docs/topics/impala_delegation.xml - impala - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
 <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
 <concept rev="1.2" id="delegation">

   <title>Configuring Impala Delegation for Hue and BI Tools</title>

   <prolog>
     <metadata>
       <data name="Category" value="Security"/>
       <data name="Category" value="Impala"/>
       <data name="Category" value="Authentication"/>
       <data name="Category" value="Delegation"/>
       <data name="Category" value="Hue"/>
       <data name="Category" value="Administrators"/>
       <data name="Category" value="Developers"/>
       <data name="Category" value="Data Analysts"/>
     </metadata>
   </prolog>

   <conbody>

     <p>
 <!--
       When users connect to Impala directly through the <cmdname>impala-shell</cmdname> interpreter, the Sentry
       authorization framework determines what actions they can take and what data they can see.
 -->
       When users submit Impala queries through a separate application, such as Hue or a business intelligence tool,
       typically all requests are treated as coming from the same user. In Impala 1.2 and higher, authentication is
       extended by a new feature that allows applications to pass along credentials for the users that connect to
       them (known as <q>delegation</q>), and issue Impala queries with the privileges for those users. Currently,
       the delegation feature is available only for Impala queries submitted through application interfaces such as
       Hue and BI tools; for example, Impala cannot issue queries using the privileges of the HDFS user.
     </p>

     <p>
       The delegation feature is enabled by a startup option for <cmdname>impalad</cmdname>:
       <codeph>--authorized_proxy_user_config</codeph>. When you specify this option, users whose names you specify
       (such as <codeph>hue</codeph>) can delegate the execution of a query to another user. The query runs with the
       privileges of the delegated user, not the original user such as <codeph>hue</codeph>. The name of the
       delegated user is passed using the HiveServer2 configuration property <codeph>impala.doas.user</codeph>.
     </p>

     <p>
       You can specify a list of users that the application user can delegate to, or <codeph>*</codeph> to allow a
       superuser to delegate to any other user. For example:
     </p>

 <codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock>

     <note>
       Make sure to use single quotes or escape characters to ensure that any <codeph>*</codeph> characters do not
       undergo wildcard expansion when specified in command-line arguments.
     </note>

     <p>
       See <xref href="impala_config_options.xml#config_options"/> for details about adding or changing
       <cmdname>impalad</cmdname> startup options. See
       <xref keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive">this
       blog post</xref> for background information about the delegation capability in HiveServer2.
     </p>
     <p>
       To set up authentication for the delegated users:
     </p>

     <ul>
       <li>
         <p>
           On the server side, configure either user/password authentication through LDAP, or Kerberos
           authentication, for all the delegated users. See <xref href="impala_ldap.xml#ldap"/> or
           <xref href="impala_kerberos.xml#kerberos"/> for details.
         </p>
       </li>

       <li>
         <p>
           On the client side, to learn how to enable delegation, consult the documentation
           for the ODBC driver you are using.
         </p>
       </li>
     </ul>

   </conbody>

 </concept>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->
	<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
	<concept rev="1.2" id="delegation">

	<title>Configuring Impala Delegation for Hue and BI Tools</title>

	<prolog>
	<metadata>
	<data name="Category" value="Security"/>
	<data name="Category" value="Impala"/>
	<data name="Category" value="Authentication"/>
	<data name="Category" value="Delegation"/>
	<data name="Category" value="Hue"/>
	<data name="Category" value="Administrators"/>
	<data name="Category" value="Developers"/>
	<data name="Category" value="Data Analysts"/>
	</metadata>
	</prolog>

	<conbody>

	<p>
	<!--
	When users connect to Impala directly through the <cmdname>impala-shell</cmdname> interpreter, the Sentry
	authorization framework determines what actions they can take and what data they can see.
	-->
	When users submit Impala queries through a separate application, such as Hue or a business intelligence tool,
	typically all requests are treated as coming from the same user. In Impala 1.2 and higher, authentication is
	extended by a new feature that allows applications to pass along credentials for the users that connect to
	them (known as <q>delegation</q>), and issue Impala queries with the privileges for those users. Currently,
	the delegation feature is available only for Impala queries submitted through application interfaces such as
	Hue and BI tools; for example, Impala cannot issue queries using the privileges of the HDFS user.
	</p>

	<p>
	The delegation feature is enabled by a startup option for <cmdname>impalad</cmdname>:
	<codeph>--authorized_proxy_user_config</codeph>. When you specify this option, users whose names you specify
	(such as <codeph>hue</codeph>) can delegate the execution of a query to another user. The query runs with the
	privileges of the delegated user, not the original user such as <codeph>hue</codeph>. The name of the
	delegated user is passed using the HiveServer2 configuration property <codeph>impala.doas.user</codeph>.
	</p>

	<p>
	You can specify a list of users that the application user can delegate to, or <codeph>*</codeph> to allow a
	superuser to delegate to any other user. For example:
	</p>

	<codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock>

	<note>
	Make sure to use single quotes or escape characters to ensure that any <codeph>*</codeph> characters do not
	undergo wildcard expansion when specified in command-line arguments.
	</note>

	<p>
	See <xref href="impala_config_options.xml#config_options"/> for details about adding or changing
	<cmdname>impalad</cmdname> startup options. See
	<xref keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive">this
	blog post</xref> for background information about the delegation capability in HiveServer2.
	</p>
	<p>
	To set up authentication for the delegated users:
	</p>

	<ul>
	<li>
	<p>
	On the server side, configure either user/password authentication through LDAP, or Kerberos
	authentication, for all the delegated users. See <xref href="impala_ldap.xml#ldap"/> or
	<xref href="impala_kerberos.xml#kerberos"/> for details.
	</p>
	</li>

	<li>
	<p>
	On the client side, to learn how to enable delegation, consult the documentation
	for the ODBC driver you are using.
	</p>
	</li>
	</ul>

	</conbody>

	</concept>