Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Does Impala support Impersonation?

avatar
Explorer

Hi Guys,

 

I have set --authorized_proxy_user_config for required user and connecting impala using hive-jdbc url with impala.doas.user for proxy authentication but unable get expected results(getting kerberos principal user databases/results instead of proxy user databases/results). Getting same results with beeline and Java code using hive & impala drivers also.

 

Cluster enabled with Kerberos & Sentry & SSL & HDFS Encryption.

 

Please do let me know Impala does support Impersonation or not?

 

Thanks,

Ram G

1 ACCEPTED SOLUTION

avatar
Super Guru
No, Impala currently does not support Impersonation.

View solution in original post

8 REPLIES 8

avatar
Super Guru
No, Impala currently does not support Impersonation.

avatar
Explorer

Thanks Eric for the confirmation.

 

Is there any timeline for support this?

 

Regards,

RamG

avatar
Super Guru

avatar
Super Guru
Hi Romain,

I think that's Hue specific setting, not Impala. The goal is to impersonate at Hue level, so instead of using "hue" to connect to Impala, it can impersonate as end user. But at impala side, query still run using "impala" user behind the scene.

There are discussions here about impersonation in Impala:
https://groups.google.com/a/cloudera.org/forum/#!topic/impala-user/2VBYXNS4ixw

Specifically:

>>> We do not plan to implement HDFS impersonation and recommend against using it for Hive as well given it's less secure and is incompatible with a fine-grained authorization.

avatar
Explorer

Thank you Eric!

avatar
Explorer

@RamG 

@EricL 

https://docs.cloudera.com/documentation/enterprise/latest/topics/impala_delegation.html

according to the link above Impala supports impersonation, however the client should to be using HiveServer2, not JDBC

avatar

@PyMeH that's not right. The Impala JDBC driver does use the HS2 protocol - JDBC is the java language interface and HS2 is the client-server network protocol.

 

You should be able to use impersonation with JDBC. You'd need to configure Impala to allow a particular user to delegate - https://docs.cloudera.com/documentation/enterprise/latest/topics/impala_delegation.html


Then there is a DelegationUID option for the driver that I believe specifies the user to delegate to - https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/latest/Cloudera-JDBC-Driver-for...

avatar
Explorer

@Tim Armstrong any hints how to configure the JDBC connection to use impersonation?

Assuming I use the recommended Cloudera drivers, can you send a code snippet that invokes a simple SQL query on behalf of some user

Thanks!