Configuring User Impersonation with Hive

Insecure Cluster

On an insecure cluster, include the following environment variable:

export MAPR_IMPERSONATION_ENABLED=true

Secure Cluster

On a secure cluster, include the following environment variables:

export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.client=true"
export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Dmapr_sec_enabled=true -Dhadoop.login=maprsasl_keytab -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dmapr.library.flatclass"
export MAPR_TICKETFILE_LOCATION=/opt/mapr/conf/mapruserticket

drill.exec: {
 cluster-id: "<drill_cluster_name>",
 zk.connect: "<hostname>:5181,<hostname>:5181,<hostname>:5181"
 impersonation: {
       enabled: true,
       max_chained_user_hops: 3
 }
}

1. Navigate to http://<drillbit_hostname>:8047, and select the Storage tab.
2. Click Update next to the hive option.
3. In the configuration window, add the required properties based on the authorization type and security scenario:

   Storage Based Authorization or No Authorization Enabled

   For a insecure cluster, add the following properties to the configuration:

   {
    type:"hive",
    enabled: true,
    configProps : {
      "hive.metastore.uris" : "thrift://<metastore_hostname>:9083",
      "fs.default.name" : "maprfs:///",
      "hive.metastore.sasl.enabled" : "false",
      "hive.server2.enable.doAs" : "true",
      "hive.metastore.execute.setugi" : "true"
    }
   }

   For a secure cluster, add the following properties to the configuration:

   {
   "type": "hive",
   "enabled": true,
   "configProps": {
     "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
     "fs.default.name": "maprfs:///",
     "hive.server2.enable.doAs": "true"
      }
   } 

   Add the following additional properties if the Hive metastore is configured with Kerberos in a secure cluster; include a comma after each line except for the last:

   "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
   "hive.metastore.sasl.enabled": "true"

   SQL Standard Based Authorization

   For an insecure cluster, add the following properties to the configuration:

   {
    type:"hive",
    enabled: true,
    configProps : {
      "hive.metastore.uris" : "thrift://<metastore_hostname>:9083",
      "fs.default.name" : "maprfs:///",
      "hive.security.authorization.enabled" : "true",
      "hive.security.authenticator.manager" : "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
      "hive.security.authorization.manager" : "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
      "hive.metastore.sasl.enabled" : "false",
      "hive.server2.enable.doAs" : "false",
      "hive.metastore.execute.setugi" : "false"
    }
   }

   For a secure cluster, add the following properties to the configuration:

   {
   "type": "hive",
   "enabled": true,
   "configProps": {
     "hive.metastore.uris": " thrift://<metastore_hostname>:9083",
     "fs.default.name": "maprfs:///",
     "hive.security.authorization.enabled": "true",
     "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
     "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
     "hive.server2.enable.doAs": "false",
     "hive.metastore.execute.setugi": "true"
    }
   }

   Add the following additional properties if the Hive metastore is configured with Kerberos in a secure cluster; include a comma after each line except for the last:

   "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
   "hive.metastore.sasl.enabled": "true"

service mapr-warden restart

clush -a "service mapr-warden restart"