Enable Drill Impersonation with Hive

About this task

To configure Drill impersonation to work with Hive impersonation in a secure or insecure MapR cluster:

  1. Modify the drill-env.sh and drill-override.conf files on each Drill node.
  2. Update the Hive storage plugin configuration in Drill.
  3. Restart Warden.

Prerequisites

The configurations described in this document have the following dependencies:

Procedure

  1. Modify <DRILL_HOME>/conf/drill-env.sh to include the required environment variables on each Drill node.
    • In an insecure cluster, include the following environment variable:
      export MAPR_IMPERSONATION_ENABLED=true 
    • In a secure cluster, include the following environment variables:
      export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.client=true"
      export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Dmapr_sec_enabled=true -Dhadoop.login=maprsasl_keytab -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dmapr.library.flatclass"
      export MAPR_TICKETFILE_LOCATION=/opt/mapr/conf/mapruserticket
  2. Modify the <DRILL_HOME>/conf/drill-override.conf file on each Drill node (in secure and insecure clusters) to enable impersonation in Drill and to set the maximum number of chained user hops that Drill allows. Add the following configuration properties to the drill.exec block in drill-override.conf:
    drill.exec: {
     cluster-id: "<drill_cluster_name>",
     zk.connect: "<hostname>:5181,<hostname>:5181,<hostname>:5181",
     impersonation: {
           enabled: true,
           max_chained_user_hops: 3
     }
    }
  3. Modify the Hive storage plugin configuration in the Drill Web UI based on the authorization and security scenario for the cluster. You can only access the Drill Web UI for a running Drillbit.
    Complete the following steps to modify the Hive storage plugin configuration:
    1. Navigate to http://<drillbit_hostname>:8047, and select the Storage tab.
    2. Click Update next to the hive option.
    3. In the configuration window, add the required properties based on the authorization type and security scenario:
      • Storage Based Authorization or No Authorization Enabled:
        • Add the following properties to the configuration:
          {
          "type": "hive",
          "enabled": true,
          "configProps": {
            "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
            "fs.default.name": "maprfs:///",
            "hive.server2.enable.doAs": "true"
             }
          }
        • Add the following additional properties if the Hive metastore is configured with Kerberos; include a comma after each line except for the last:
          "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>",
          "hive.metastore.sasl.enabled": "true"
      • SQL Standard Based Authorization:
        • Add the following properties to the configuration:
          {
          "type": "hive",
          "enabled": true,
          "configProps": {
            "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
            "fs.default.name": "maprfs:///",
            "hive.security.authorization.enabled": "true",
            "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
            "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
            "hive.server2.enable.doAs": "false",
            "hive.metastore.execute.setugi": "true"
           }
          }
        • Add the following additional properties if the Hive metastore is configured with Kerberos; include a comma after each line except for the last:
          "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>",
          "hive.metastore.sasl.enabled": "true"
  4. Issue the following command on all nodes to restart the Warden service:
    clush -a "service mapr-warden restart"
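
An added example (not part of the original page or of MapR's tooling): a small Python check that a Hive storage plugin configuration, as pasted into the Drill Web UI in step 3, is valid JSON and carries the property values the procedure gives for the chosen scenario. The function name, the mode labels "storage" and "sqlstd", and the sample hostname are assumptions made for illustration.

```python
import json

# Values step 3 gives for each scenario (all configProps values are strings).
REQUIRED = {
    "storage": {"hive.server2.enable.doAs": "true"},
    "sqlstd": {
        "hive.security.authorization.enabled": "true",
        "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
        "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
        "hive.server2.enable.doAs": "false",
        "hive.metastore.execute.setugi": "true",
    },
}
KERBEROS = {"hive.metastore.sasl.enabled": "true"}


def check_hive_plugin(text, mode, kerberos=False):
    """Return findings for a Hive storage plugin JSON document (hypothetical helper)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a missing comma between properties
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    props = cfg.get("configProps") if isinstance(cfg, dict) else None
    if not isinstance(props, dict):
        return ["configProps: missing or not an object"]
    findings = []
    for key, value in props.items():
        if isinstance(value, str) and value != value.strip():
            findings.append(f"{key}: value has leading or trailing whitespace")
    if not str(props.get("hive.metastore.uris", "")).strip().startswith("thrift://"):
        findings.append("hive.metastore.uris: expected a thrift:// URI")
    # Compare against the scenario's values, plus the Kerberos additions if used.
    expected = {**REQUIRED[mode], **(KERBEROS if kerberos else {})}
    for key, want in expected.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {props.get(key)!r}")
    if kerberos and not props.get("hive.metastore.kerberos.principal"):
        findings.append("hive.metastore.kerberos.principal: missing")
    return findings


# Constructed sample: SQL-standard scenario, doAs left at "true", stray space in the URI.
SAMPLE = json.dumps({"type": "hive", "enabled": True, "configProps": {
    **REQUIRED["sqlstd"], "fs.default.name": "maprfs:///",
    "hive.metastore.uris": " thrift://metastore.example:9083",  # placeholder host
    "hive.server2.enable.doAs": "true"}})

if __name__ == "__main__":
    for finding in check_hive_plugin(SAMPLE, "sqlstd"):
        print(finding)
```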