07-07-2018 09:52 AM - edited 07-07-2018 09:53 AM
I'm trying to wrap my head around how user impersonation/delegation works in CDH Hive. The documentation in https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hiveserver2_security.html#con... says that we turn on impersonation by setting hive.server2.enable.impersonation to true. But I searched through the Hive source code - there is no such property. I did see hive.server2.enable.doAs though.
So, my question is, what does hive.server2.enable.impersonation do? And why should this property affect how Sentry works? Wouldn't it instead be affected by hive.server2.enable.doAs? Is this a documentation bug, or am I missing something?
Hoping you can solve this mystery for me!
07-09-2018 02:10 AM
The document that you are referring to belongs to CDH 5.15.x. I can see the 'hive.server2.enable.impersonation' configuration available up to 5.9.x, but I am not sure about the lower versions.
If you are using older CDH version and still want to configure this option, you can use
Hive -> Configuration -> "Hive Service Advanced Configuration Snippet (Safety Valve) for hive-site.xml" to set "hive.server2.enable.impersonation"
Hive -> Configuration -> "Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml" to set "hadoop.proxyuser.hive.hosts" and "hadoop.proxyuser.hive.groups"
We can use Sentry to manage the permissions for Hive, Impala and Solr based on DB level, whereas HiveServer2 impersonation will work based on file level using the HDFS permissions specified in the ACL.
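An added example, not part of the original replies and not Cloudera's or Hive's own tooling: a small Python audit that reads Hadoop-style hive-site.xml and core-site.xml text and reports the impersonation-related properties named in this thread, flagging a `*` wildcard in the hadoop.proxyuser.hive.* settings. The sample XML is constructed, and the function names `parse_site_xml` and `audit` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Property names taken from the thread above.
HIVE_SITE_KEYS = ("hive.server2.enable.doAs", "hive.server2.enable.impersonation")
CORE_SITE_KEYS = ("hadoop.proxyuser.hive.hosts", "hadoop.proxyuser.hive.groups")

# Constructed sample input (not from a real cluster).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.impersonation</name><value>true</value></property>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>"""
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hive.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hive.groups</name><value>hive-users, etl</value></property>
</configuration>"""


def parse_site_xml(text):
    """Return {name: value} from <configuration> XML; in this script the last duplicate wins."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(hive_site_text, core_site_text):
    """Return a list of (property, value, note) findings for review."""
    hive, core = parse_site_xml(hive_site_text), parse_site_xml(core_site_text)
    findings = [(k, hive.get(k), "set" if k in hive else "not set") for k in HIVE_SITE_KEYS]
    flags = {hive[k].lower() for k in HIVE_SITE_KEYS if k in hive}
    if len(flags) > 1:
        # Both names are present with different values: confirm which one this Hive build reads.
        findings.append(("hive-site.xml", None, "the two impersonation flags disagree"))
    for key in CORE_SITE_KEYS:
        value = core.get(key)
        if value is None:
            note = "not set"
        elif "*" in [v.strip() for v in value.split(",")]:
            note = "wildcard: no restriction on this proxyuser setting"
        else:
            note = "restricted list"
        findings.append((key, value, note))
    return findings


if __name__ == "__main__":
    for key, value, note in audit(SAMPLE_HIVE_SITE, SAMPLE_CORE_SITE):
        print(f"{key} = {value!r}: {note}")
```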
07-09-2018 07:45 AM
Thanks @saranvisa but that didn't quite answer my question. (You told me how to configure impersonation, while I'm asking about the difference between the two properties and how come the docs mention a property that doesn't exist in code.)
As far as I can see hive.server2.enable.impersonation is not used in the code at all. See https://github.com/apache/hive/search?q=%22enable.impersonation%22&type=Code