Enable User Impersonation
On non-secure clusters
Procedure
-
Set the following properties in the
/opt/mapr/hive/<version>/conf/hive-site.xml
file on the nodes where HiveServer2 is installed:<property> <name>hive.server2.enable.doAs</name> <value>true</value> <description>Set this property to enable impersonation in Hive Server 2</description> </property> <property> <name>hive.metastore.execute.setugi</name> <value>true</value> <description>Set this property to enable Hive Metastore service impersonation in non-secure mode. In non-secure mode, setting this property to true will cause the metastore to execute DFS operations using the client's reported user and group permissions. Note that this property must be set on both the client and server sides. If the client sets it to true and the server sets it to false, the client setting will be ignored.</description> </property>
-
Set the following property
/opt/mapr/hive/<version>/conf/hive-site.xml
file on the nodes where Hive Metastore is installed:<property> <name>hive.metastore.execute.setugi</name> <value>true</value> <description>Set this property to enable Hive Metastore service impersonation in non-secure mode. In non-secure mode, setting this property to true will cause the metastore to execute DFS operations using the client's reported user and group permissions. Note that this property must be set on both the client and server sides. If the client sets it to true and the server sets it to false, the client setting will be ignored.</description> </property>
On secure (MAPR-SASL and Kerberos) clusters
Procedure
-
Set the following properties in the
/opt/mapr/hive/<version>/conf/hive-site.xml
file on the nodes where HiveServer2 is installed:<property> <name>hive.server2.enable.doAs</name> <value>true</value> <description>Set this property to enable impersonation in Hive Server 2</description> </property> <property> <name>hive.metastore.execute.setugi</name> <value>false</value> <description>Set this property to enable Hive Metastore service impersonation in non-secure mode. In non-secure mode, setting this property to true will cause the metastore to execute DFS operations using the client's reported user and group permissions. Note that this property must be set on both the client and server sides. If the client sets it to true and the server sets it to false, the client setting will be ignored.</description> </property>
-
Set the following property
/opt/mapr/hive/<version>/conf/hive-site.xml
file on the nodes where Hive Metastore is installed:<property> <name>hive.metastore.execute.setugi</name> <value>false</value> <description>Set this property to enable Hive Metastore service impersonation in non-secure mode. In non-secure mode, setting this property to true will cause the metastore to execute DFS operations using the client's reported user and group permissions. Note that this property must be set on both the client and server sides. If the client sets it to true and the server sets it to false, the client setting will be ignored.</description> </property>
NOTEThehive.metastore.execute.setugi
property is set to false automatically after/opt/mapr/server/configure.sh -R
is running.
On both secure and non-secure clusters
Procedure
On nodes where the Resource Manager and the Node Manager are
installed, set the following properties in the
/opt/mapr/hadoop/hadoop-<version>/etc/hadoop/core-site.xml
file:
<property>
<name>hadoop.proxyuser.mapr.groups</name>
<value>*</value>
<description>Allow the superuser mapr to impersonate any member of any group</description>
</property>
<property>
<name>hadoop.proxyuser.mapr.hosts</name>
<value>*</value>
<description>The superuser can connect from any host to impersonate a user</description>
</property>
Results
WARNING
The impersonated user must have write permissions to
/user/hive/warehouse
and /user/mapr-user/tmp/hive
directories.