Configuring Impala Delegation for Hue and BI Tools
When users submit Impala queries through a separate application, such as Hue or a business intelligence tool, typically all requests are treated as coming from the same user. In Impala 1.2 and higher,,Impala supports applications to pass along credentials for the users that connect to them, known as "delegation", and to issue Impala queries with the privileges for those users. Currently, the delegation feature is available only for Impala queries submitted through application interfaces such as Hue and BI tools; for example, Impala cannot issue queries using the privileges of the HDFS user.
The delegation feature is enabled by a startup option for impalad: --authorized_proxy_user_config. When you specify this option, users whose names you specify (such as hue) can delegate the execution of a query to another user. The query runs with the privileges of the delegated user, not the original user such as hue. The name of the delegated user is passed using the HiveServer2 configuration property impala.doas.user.
You can specify a list of users that the application user can delegate to, or * to allow a superuser to delegate to any other user. For example:
impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...
See Modifying Impala Startup Options for details about adding or changing impalad startup options. See this Cloudera blog post for background information about the delegation capability in HiveServer2.
To set up authentication for the delegated users:
On the server side, configure either user/password authentication through LDAP, or Kerberos authentication, for all the delegated users. See Enabling LDAP Authentication for Impala or Enabling Kerberos Authentication for Impala for details.
On the client side, follow the instructions in the "Using User Name and Password" section in the ODBC driver installation guide. Then search for "delegation" in that same installation guide to learn about the Delegation UID field and DelegationUID configuration keyword to enable the delegation feature for ODBC-based BI tools.
Enabling Delegation in Cloudera Manager
- Navigate to Clusters > Impala > Configuration > Policy File-Based Sentry.
- In the Proxy User Configuration field, type the a semicolon-separated list of key=value pairs of authorized proxy users to the user(s) they can impersonate. The list of delegated users are delimited with a comma, e.g. hue=user1, user2.
- Click Save Changes and then restart Impala service.