Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

What is the use of impersonation in Non-secured environment?

Solved Go to solution

What is the use of impersonation in Non-secured environment?

New Contributor

Please help in understanding how impersonation matters in non-secured i.e. Non-SSL and Non-Kerberos environment/Cluster.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: What is the use of impersonation in Non-secured environment?

@Ankita Shukla While SSL and Kerberos help address other aspects of security such as wire encryption and authentication, impersonation help in resolving a different problematic. Impersonation means performing actions on behalf of the requested user. Certain services such as Knox/Livy or Hive (when doAs=true) require to impersonate end users when performing access to resources like Yarn and HDFS. Only valid users are allowed to impersonate other users. Impersonation in hadoop is setup using hadoop.proxyuser.* configuration on core-site.xml - And only listed users in core-site.xml will be allowed to impersonate certain hosts and groups.

A common example for impersonation is Hive, when configured to run as end user instead of Hive user ( hive.server2.enable.doAs=true ) - Knox gateway and Livy are also other good examples. And there are other examples as well.

Important aspects when using impersonation are:

1) All access to underlying resources (like HDFS) will be made as end user instead of user hive. This helps when you like to perform all authorization checks on hdfs posix level.

2) Applications launched on yarn (if any) will be launched as end user instead of hive/knox/livy user. This way you can make use of capacity scheduler to map users to certain queues with different resource limitations.

73381-screen-shot-2018-05-07-at-15758-pm.png

If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

HTH

View solution in original post

1 REPLY 1
Highlighted

Re: What is the use of impersonation in Non-secured environment?

@Ankita Shukla While SSL and Kerberos help address other aspects of security such as wire encryption and authentication, impersonation help in resolving a different problematic. Impersonation means performing actions on behalf of the requested user. Certain services such as Knox/Livy or Hive (when doAs=true) require to impersonate end users when performing access to resources like Yarn and HDFS. Only valid users are allowed to impersonate other users. Impersonation in hadoop is setup using hadoop.proxyuser.* configuration on core-site.xml - And only listed users in core-site.xml will be allowed to impersonate certain hosts and groups.

A common example for impersonation is Hive, when configured to run as end user instead of Hive user ( hive.server2.enable.doAs=true ) - Knox gateway and Livy are also other good examples. And there are other examples as well.

Important aspects when using impersonation are:

1) All access to underlying resources (like HDFS) will be made as end user instead of user hive. This helps when you like to perform all authorization checks on hdfs posix level.

2) Applications launched on yarn (if any) will be launched as end user instead of hive/knox/livy user. This way you can make use of capacity scheduler to map users to certain queues with different resource limitations.

73381-screen-shot-2018-05-07-at-15758-pm.png

If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

HTH

View solution in original post

Don't have an account?
Coming from Hortonworks? Activate your account here