Configuring User Impersonation with Hive
Complete the following steps on a secure or insecure cluster to configure user impersonation with Hive:
Step 1: Modify drill-env.sh
Modify <DRILL_HOME>/conf/drill-env.sh to include the required environment variables on each Drill node.
- Insecure Cluster
  - On an insecure cluster, include the following environment variable:
    export MAPR_IMPERSONATION_ENABLED=true
- Secure Cluster
  - On a secure cluster, include the following environment variables:
    export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.client=true"
    export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Dmapr_sec_enabled=true -Dhadoop.login=maprsasl_keytab -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dmapr.library.flatclass"
    export MAPR_TICKETFILE_LOCATION=/opt/mapr/conf/mapruserticket
Step 2: Modify drill-override.conf
For secure and insecure clusters, modify <DRILL_HOME>/conf/drill-override.conf on each Drill node to enable impersonation in Drill, and set the maximum number of chained user hops that Drill allows.
Add the following configuration properties to the drill.exec block in drill-override.conf:
drill.exec: {
  cluster-id: "<drill_cluster_name>",
  zk.connect: "<hostname>:5181,<hostname>:5181,<hostname>:5181",
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  }
}
Step 3: Modify the Hive Storage Plugin in Drill
Modify the Hive storage plugin configuration in the Drill Web UI based on the authorization and security scenario for the cluster. You can only access the Drill Web UI for a running Drillbit.
Complete the following steps to modify the Hive storage plugin configuration:
- Navigate to http://<drillbit_hostname>:8047, and select the Storage tab.
- Click Update next to the hive option.
- In the configuration window, add the required properties based on the authorization type and security scenario:
  - Storage Based Authorization or No Authorization Enabled
    - For an insecure cluster, add the following properties to the configuration:
      {
        "type": "hive",
        "enabled": true,
        "configProps": {
          "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
          "fs.default.name": "maprfs:///",
          "hive.metastore.sasl.enabled": "false",
          "hive.server2.enable.doAs": "true",
          "hive.metastore.execute.setugi": "true"
        }
      }
    - For a secure cluster, add the following properties to the configuration:
      {
        "type": "hive",
        "enabled": true,
        "configProps": {
          "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
          "fs.default.name": "maprfs:///",
          "hive.server2.enable.doAs": "true"
        }
      }
    - Add the following additional properties if the Hive metastore is configured with Kerberos in a secure cluster; include a comma after each line except for the last:
      "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
      "hive.metastore.sasl.enabled": "true"
  - SQL Standard Based Authorization
    - For an insecure cluster, add the following properties to the configuration:
      {
        "type": "hive",
        "enabled": true,
        "configProps": {
          "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
          "fs.default.name": "maprfs:///",
          "hive.security.authorization.enabled": "true",
          "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
          "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
          "hive.metastore.sasl.enabled": "false",
          "hive.server2.enable.doAs": "false",
          "hive.metastore.execute.setugi": "false"
        }
      }
    - For a secure cluster, add the following properties to the configuration:
      {
        "type": "hive",
        "enabled": true,
        "configProps": {
          "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
          "fs.default.name": "maprfs:///",
          "hive.security.authorization.enabled": "true",
          "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
          "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
          "hive.server2.enable.doAs": "false",
          "hive.metastore.execute.setugi": "true"
        }
      }
    - Add the following additional properties if the Hive metastore is configured with Kerberos in a secure cluster; include a comma after each line except for the last:
      "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
      "hive.metastore.sasl.enabled": "true"
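The property sets in Step 3 differ mainly in hive.server2.enable.doAs and hive.metastore.execute.setugi, so a plugin copied from the wrong scenario is easy to miss. The following check is an added example, not MapR or Drill code: it compares a plugin definition against the values listed above. The names audit, EXPECTED, the scenario labels "storage" and "sqlstd", the sample hostname and the "hive/" prefix test on the principal are assumptions made for the example.

```python
# Added example (not MapR/Drill code): audit a Hive storage plugin's configProps
# against the property sets listed in Step 3. All names here are hypothetical.
AUTHN = "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator"
AUTHZ = ("org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd."
         "SQLStdHiveAuthorizerFactory")
SQLSTD = {"hive.security.authorization.enabled": "true",
          "hive.security.authenticator.manager": AUTHN,
          "hive.security.authorization.manager": AUTHZ}
# (authorization type, cluster security) -> values the page lists for that case
EXPECTED = {
    ("storage", "insecure"): {"hive.metastore.sasl.enabled": "false",
                              "hive.server2.enable.doAs": "true",
                              "hive.metastore.execute.setugi": "true"},
    ("storage", "secure"): {"hive.server2.enable.doAs": "true"},
    ("sqlstd", "insecure"): {**SQLSTD, "hive.metastore.sasl.enabled": "false",
                             "hive.server2.enable.doAs": "false",
                             "hive.metastore.execute.setugi": "false"},
    ("sqlstd", "secure"): {**SQLSTD, "hive.server2.enable.doAs": "false",
                           "hive.metastore.execute.setugi": "true"},
}

def audit(plugin, auth, security, kerberos=False):
    """Return findings as strings; an empty list means the plugin matches."""
    props = plugin.get("configProps", {})
    expected = dict(EXPECTED[(auth, security)])
    findings = []
    if kerberos:  # extra properties for a Kerberos-enabled metastore
        expected["hive.metastore.sasl.enabled"] = "true"
        if not props.get("hive.metastore.kerberos.principal", "").startswith("hive/"):
            findings.append("hive.metastore.kerberos.principal: missing or not hive/...")
    for key in ("hive.metastore.uris", "fs.default.name"):
        value = props.get(key, "")
        if not value or value != value.strip():
            findings.append(f"{key}: missing or padded with whitespace")
    for key, want in expected.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {props.get(key)!r}")
    return findings

# Constructed sample: SQL standard authorization on a secure cluster, but with
# doAs left at the storage-based value and a stray space in the metastore URI.
SAMPLE = {"type": "hive", "enabled": True, "configProps": {
    **SQLSTD,
    "hive.metastore.uris": " thrift://metastore.example.internal:9083",
    "fs.default.name": "maprfs:///",
    "hive.server2.enable.doAs": "true",
    "hive.metastore.execute.setugi": "true"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "sqlstd", "secure"):
        print(finding)
```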
Step 4: Restart Warden
Run the following command on all nodes to restart the Warden service:
service mapr-warden restart
If you have clush installed, you can run the following command to restart Warden on all nodes at once:
clush -a "service mapr-warden restart"