How Impersonation Works

Introduces impersonation functionality, limitations, and core requirements.

When a user attempts to impersonate another user to the MapR-FS or MapR-DB systems and the configuration parameters for resolving the UID and GIDs on the server (see Resolving Username with UID and GIDs During Impersonation) are disabled:

The MapR client looks for that user name in the local operating system registry.
If the user name is:
- Found, MapR sends the user’s UID and GID to the server for impersonation.
- Not found in the local operating system registry, the user action is not processed.

When a user attempts to impersonate another user to the MapR-FS or MapR-DB systems and if the configuration parameters for resolving the UID and GIDs on the server (see Resolving Username with UID and GIDs During Impersonation) are enabled:

The MapR client asks CLDB to look for that user name and resolve the UID and GIDs for that user on the server.
If the user name is:
- Found on the server, the server allows the user to proceed with the impersonation.
- Not found, the user action is not processed.
NOTE: If the configuration property for resolving the username is set on the client and the configuration property for resolving the username is not set on CLDB, the operation will fail with an error.

Limitations on Impersonation

Impersonation does not work in MapR when you are accessing MapR-FS or MapR-DB through a MapR client running on Windows.

Core Requirements for Impersonation

The mapr superuser is allowed to access to the MapR-FS and MapR-DB systems. The following conditions must be met in order for the mapr superuser to be able to impersonate another MapR user:

The hadoop.proxyuser.mapr.groups andhadoop.proxyuser.mapr.hosts parameters must be set correctly in the core-site.xml file.
See Enabling Impersonation for the mapr Superuser.
These settings are not always required. The hadoop proxy user functionality is only applicable to ecosystem components included in the MapR distribution for Apache Hadoop. If the MapR client accesses an ecosystem component, such as JobTracker or HiveServer2, these settings may be required. These settings are never needed when the MapR client accesses MapR-FS or MapR-DB directly. Enabling impersonation here ensures that the correct settings are in place if they are needed.
The name of the MapR user that you want the mapr superuser to be able to impersonate must appear in the local operating system registry where the MapR client is running if server-side resolution of UID and GIDs is not enabled.
The UID and GUID of the user name under which the MapR client is running must match exactly the UID and GUID for that user name on the server.

For all other users with access to the MapR-FS and MapR-DB systems, the following conditions must be met for the user to impersonate another user.

A valid servicewithimpersonation ticket must be present for the user who intends to impersonate on the system.
The name of the MapR user to impersonate must appear in the local operating system registry where the MapR client is running if server-side resolution of UID and GIDs is not enabled.
The UID and GUID of the user name under which the MapR client is running must match exactly the UID and GUID for that user name on the server.

NOTE: If a user is not authorized to impersonate, then the operations will proceed as the user, not the target user, and some operations will succeed, and some will not even if the user has all the permissions for these operations. Also, if a user with full access and impersonating capability tries to impersonate another user, the operations will succeed only if the target user has permissions on the directory.

Component Requirements for Impersonation

Some MapR ecosystem components have additional requirements to enable impersonation.

The following components must have settings that support impersonation in the configuration files indicated, on each node where the component resides:

Drill: Edit the drill-env.sh file. See Configuring User Impersonation in the Apache Drill documentation.
Flume: Edit the flume.conf file. See Configure User Impersonation for Flume.
HBase: Edit the hbasesite.xml file. See Impersonation via the HBase REST Gateway.
HiveServer2: Edit the hive-site.xml file. See Hive User Impersonation.
Hue: Edit the hue.ini file. See Configure Hue with Impala.
Impala: Does not support impersonation.
Oozie: Edit the oozie-site.xml file. See User Impersonation for Oozie.
Spark: No special settings are required for Spark in MapReduce 2 (YARN) mode, since Spark automatically inherits the correct behavior from YARN. When running standalone, Spark cannot perform impersonation and should not be used if security is important.

Application Development Requirements

You can set up impersonation in an application programmatically.

C/C++: Use hb_connection_create_as_user(). See the “C API for impersonation” section of Creating C Apps - Binary Tables and Impersonation Example..
Java: Use UserGroupInformation.doAs(). See Class UserGroupInformation in the Hadoop documentation.