HPE Ezmeral Data Fabric 6.1.x is In Maintenance and transitions to "End of Maintenance" in June 2024. Please see the latest documentation.

About MapR 6.1
This site contains the main documentation for Version 6.1 of the MapR Converged Data Platform, including installation, configuration, administration, and reference information.
6.1 Installation
This section contains information about installing and upgrading MapR software. It also contains information about how to migrate data and applications from an Apache Hadoop cluster to a MapR cluster.
6.1 MapR Data Platform
MapR Data Platform is the industry-leading data platform for AI and analytics that solves enterprise business needs.
6.1 Administration
This section describes how to manage the nodes and services that make up a cluster.
6.1 Development
This section contains information related to application development for Ezmeral ecosystem components and MapR Data Platform products, including the file system, Database (Key-Value and JSON), and Event Streams.
- Application Development Process
  Before you start developing applications on the MapR Data Platform platform, consider how you will get the data into the platform, the storage format of the data, the type of processing or modeling that is required, and how the data will be accessed.
- MapR XD and Apps
  The following sections provide information about accessing the MapR XD with C and Java applications.
- MapR Database and Apps
  This section contains information about developing client applications for JSON and key-value tables.
- MapR Event Store For Apache Kafka and Apps
  MapR Event Store For Apache Kafka brings integrated publish and subscribe messaging to MapR Data Platform.
- MapReduce and Apps
  This section contains information associated with developing YARN applications.
- MapR Data Science Refinery
  The MapR Data Science Refinery product is an easy-to-deploy and scalable data science toolkit with native access to all platform assets and superior out-of-the-box security.
- MapR Data Fabric for Kubernetes
  This section describes how to leverage the capabilities of the MapR Data Fabric for Kubernetes.
- Ecosystem Components
  The following sections provide information about each open-source project that is supported by the MapR Data Platform.
  - Ezmeral Ecosystem Packs
  - AsyncHBase
  - Cascading
  - Apache Drill
    - Drill Tutorial
    - Drill-on-YARN
    - Configuring Drill
      Lists the MapR-specific configuration for Drill.
    - Working with Drill
    - Securing Drill
      An administrator can install Drill with the default security configuration or manually configure custom security for Drill.
      - Roles and Privileges
        Drill has USER and ADMIN roles. Each role can perform different functions in Drill.
      - Drill Default Security
        The default security configuration uses MapR-SASL (tickets) for authentication, authorization, and encryption to automatically secure the MapR cluster and ecosystem components when you install them manually or using the MapR Installer.
      - User Impersonation
        Impersonation allows a service to act on behalf of a client while performing the action requested by the client. By default, user impersonation is disabled in Drill. You can configure user impersonation in the /opt/mapr/drill/drill-<version>/drill-override.conf file.
        Impersonation and Views
        You can use views with impersonation to provide granular access to data and protect sensitive information.
        Chained Impersonation
        You can configure Drill to allow chained impersonation on views when you enable impersonation in the drill-override.conf file. Chained impersonation controls the number of identity transitions that Drill can make when a user queries a view. Each identity transition is equal to one hop.
        Configuring Impersonation and Chaining
        Impersonation allows a service to act on behalf of a client while performing the action requested by the client. Chaining is a system-wide setting that applies to all views. Currently, Drill does not provide an option to allow different chain lengths for different views.
        Example: Impersonation and Chaining
        This example demonstrates how to use impersonation and chaining to limit access to data. Impersonation allows a service to act on behalf of a client while performing the action requested by the client. Chaining controls the number of identity transitions that Drill can make when a user queries a view.
        User Impersonation with Hive
        Configuring User Impersonation with Hive
        Complete the following steps on a secure or insecure MapR cluster to configure user impersonation with Hive:
        Inbound Impersonation
        An administrator can define inbound impersonation policies to impersonate the end user.
      - MapR Security (Tickets)
        Drill supports authentication and encryption through the MapR Security (tickets) security mechanism. Authentication is the process of establishing confidence of authenticity. Encryption is the process of converting information or data from plain text into ciphertext to prevent unauthorized access. An administrator can manually configure Drill to use MapR Security. When MapR Security is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drillbits through MapR Security.
      - Kerberos
        Drill supports Kerberos v5 network security authentication and encryption. Kerberos is a network authentication protocol built on symmetric-key cryptography. Kerberos eliminates the need to store passwords locally or send them over the network and reduces the risk of impersonation.
      - Plain Authentication
        An administrator can configure Drill to use the Linux pluggable authentication module (PAM) for Plain (username and password) authentication. PAM provides an authentication module that interfaces with any installed PAM authentication entity, such as the local operating system password file (/etc/passwd) or LDAP.
      - SSL/TLS for Encryption
        You can enable SSL for Drill in a secure or unsecure cluster. SSL (Secure Sockets Layer), more recently called TLS, is a security mechanism that encrypts data passed between the Drill client and Drillbit (server). SSL also provides one-way authentication through which the Drill client verifies the identity of the Drillbit.
      - Security Between ZooKeeper and Drillbits
        When Drill is installed on clusters with the default security enabled, authentication is enabled between the Drillbits and ZooKeeper. The ZooKeeper znode information is secured automatically through authentication and znode ACLs. Communication between the Drillbits and Zookeeper is not encrypted.
      - Configuring Drill Web UI and Web API Security
        The Drill web client and web API communicate with web browsers or web tools, like curl, through the HTTP or HTTPS. Drill uses HTTP by default.
      - SPNEGO for HTTP Authentication
        Drill 1.13 and later supports the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) to extend the Kerberos-based single sign-on authentication mechanism to HTTP. An administrator configures the web server (Drillbit) to use SPNEGO for authentication. Depending on the system, either the administrator or the user configures the client (web browser or web client tool) to use SPNEGO for authentication.
      - Using ACEs on Views to Limit Data Access
        Describes how to use access control expressions to limit data access for Views.
    - Drill Drivers
      HPE Ezmeral Data Fabric provides Drill ODBC and JDBC drivers that you can download and use to connect Drill to BI tools. The drivers are updated periodically to include support for new functionality in Drill.
    - Drill Configuration Files
      The Drill installation includes configuration files with start-up options that you can modify prior to starting Drill.
    - Monitoring Drill Metrics
    - Optimizing Queries with Indexes
      MapR Database provides a highly scalable key-value database platform on which you can run SQL queries using Drill. As of the 6.0 release of the MapR Data Platform, MapR Database natively supports indexes on secondary fields in JSON tables.
    - Drill Limitations
      Provides information about Drill limitations and solutions where applicable.
    - Vulnerability Reports
      Provides vulnerability information in relation to Drill.
  - Flume
  - HBase
  - HBase Client and MapR Database Binary Tables
  - HCatalog
  - Hive
  - HttpFS
  - Hue
  - Impala
  - Livy
    Apache Livy is primarily used to provide integration between Hue and Spark.
  - MapR Event Store For Apache Kafka Clients and Tools
    Describes the supported MapR Event Store For Apache Kafka tools and clients.
  - S3 Gateway
    The S3 gateway is a service that provides an S3-compatible interface to expose data in MapR Data Platform as objects. The S3 gateway manages all inbound S3 API requests to put data into and get data out of cloud storage.
  - Myriad
  - Oozie
  - Pig
  - Sentry
  - Apache Spark
  - Sqoop
  - YARN
  - Zeppelin
- Maven and MapR
  This section discusses topics associated with Maven and MapR.
- Developer's Reference
  This section contains in-depth information for the developer.
- API Documentation
  MapR Data Platform supports public APIs for MapR File System, MapR Database, and MapR Event Store For Apache Kafka. These APIs are available for application-development purposes.
Other Docs
This section contains release-independent information, including: MapR Installer documentation, Ecosystem release notes, interoperability matrices, security vulnerabilities, and links to other MapR version documentation.
Glossary
Definitions for commonly used terms in MapR Converged Data Platform environments.

User Impersonation with Hive

You can configure Drill impersonation with Hive impersonation to authorize access to metadata in the Hive metastore repository and data in the Hive warehouse. Drill impersonation works with Hive when Hive has impersonation enabled and optionally, storage based or SQL standard based authorization enabled. Drill impersonation can also work with Hive when the Hive metastore has Kerberos enabled on a secure cluster. Currently, Drill does not support Hive configured with Sentry authorization.

Storage Based Authorization

Hive storage based authorization is a remote metastore server security feature that uses the underlying filesystem permissions to determine permissions on databases, tables, and partitions. The permissions a user or group has on directories in the filesystem determines access to data. Because the filesystem controls access at the directory and file level, storage based authorization cannot control access to data at the column or view level.

You manage user and group privileges through permissions and access controls in the distributed filesystem. DDL statements that manage permissions, such as GRANT and REVOKE, do not have any effect on permissions in the storage based authorization model.

For more information, see Storage Based Authorization in the Metastore Server.

SQL Standard Based Authorization

The SQL standard based authorization model can control which users have access to columns, rows, and views. SQL standard based authorization is configured in HiverServer2 and enforced during query processing. Users with the appropriate permissions can issue the GRANT and REVOKE statements to manage privileges from Hive.

For more information, see SQL Standard Based Hive Authorization.

Prerequisites

To configure user impersonation with Hive, the system must meet the following requirements:

MapR version 4.1 or later
Drill installed with Drillbits running as the mapr user
Supported version of Hive installed with the following:
- User impersonation enabled
- Configured Hive remote metastore repository
- (Optional) SQL standard based authorization or storage based authorization configured
  NOTE See EEP Components and OS Support for supported versions of Hive.

Configuration

Complete the steps listed in Configuring User Impersonation with Hive.