About Release 8.0.0
This site contains documentation for HPE Data Fabric release 8.0.0, including installation, configuration, administration, and reference content, as well as content for the associated ecosystem components and drivers.
8.0.0 Installation
This section contains information about installing HPE Data Fabric software. It also contains information about how to migrate data and applications from an Apache Hadoop cluster to a HPE Ezmeral Data Fabric cluster.
8.0.0 Upgrade
This section describes how to upgrade HPE Data Fabric software.
8.0.0 Data Fabric
HPE Data Fabric is the industry-leading data platform for AI and analytics that solves enterprise business needs.
8.0.0 Administration
This section describes how to manage the nodes and services that make up a cluster.
8.0.0 Development
This section contains information related to application development for Ezmeral ecosystem components and HPE Data Fabric products, including the file system, Database (Key-Value and JSON), and Event Streams.
- Application Development Process
  Before you start developing applications on the HPE Data Fabric platform, consider how you will get the data into the platform, the storage format of the data, the type of processing or modeling that is required, and how the data will be accessed.
- File Store and Apps
  The following sections provide information about accessing the File Store with C and Java applications.
- HPE Data Fabric Database and Apps
  This section contains information about developing client applications for JSON and key-value tables.
- Apache Kafka Wire Protocol Service
  HPE Data Fabric Streams supports Apache Kafka Wire Protocol Service. Apache Kafka Wire Protocol Service is a TCP/IP service that emulates a Kafka cluster backed by HPE Data Fabric Streams. The service makes it possible for Apache Kafka clients written in any programming language to access topics in HPE Data Fabric Streams.
- Model Context Protocol (MCP)
- HPE Data Fabric Streams and Apps
  HPE Data Fabric Streams brings integrated publish and subscribe messaging to HPE Data Fabric.
- MapReduce and Apps
  This section contains information associated with developing YARN applications.
- Kubernetes Interfaces for Data Fabric
  This section describes how to leverage the capabilities of the Kubernetes Interfaces for Data Fabric.
- Ecosystem Components
  The following sections provide information about each open-source project that is supported by the HPE Data Fabric.
  - Ecosystem Packs
  - Apache Airflow
    This topic provides an overview of Apache Airflow on HPE Data Fabric.
  - AsyncHBase
  - Cascading
  - Apache Drill
    - Drill Tutorial
    - Drill-on-YARN
    - Configuring Drill
      Lists the Data Fabric specific configuration for Drill.
    - Working with Drill
    - Securing Drill
      An administrator can install Drill with the default security configuration or manually configure custom security for Drill.
      - Roles and Privileges
        Drill has USER and ADMIN roles. Each role can perform different functions in Drill.
      - Drill Default Security
        The default security configuration uses MapR-SASL (tickets) for authentication, authorization, and encryption to automatically secure the cluster and ecosystem components when you install them manually or using the Installer.
      - User Impersonation
        Impersonation allows a service to act on behalf of a client while performing the action requested by the client. By default, user impersonation is disabled in Drill. You can configure user impersonation in the /opt/mapr/drill/drill-<version>/drill-override.conf file.
        Impersonation and Views
        You can use views with impersonation to provide granular access to data and protect sensitive information.
        Chained Impersonation
        You can configure Drill to allow chained impersonation on views when you enable impersonation in the drill-override.conf file. Chained impersonation controls the number of identity transitions that Drill can make when a user queries a view. Each identity transition is equal to one hop.
        Configuring Impersonation and Chaining
        Impersonation allows a service to act on behalf of a client while performing the action requested by the client. Chaining is a system-wide setting that applies to all views. Currently, Drill does not provide an option to allow different chain lengths for different views.
        Example: Impersonation and Chaining
        This example demonstrates how to use impersonation and chaining to limit access to data. Impersonation allows a service to act on behalf of a client while performing the action requested by the client. Chaining controls the number of identity transitions that Drill can make when a user queries a view.
        User Impersonation with Hive
        Inbound Impersonation
        An administrator can define inbound impersonation policies to impersonate the end user.
        Configuring Inbound Impersonation
        Administrators can configure inbound impersonation in the drill-override.conf file.
      - Default Security (Tickets)
        Drill supports authentication and encryption through the Default (tickets) security mechanism. Authentication is the process of establishing confidence of authenticity. Encryption is the process of converting information or data from plain text into ciphertext to prevent unauthorized access. An administrator can manually configure Drill to use Default Security. When Default Security is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drillbits through Default Security.
      - Kerberos
        Drill supports Kerberos v5 network security authentication and encryption. Kerberos is a network authentication protocol built on symmetric-key cryptography. Kerberos eliminates the need to store passwords locally or send them over the network and reduces the risk of impersonation.
      - Plain Authentication
        An administrator can configure Drill to use the Linux pluggable authentication module (PAM) for Plain (username and password) authentication. PAM provides an authentication module that interfaces with any installed PAM authentication entity, such as the local operating system password file (/etc/passwd) or LDAP.
      - SSL/TLS for Encryption
        You can enable SSL for Drill in a secure cluster. SSL (Secure Sockets Layer), more recently called TLS, is a security mechanism that encrypts data passed between the Drill client and Drillbit (server). SSL also provides one-way authentication through which the Drill client verifies the identity of the Drillbit.
      - Security Between ZooKeeper and Drillbits
        When Drill is installed on clusters with the default security enabled, authentication is enabled between the Drillbits and ZooKeeper. The ZooKeeper znode information is secured automatically through authentication and znode ACLs. Communication between the Drillbits and Zookeeper is not encrypted.
      - Configuring Drill Web UI and Web API Security
        The Drill web client and web API communicate with web browsers or web tools, like curl, through the HTTP or HTTPS. Drill uses HTTP by default.
      - Configuring SSO with OpenID in Drill
        Describes the procedure to Configure SSO with OpenID in Drill.
      - SPNEGO for HTTP Authentication
        Drill 1.13 and later supports the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) to extend the Kerberos-based single sign-on authentication mechanism to HTTP. An administrator configures the web server (Drillbit) to use SPNEGO for authentication. Depending on the system, either the administrator or the user configures the client (web browser or web client tool) to use SPNEGO for authentication.
      - Using ACEs on Views to Limit Data Access
        Describes how to use access control expressions to limit data access for Views.
    - Data Fabric Drill Drivers
      HPE Data Fabric provides Drill ODBC and JDBC drivers that you can download and use to connect Drill to BI tools. The drivers are updated periodically to include support for new functionality in Drill.
    - Drill Configuration Files
      The Drill installation includes configuration files with start-up options that you can modify prior to starting Drill.
    - Mask Sensitive Data in Query Logs and Profiles
      Starting in Drill 1.20.2 (EEP 9.0.0 installed on Core 7.1.0), you can define a set of rules in a JSON file to mask sensitive data in Drill query logs and query profiles.
    - Monitoring Drill Metrics
    - Optimizing Queries with Indexes
      HPE Data Fabric Database provides a highly scalable key-value database platform on which you can run SQL queries using Drill. As a part of the 6.0 release, HPE Data Fabric Database natively supports indexes on secondary fields in JSON tables.
    - Drill Limitations
      Provides information about Drill limitations and solutions where applicable.
    - Vulnerability Reports
      Provides vulnerability information in relation to Drill.
  - Apache Flink
  - Hadoop
  - HBase
  - HBase Client and HPE Data Fabric Database Binary Tables
  - HCatalog
  - Hive
  - HttpFS
  - Hue
  - Livy
    Apache Livy is primarily used to provide integration between Hue and Spark.
  - HPE Data Fabric Streams Clients and Tools
    Describes the supported HPE Data Fabric Streams tools and clients.
  - NiFi
    This topic provides an overview of Apache NiFi on HPE Data Fabric.
  - OTel
    This topic provides an overview of OpenTelemetry on HPE Data Fabric.
  - Apache Polaris
  - Ranger
  - Apache Spark
  - YARN
  - Zeppelin
- Maven and the HPE Data Fabric
  This section discusses topics associated with Maven and the HPE Data Fabric.
- Developer's Reference
  This section contains in-depth information for the developer.
- API Documentation
  HPE Data Fabric supports public APIs for file system, HPE Data Fabric Database, and HPE Data Fabric Streams. These APIs are available for application-development purposes.
Other Docs
This section contains release-independent information, including: Installer documentation, Ecosystem release notes, interoperability matrices, security vulnerabilities, and links to other Data Fabric version documentation.
Glossary
Definitions for commonly used terms in MapR Converged Data Platform environments.

Configuring Inbound Impersonation

Administrators can configure inbound impersonation in the drill-override.conf file.

Complete the following steps to enable inbound impersonation:

If user impersonation is not enabled, you must enable it before configuring inbound impersonation. To enable user impersonation, edit /opt/mapr/drill/drill-<version>/drill-override.conf and set the option to true, as shown:
```
{
      drill.exec.impersonation.enabled: true,
      ...
      }
```

Define inbound impersonation policies. For example, the following ALTER SYSTEM statement authorizes:

puser1 to impersonate any user (use * as a wildcard character)
puser2 to impersonate euser1 and all users in egroup2

all users in pgroup3 to impersonate all users in egroup3

ALTER SYSTEM SET `exec.impersonation.inbound_policies`='[
  { proxy_principals : { users: ["puser1"] },
    target_principals: { users: ["*"] } },
  { proxy_principals : { users: ["puser2"] }, 
    target_principals: { users: ["euser1"], groups :  ["egroup2"] } },
  { proxy_principals : { groups: ["pgroup3"] },
    target_principals: { groups: ["egroup3"] } } ]';

Policy format:

{ proxy_principals : { users : ["...", "..."], groups : ["...", "..."] },
  target_principals: { users : ["...", "..."], groups : ["...", "..."] } }

Ensure that the proxy user (application) passes the username of the impersonation target user to Drill when creating a connection through the impersonation_target connection property. For example, through sqlline:
```
bin/sqlline -u "jdbc:drill:schema=dfs;zk=myclusterzk;impersonation_target=euser1" -n puser1 -p ppass1  
```

NOTE

In this example, puser1 is the user submitting the queries. This user is authenticated. Since this user is authorized to impersonate any user, queries through the established connection are run as euser1.

Partners Support Dev-Hub Community ALA Privacy Policy Glossary

HPE Data Fabric 8.0.0 Software Documentation
Abstract	This site contains documentation for HPE Data Fabric Software version 8.0.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	February 2026
Edition	8.0.0
Topic last updated	2018-09-18