jprdonnelly/impala
1
0
Fork 0
mirror of https://github.com/apache/impala.git synced 2026-01-07 09:02:19 -05:00
Code Issues Projects Releases Wiki Activity
Files
09ff2fca2ecce1544e4e589a831fcfb02edc4f13
impala/docs/topics/impala_delegation.xml
John Russell d9602df71b IMPALA-4643: [DOCS] Phase 2 of genericizing cloudera.com links 
Get rid of cloudera.com URLs within the topics/*.xml source files.

Abstract any that need to remain (e.g. blog posts) into impala_keydefs
file for easy examining and editing.

After this change, the number of source/artifact references to CDH and
Cloudera is small enough that we can enumerate exceptions and start the endgame:

Cleanup items remaining in XML source files:
grep -EiI "[^a-zA-Z]cm[^a-zA-Z]|cdh|cloudera" *.xml |
  grep -v issues.cloudera.org | wc -l
282
Cleanup items remaining in HTML output files:
grep -EiI "[^a-zA-Z]cm[^a-zA-Z]|cdh|cloudera" ../build/html/topics/*.html |
  grep -v issues.cloudera.org | wc -l
148

(These numbers will go down further when the 'installing' and 'updating'
edits land in master.)

Change-Id: I9e29c0feec7bd8e974d8a3d1eb84abe757514be7
Reviewed-on: http://gerrit.cloudera.org:8080/6345
Reviewed-by: John Russell <jrussell@cloudera.com>
Tested-by: Impala Public Jenkins
2017-03-13 23:49:56 +00:00

103 lines
4.3 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept rev="1.2" id="delegation">
<title>Configuring Impala Delegation for Hue and BI Tools</title>
<prolog>
<metadata>
<data name="Category" value="Security"/>
<data name="Category" value="Impala"/>
<data name="Category" value="Authentication"/>
<data name="Category" value="Delegation"/>
<data name="Category" value="Hue"/>
<data name="Category" value="Administrators"/>
<data name="Category" value="Developers"/>
<data name="Category" value="Data Analysts"/>
</metadata>
</prolog>
<conbody>
<p>
<!--
When users connect to Impala directly through the <cmdname>impala-shell</cmdname> interpreter, the Sentry
authorization framework determines what actions they can take and what data they can see.
-->
When users submit Impala queries through a separate application, such as Hue or a business intelligence tool,
typically all requests are treated as coming from the same user. In Impala 1.2 and higher, authentication is
extended by a new feature that allows applications to pass along credentials for the users that connect to
them (known as <q>delegation</q>), and issue Impala queries with the privileges for those users. Currently,
the delegation feature is available only for Impala queries submitted through application interfaces such as
Hue and BI tools; for example, Impala cannot issue queries using the privileges of the HDFS user.
</p>
<p>
The delegation feature is enabled by a startup option for <cmdname>impalad</cmdname>:
<codeph>--authorized_proxy_user_config</codeph>. When you specify this option, users whose names you specify
(such as <codeph>hue</codeph>) can delegate the execution of a query to another user. The query runs with the
privileges of the delegated user, not the original user such as <codeph>hue</codeph>. The name of the
delegated user is passed using the HiveServer2 configuration property <codeph>impala.doas.user</codeph>.
</p>
<p>
You can specify a list of users that the application user can delegate to, or <codeph>*</codeph> to allow a
superuser to delegate to any other user. For example:
</p>
<codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock>
<note>
Make sure to use single quotes or escape characters to ensure that any <codeph>*</codeph> characters do not
undergo wildcard expansion when specified in command-line arguments.
</note>
<p>
See <xref href="impala_config_options.xml#config_options"/> for details about adding or changing
<cmdname>impalad</cmdname> startup options. See
<xref keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive">this
blog post</xref> for background information about the delegation capability in HiveServer2.
</p>
<p>
To set up authentication for the delegated users:
</p>
<ul>
<li>
<p>
On the server side, configure either user/password authentication through LDAP, or Kerberos
authentication, for all the delegated users. See <xref href="impala_ldap.xml#ldap"/> or
<xref href="impala_kerberos.xml#kerberos"/> for details.
</p>
</li>
<li>
<p>
On the client side, to learn how to enable delegation, consult the documentation
for the ODBC driver you are using.
</p>
</li>
</ul>
</conbody>
</concept>
Reference in New Issue View Git Blame Copy Permalink