Configuring User Impersonation with Hive

Step 1: Modify drill-env.sh

Modify <DRILL_HOME>/conf/drill-env.sh to include the required environment variables on each Drill node.

Insecure Cluster

On an insecure cluster, include the following environment variable:

export MAPR_IMPERSONATION_ENABLED=true

Secure Cluster

On a secure cluster, include the following environment variables:

export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.client=true"
export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Dmapr_sec_enabled=true -Dhadoop.login=maprsasl_keytab -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dmapr.library.flatclass"
export MAPR_TICKETFILE_LOCATION=/opt/mapr/conf/mapruserticket

Step 2: Modify drill-override.conf

For secure and inecure clusters, modify <DRILL_HOME>/conf/drill-override.conf on each Drill node to enable impersonation in Drill, and set the maximum number of chained user hops that Drill allows.

Add the following configuration properties to the drill.exec block in drill-override.conf:

drill.exec: {
 cluster-id: "<drill_cluster_name>",
 zk.connect: "<hostname>:5181,<hostname>:5181,<hostname>:5181"
 impersonation: {
       enabled: true,
       max_chained_user_hops: 3
 }
}

Step 3: Modify the Hive Storage Plugin in Drill

Modify the Hive storage plugin configuration in the Drill Web UI based on the authorization and security scenario for the cluster. You can only access the Drill Web UI for a running Drillbit.

Complete the following steps to modify the Hive storage plugin configuration:

Navigate to http://<drillbit_hostname>:8047, and select the Storage tab.
Click Update next to the hive option.

In the configuration window, add the required properties based on the authorization type and security scenario:

Storage Based Authorization or No Authorization Enabled

For a insecure cluster, add the following properties to the configuration:

{
 type:"hive",
 enabled: true,
 configProps : {
   "hive.metastore.uris" : "thrift://<metastore_hostname>:9083",
   "fs.default.name" : "maprfs:///",
   "hive.metastore.sasl.enabled" : "false",
   "hive.server2.enable.doAs" : "true",
   "hive.metastore.execute.setugi" : "true"
 }
}

For a secure cluster, add the following properties to the configuration:

{
"type": "hive",
"enabled": true,
"configProps": {
  "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
  "fs.default.name": "maprfs:///",
  "hive.server2.enable.doAs": "true"
   }
}

Add the following additional properties if the Hive metastore is configured with Kerberos in a secure cluster; include a comma after each line except for the last:

"hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
"hive.metastore.sasl.enabled": "true"

SQL Standard Based Authorization

For an insecure cluster, add the following properties to the configuration:

{
 type:"hive",
 enabled: true,
 configProps : {
   "hive.metastore.uris" : "thrift://<metastore_hostname>:9083",
   "fs.default.name" : "maprfs:///",
   "hive.security.authorization.enabled" : "true",
   "hive.security.authenticator.manager" : "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
   "hive.security.authorization.manager" : "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
   "hive.metastore.sasl.enabled" : "false",
   "hive.server2.enable.doAs" : "false",
   "hive.metastore.execute.setugi" : "false"
 }
}

For a secure cluster, add the following properties to the configuration:

{
"type": "hive",
"enabled": true,
"configProps": {
  "hive.metastore.uris": " thrift://<metastore_hostname>:9083",
  "fs.default.name": "maprfs:///",
  "hive.security.authorization.enabled": "true",
  "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
  "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
  "hive.server2.enable.doAs": "false",
  "hive.metastore.execute.setugi": "true"
 }
}

Add the following additional properties if the Hive metastore is configured with Kerberos in a secure cluster; include a comma after each line except for the last:

"hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
"hive.metastore.sasl.enabled": "true"

Step 4: Restart Warden

Run the following command on all nodes to restart the Warden service:

service mapr-warden restart

If you have clush installed, you can run the following command to restart Warden on all nodes at once:

clush -a "service mapr-warden restart"

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0