Support Questions

RamG · ‎05-15-2018

Hi Guys,

I have set --authorized_proxy_user_config for required user and connecting impala using hive-jdbc url with impala.doas.user for proxy authentication but unable get expected results(getting kerberos principal user databases/results instead of proxy user databases/results). Getting same results with beeline and Java code using hive & impala drivers also.

Cluster enabled with Kerberos & Sentry & SSL & HDFS Encryption.

Please do let me know Impala does support Impersonation or not?

Thanks,

Ram G

EricL · ‎05-23-2018

No, Impala currently does not support Impersonation.

View solution in original post

EricL · ‎05-23-2018

No, Impala currently does not support Impersonation.

RamG · ‎05-23-2018

Thanks Eric for the confirmation.

Is there any timeline for support this?

Regards,

RamG

Romainr · ‎09-10-2018

It somehow does, Hue is using it, e.g. https://github.com/cloudera/hue/blob/master/apps/beeswax/src/beeswax/server/hive_server2_lib.py#L592

EricL · ‎09-10-2018

Hi Romain,

I think that's Hue specific setting, not Impala. The goal is to impersonate at Hue level, so instead of using "hue" to connect to Impala, it can impersonate as end user. But at impala side, query still run using "impala" user behind the scene.

There are discussions here about impersonation in Impala:
https://groups.google.com/a/cloudera.org/forum/#!topic/impala-user/2VBYXNS4ixw

Specifically:

>>> We do not plan to implement HDFS impersonation and recommend against using it for Hive as well given it's less secure and is incompatible with a fine-grained authorization.

RamG · ‎09-11-2018

Thank you Eric!

PyMeH · ‎11-25-2020

@RamG

@EricL

https://docs.cloudera.com/documentation/enterprise/latest/topics/impala_delegation.html

according to the link above Impala supports impersonation, however the client should to be using HiveServer2, not JDBC

Tim Armstrong · ‎11-30-2020

@PyMeH that's not right. The Impala JDBC driver does use the HS2 protocol - JDBC is the java language interface and HS2 is the client-server network protocol.

You should be able to use impersonation with JDBC. You'd need to configure Impala to allow a particular user to delegate - https://docs.cloudera.com/documentation/enterprise/latest/topics/impala_delegation.html

Then there is a DelegationUID option for the driver that I believe specifies the user to delegate to - https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/latest/Cloudera-JDBC-Driver-for...

PyMeH · ‎11-30-2020

@Tim Armstrong any hints how to configure the JDBC connection to use impersonation?

Assuming I use the recommended Cloudera drivers, can you send a code snippet that invokes a simple SQL query on behalf of some user

Thanks!

Cloudera Community

Support Questions

Does Impala support Impersonation?