Configuring Impala Delegation for Clients

When users submit Impala queries through a separate client application, such as Hue or a business intelligence tool, typically all requests are treated as coming from the same user. In Impala 1.2 and higher, Impala supports "delegation" where users whose names you specify can delegate the execution of a query to another user. The query runs with the privileges of the delegated user, not the original authenticated user.

Starting in Impala 3.1 and higher, you can delegate using groups. Instead of listing a large number of delegated users, you can create a group of those users and specify the delegated group name in the impalad startup option. The client sends the delegated user name, and Impala performs an authorization to see if the delegated user belongs to a delegated group.

The name of the delegated user is passed using the HiveServer2 protocol configuration property impala.doas.user when the client connects to Impala.

Currently, the delegation feature is available only for Impala queries submitted through application interfaces such as Hue and BI tools. For example, Impala cannot issue queries using the privileges of the HDFS user.

Attention:

The delegation feature is enabled by the startup options for impalad: ‑‑authorized_proxy_user_config and ‑‑authorized_proxy_group_config.

The syntax for the options are:

‑‑authorized_proxy_user_config=authenticated_user1=delegated_user1,delegated_user2,...;authenticated_user2=...
‑‑authorized_proxy_group_config=authenticated_user1=delegated_group1,delegated_group2,...;authenticated_user2=...

When you start Impala with the ‑‑authorized_proxy_user_config=authenticated_user=delegated_user or ‑‑authorized_proxy_group_config=authenticated_user=delegated_group option:

The user or group delegation process works as follows:
  1. The impalad daemon starts with one of the following options:
    • ‑‑authorized_proxy_user_config=authenticated_user=delegated_user
    • ‑‑authorized_proxy_group_config=authenticated_user=delegated_group
  2. A client connects to Impala via the HiveServer2 protocol with the impala.doas.user configuration property, e.g. connected user is authenticated_user with impala.doas.user=delegated_user.
  3. The client user authenticated_user sends a request to Impala as the delegated user delegated_user.
  4. Impala checks authorization:
    • In user delegation, Impala checks if delegated_user is in the list of authorized delegate users for the user authenticated_user.
    • In group delegate, Impala checks if delegated_user belongs to one of the delegated groups for the user authenticated_user, delegated_group in this example.
  5. If the user is an authorized delegated user for authenticated_user, the request is executed as the delegate user delegated_user.

See Modifying Impala Startup Options for details about adding or changing impalad startup options.

See this blog post for background information about the delegation capability in HiveServer2.

To set up authentication for the delegated users: