Support Questions

Impersonation is a key concept throughout the Hadoop ecosystem.

Impersonation grants a user (also known as a SuperUser or ProxyUser) right to access Hadoop user is granted on behalf of other users. It's similar to the idea of 'sudo' within Linux.

To enable it you set the 'proxyuser' setting based on the user the service is running as, the groups or users you want it to be able to act on behalf of, and the hosts it should be able to do that from.

For example, for Ambari Views with:

• Ambari running as the user 'root' (which is the default)
• Wanting to allow Ambari to act on behalf of users in the groups 'users', 'hive-users' (just an example as you may have similar groups in LDAP)
• Ambari hostname of 'ambarihost.domain.local'

You would set this in 'HDFS -> core-site' from Ambari:

hadoop.proxyuser.root.groups=users,hive-users
hadoop.proxyuser.root.hosts=ambarihost.domain.local

More detail is available in the documentation:

• Apache Hadoop: Proxy user - Superusers Acting On Behalf Of Other Users
• Apache Oozie: User ProxyUser Configuration
• Apache YARN: yarn-site
  • yarn.resourcemanager.webapp.proxyuser.USERNAME.groups
  • yarn.resourcemanager.webapp.proxyuser.USERNAME.hosts

@Matt Carter just a bump to confirm if one of these answers worked, or reply to them for clarification.

@Sean Roberts

Want to understand the impersonation configuration better. The problem is that it is not clear what is impersonating what. For example, when trying to access the Hive view as an admin user failed with "User: hive is not allowed to impersonate user admin". So, by extension, it would seem logical that we introduce another proxy variables hadoop.proxyuser.hive.groups & hosts, but what is the group that the hive user needs? Is that information available in the stack trace?

Is there a diagram of the view services that maps out the impersonation and user attributes in play?