hive.server2.enable.impersonation or hive.server2.enable.doAs ?
New Contributor

Hi there,

I'm trying to wrap my head around how user impersonation/delegation works in CDH Hive. The documentation in https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hiveserver2_security.html#con... says that we turn on impersonation by setting hive.server2.enable.impersonation to true. But I searched through the Hive source code - there is no such property. I did see hive.server2.enable.doAs though.

So, my question is, what does hive.server2.enable.impersonation do? And why should this property affect how Sentry works? Wouldn't it instead be affected by hive.server2.enable.doAs? Is this a documentation bug, or am I missing something?

Hoping you can solve this mystery for me!

2 REPLIES

Re: hive.server2.enable.impersonation or hive.server2.enable.doAs ?

Champion

@dyin_here

The document that you are referring to belongs to CDH 5.15.x. I can see the 'hive.server2.enable.impersonation' configuration available up to 5.9.x, but I am not sure about the lower versions.

If you are using an older CDH version and still want to configure this option, you can use
Hive -> Configuration -> "Hive Service Advanced Configuration Snippet (Safety Valve) for hive-site.xml" to set "hive.server2.enable.impersonation"

and

Hive -> Configuration -> "Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml" to set
"hadoop.proxyuser.hive.hosts" and "hadoop.proxyuser.hive.groups"

We can use Sentry to manage the permissions for Hive, Impala and Solr at the DB level, whereas HiveServer2 impersonation will work at the file level using the HDFS permissions specified in ACL.
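An added example (not part of the original posts, and not Cloudera's or Hive's own code): a small Python audit that reads the two safety-valve snippets named in the reply above and reports which of the two impersonation property names is actually set, and whether the `hadoop.proxyuser.hive.*` values are missing or wildcarded. The sample XML, the function names and the finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DOAS = "hive.server2.enable.doAs"
IMPERSONATION = "hive.server2.enable.impersonation"
PROXY_KEYS = ("hadoop.proxyuser.hive.hosts", "hadoop.proxyuser.hive.groups")

# Constructed sample inputs (not taken from any real cluster).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.impersonation</name><value>true</value></property>
</configuration>"""
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hive.hosts</name><value>*</value></property>
</configuration>"""

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(hive_site_xml, core_site_xml):
    """Return (code, detail) findings for the impersonation-related settings."""
    hive, core = load_props(hive_site_xml), load_props(core_site_xml)
    doas, imp = hive.get(DOAS), hive.get(IMPERSONATION)
    findings = []
    if imp is not None and doas is None:
        # Only the name from the documentation is set; the other keeps its default.
        findings.append(("ONLY_IMPERSONATION_KEY", f"{IMPERSONATION}={imp}, {DOAS} unset"))
    if imp is not None and doas is not None and imp.lower() != doas.lower():
        findings.append(("KEYS_DISAGREE", f"{IMPERSONATION}={imp}, {DOAS}={doas}"))
    enabled = "true" in (str(doas).lower(), str(imp).lower())
    for key in PROXY_KEYS:
        value = core.get(key)
        if value is None and enabled:
            findings.append(("PROXYUSER_MISSING", key))   # impersonation on, no proxy rule
        elif value == "*":
            findings.append(("PROXYUSER_WILDCARD", key))  # hive may proxy from/for anyone
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_HIVE_SITE, SAMPLE_CORE_SITE):
        print(f"{code}: {detail}")
```

Running it against the exported hive-site.xml and core-site.xml of a cluster shows at a glance which property name the deployment relies on before deciding whether Sentry or HDFS permissions are doing the enforcement.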

Re: hive.server2.enable.impersonation or hive.server2.enable.doAs ?

New Contributor

Thanks @saranvisa but that didn't quite answer my question. (You told me how to configure impersonation, while I'm asking about the difference between the two properties and how come the docs mention a property that doesn't exist in code.)

As far as I can see hive.server2.enable.impersonation is not used in the code at all. See https://github.com/apache/hive/search?q=%22enable.impersonation%22&type=Code