| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
| <concept rev="1.2" id="delegation"> |
| |
| <title>Configuring Impala Delegation for Hue and BI Tools</title> |
| |
| <prolog> |
| <metadata> |
| <data name="Category" value="Security"/> |
| <data name="Category" value="Impala"/> |
| <data name="Category" value="Authentication"/> |
| <data name="Category" value="Delegation"/> |
| <data name="Category" value="Hue"/> |
| <data name="Category" value="Administrators"/> |
| <data name="Category" value="Developers"/> |
| <data name="Category" value="Data Analysts"/> |
| </metadata> |
| </prolog> |
| |
| <conbody> |
| <p> |
| <!-- |
| When users connect to Impala directly through the <cmdname>impala-shell</cmdname> interpreter, the Sentry |
| authorization framework determines what actions they can take and what data they can see. |
| --> |
| When users submit Impala queries through a separate application, such as |
| Hue or a business intelligence tool, typically all requests are treated as |
| coming from the same user. In Impala 1.2 and higher,Impala supports |
| applications to pass along credentials for the users that connect to them, |
| known as <q>delegation</q>, and to issue Impala queries with the |
| privileges for those users. Currently, the delegation feature is available |
| only for Impala queries submitted through application interfaces such as |
| Hue and BI tools. For example, Impala cannot issue queries using the |
| privileges of the HDFS user. </p> |
| <note type="attention">Impala requires Apache Sentry on the cluster to |
| enable delegation. Without Apache Sentry installed, the delegation feature |
| will fail with the following error: User <i>user1</i> is not authorized to |
| delegate to <i>user2</i> User delegation is disabled.</note> |
| <p> The delegation feature is enabled by a startup option for |
| <cmdname>impalad</cmdname>: |
| <codeph>--authorized_proxy_user_config</codeph>. When you specify this |
| option, users whose names you specify (such as <codeph>hue</codeph>) can |
| delegate the execution of a query to another user. The query runs with the |
| privileges of the delegated user, not the original user such as |
| <codeph>hue</codeph>. The name of the delegated user is passed using the |
| HiveServer2 configuration property <codeph>impala.doas.user</codeph>. </p> |
| <p> You can specify a list of users that the application user can delegate |
| to, or <codeph>*</codeph> to allow a superuser to delegate to any other |
| user. For example: </p> |
| <codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock> |
| <note> Make sure to use single quotes or escape characters to ensure that |
| any <codeph>*</codeph> characters do not undergo wildcard expansion when |
| specified in command-line arguments. </note> |
| <p> See <xref href="impala_config_options.xml#config_options"/> for details |
| about adding or changing <cmdname>impalad</cmdname> startup options. See |
| <xref |
| keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive" |
| >this blog post</xref> for background information about the delegation |
| capability in HiveServer2. </p> |
| <p> To set up authentication for the delegated users: </p> |
| <ul> |
| <li> |
| <p> On the server side, configure either user/password authentication |
| through LDAP, or Kerberos authentication, for all the delegated users. |
| See <xref href="impala_ldap.xml#ldap"/> or <xref |
| href="impala_kerberos.xml#kerberos"/> for details. </p> |
| </li> |
| <li> |
| <p> On the client side, to learn how to enable delegation, consult the |
| documentation for the ODBC driver you are using. </p> |
| </li> |
| </ul> |
| </conbody> |
| |
| </concept> |