Configuring Impala Delegation for Hue and BI Tools

When users submit Impala queries through a separate application, such as Hue or a business intelligence tool, typically all requests are treated as coming from the same user. In Impala 1.2 and higher, Impala supports "delegation" where users whose names you specify can delegate the execution of a query to another user. The query runs with the privileges of the delegated user, not the original authenticated user.

The name of the delegated user is passed using the HiveServer2 protocol configuration property impala.doas.user when the client connects to Impala.

Currently, the delegation feature is available only for Impala queries submitted through application interfaces such as Hue and BI tools. For example, Impala cannot issue queries using the privileges of the HDFS user.

The delegation feature is enabled by the startup option for impalad: --authorized_proxy_user_config.

The syntax for the option is:

--authorized_proxy_user_config=authenticated_user1=delegated_user1,delegated_user2,...;authenticated_user2=...
  • The list of authorized users are delimited with ;
  • The list of delegated users are delimited with , by default.
  • Use the --authorized_proxy_user_config_delimiter startup option to override the default user delimiter (the comma character) to another character.
  • Wildcard (*) is supported to delegated to any users, e.g. --authorized_proxy_user_config=hue=*. Make sure to use single quotes or escape characters to ensure that any * characters do not undergo wildcard expansion when specified in command-line arguments.

When you start Impala with the --authorized_proxy_user_config=authenticated_user=delegated_user option:

  • Authentication is based on the user on the left hand side (authenticated_user).
  • Authorization is based on the right hand side user(s) (delegated_user).
  • When opening a client connection, the client must provide a delegated username via the HiveServer2 protocol property,impala.doas.user or DelegationUID.
  • It is not necessary for authenticated_user to have the permission to access/edit files.
  • It is not necessary for the delegated users to have access to the service via Kerberos.
  • delegated_user must exist in the OS.
  • In Impala, user() returns authenticated_user and effective_user() returns the delegated user that the client specified.
The user delegation process works as follows:
  1. The Impalad daemon starts with the following option:
    • --authorized_proxy_user_config=authenticated_user=delegated_user
  2. A client connects to Impala via the HiveServer2 protocol with the impala.doas.user configuration property, e.g. connected user is authenticated_user with impala.doas.user=delegated_user.
  3. The client user authenticated_user sends a request to Impala as the delegated user delegated_user.
  4. Impala checks if delegated_user is in the list of authorized delegate users for the user authenticated_user.
  5. If the user is an authorized delegated user for authenticated_user, the request is executed as the delegate user delegated_user.

See Modifying Impala Startup Options for details about adding or changing impalad startup options.

See this blog post for background information about the delegation capability in HiveServer2.

To set up authentication for the delegated users:

Enabling Delegation in Cloudera Manager

To enable delegation in Cloudera Manager:
  1. Navigate to Clusters > Impala > Configuration > Policy File-Based Sentry.
  2. In the Proxy User Configuration field, type the a semicolon-separated list of key=value pairs of authorized proxy users to the user(s) they can impersonate. The list of delegated users are delimited with a comma, e.g. hue=user1, user2.
  3. Click Save Changes and then restart Impala service.