How Impersonation Works

Describes requirements for and limitations on impersonation.

When the mapr superuser attempts to impersonate another user to the MapR-FS or MapR-DB systems:

  1. The MapR client looks for that user name in the local operating system registry.
  2. If the user name is found, MapR sends the user’s UID and GID to the server for impersonation.

    If the user name is not found in the local operating system registry, the user action is not processed.

Limitations on Impersonation

Impersonation does not work in MapR when you are accessing:

  • MapR-FS or MapR-DB through a MapR client running on Windows.
  • MapR-FS or MapR-DB, if you attempt to have any user other than the MapR superuser impersonate another user.

Core Requirements for Impersonation

Only the mapr superuser is allowed access to the MapR-FS and MapR-DB systems. Three conditions must be met for the mapr superuser to be able to impersonate another MapR user:

  1. The hadoop.proxyuser.mapr.groups and hadoop.proxyuser.mapr.hosts parameters must be set correctly in the core-site.xml file.

    See Enabling Impersonation for the mapr Superuser.

    These settings are not always required. If the MapR client accesses an ecosystem component, such as JobTracker or HiveServer2, these settings may be required. These settings are never needed when the MapR client accesses MapR-FS or MapR-DB directly. Enabling impersonation here ensures that the correct settings are in place if they are needed.

  2. The name of the MapR user that you want the mapr superuser to be able to impersonate must appear in the local operating system registry where the MapR client is running.
  3. The UID and GID of the user name under which the MapR client is running must match exactly the UID and GID for that user name on the server.
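
A preflight check for the three conditions above, as an added example (not MapR's own code or tooling). It assumes you have collected passwd-format text from the client and the server and the contents of core-site.xml; the function names, sample accounts, group and host values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROXY_KEYS = ("hadoop.proxyuser.mapr.groups", "hadoop.proxyuser.mapr.hosts")

# Constructed sample inputs (not taken from a real cluster).
CLIENT_PASSWD = "mapr:x:5000:5000::/home/mapr:/bin/bash\nalice:x:6001:6001::/home/alice:/bin/bash\n"
SERVER_PASSWD = CLIENT_PASSWD + "bob:x:6002:6002::/home/bob:/bin/bash\n"
CORE_SITE = """<configuration>
<property><name>hadoop.proxyuser.mapr.groups</name><value>analysts</value></property>
<property><name>hadoop.proxyuser.mapr.hosts</name><value>client01.example.com</value></property>
</configuration>"""

def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd-format lines; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def proxy_settings(core_site_xml):
    """Return the hadoop.proxyuser.mapr.* values present in core-site.xml text."""
    found = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in PROXY_KEYS:
            found[name] = (prop.findtext("value") or "").strip()
    return found

def check(target, client_user, client_passwd, server_passwd, core_site_xml):
    """Return a list of findings; an empty list means all three conditions hold."""
    findings = []
    client, server = parse_passwd(client_passwd), parse_passwd(server_passwd)
    settings = proxy_settings(core_site_xml)
    for key in PROXY_KEYS:                      # condition 1: proxyuser settings
        if not settings.get(key):
            findings.append(f"{key} is not set")
    if target not in client:                    # condition 2: target known on the client
        findings.append(f"{target} is not in the client registry; the action will not be processed")
    ids = client.get(client_user)               # condition 3: exact UID/GID match
    if ids is None or ids != server.get(client_user):
        findings.append(f"{client_user} UID/GID mismatch: client={ids} server={server.get(client_user)}")
    return findings

if __name__ == "__main__":
    print(check("bob", "mapr", CLIENT_PASSWD, SERVER_PASSWD, CORE_SITE))
```

Because the proxyuser settings are not needed for direct MapR-FS or MapR-DB access, treat a condition 1 finding as relevant only when the client goes through an ecosystem component.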

Component Requirements for Impersonation

Some MapR ecosystem components have additional requirements to enable impersonation.

The following components must have settings that support impersonation in the configuration files indicated, on each node where the component resides:

Application Development Requirements

You can set up impersonation in an application programmatically.