Support Questions
Find answers, ask questions, and share your expertise

Does Impala support Impersonation?

Solved Go to solution

Does Impala support Impersonation?

Explorer

Hi Guys,

 

I have set --authorized_proxy_user_config for required user and connecting impala using hive-jdbc url with impala.doas.user for proxy authentication but unable get expected results(getting kerberos principal user databases/results instead of proxy user databases/results). Getting same results with beeline and Java code using hive & impala drivers also.

 

Cluster enabled with Kerberos & Sentry & SSL & HDFS Encryption.

 

Please do let me know Impala does support Impersonation or not?

 

Thanks,

Ram G

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Does Impala support Impersonation?

Guru
No, Impala currently does not support Impersonation.

View solution in original post

8 REPLIES 8

Re: Does Impala support Impersonation?

Guru
No, Impala currently does not support Impersonation.

View solution in original post

Re: Does Impala support Impersonation?

Explorer

Thanks Eric for the confirmation.

 

Is there any timeline for support this?

 

Regards,

RamG

Re: Does Impala support Impersonation?

Re: Does Impala support Impersonation?

Guru
Hi Romain,

I think that's Hue specific setting, not Impala. The goal is to impersonate at Hue level, so instead of using "hue" to connect to Impala, it can impersonate as end user. But at impala side, query still run using "impala" user behind the scene.

There are discussions here about impersonation in Impala:
https://groups.google.com/a/cloudera.org/forum/#!topic/impala-user/2VBYXNS4ixw

Specifically:

>>> We do not plan to implement HDFS impersonation and recommend against using it for Hive as well given it's less secure and is incompatible with a fine-grained authorization.

Re: Does Impala support Impersonation?

Explorer

Thank you Eric!

Re: Does Impala support Impersonation?

Explorer

@RamG 

@EricL 

https://docs.cloudera.com/documentation/enterprise/latest/topics/impala_delegation.html

according to the link above Impala supports impersonation, however the client should to be using HiveServer2, not JDBC

Re: Does Impala support Impersonation?

@PyMeH that's not right. The Impala JDBC driver does use the HS2 protocol - JDBC is the java language interface and HS2 is the client-server network protocol.

 

You should be able to use impersonation with JDBC. You'd need to configure Impala to allow a particular user to delegate - https://docs.cloudera.com/documentation/enterprise/latest/topics/impala_delegation.html


Then there is a DelegationUID option for the driver that I believe specifies the user to delegate to - https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/latest/Cloudera-JDBC-Driver-for...

Re: Does Impala support Impersonation?

Explorer

@Tim Armstrong any hints how to configure the JDBC connection to use impersonation?

Assuming I use the recommended Cloudera drivers, can you send a code snippet that invokes a simple SQL query on behalf of some user

Thanks!