeph>--authorized_proxy_user_config</codeph>. When you specify this
	option, users whose names you specify (such as <codeph>hue</codeph>) can
	delegate the execution of a query to another user. The query runs with the
	privileges of the delegated user, not the original user such as
	<codeph>hue</codeph>. The name of the delegated user is passed using the
	HiveServer2 configuration property <codeph>impala.doas.user</codeph>. </p>
	<p> You can specify a list of users that the application user can delegate
	to, or <codeph>*</codeph> to allow a superuser to delegate to any other
	user. For example: </p>
	<codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock>
	<note> Make sure to use single quotes or escape characters to ensure that
	any <codeph>*</codeph> characters do not undergo wildcard expansion when
	specified in command-line arguments. </note>
	<p> See <xref href="impala_config_options.xml#config_options"/> for details
	about adding or changing <cmdname>impalad</cmdname> startup options. See
	<xref
	keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive"
	>this blog post</xref> for background information about the delegation
	capability in HiveServer2. </p>
	<p> To set up authentication for the delegated users: </p>
	<ul>
	<li>
	<p> On the server side, configure either user/password authentication
	through LDAP, or Kerberos authentication, for all the delegated users.
	See <xref href="impala_ldap.xml#ldap"/> or <xref
	href="impala_kerberos.xml#kerberos"/> for details. </p>
	</li>
	<li>
	<p> On the client side, to learn how to enable delegation, consult the
	documentation for the ODBC driver you are using. </p>
	</li>
	</ul>
	</conbody>

	</concept>