Configuring Impala Delegation for Clients
When users submit Impala queries through a separate client application, such as Hue or a business intelligence tool, typically all requests are treated as coming from the same user. In Impala 1.2 and higher, Impala supports "delegation" where users whose names you specify can delegate the execution of a query to another user. The query runs with the privileges of the delegated user, not the original authenticated user.
Starting in Impala 3.1 and higher, you can
delegate using groups. Instead of listing a large number of delegated users, you can
create a group of those users and specify the delegated group name in the
impalad startup option. The client sends the delegated user name, and
Impala performs an authorization to see if the delegated user belongs to a delegated
The name of the delegated user is passed using the HiveServer2 protocol configuration
impala.doas.user when the client connects to Impala.
Currently, the delegation feature is available only for Impala queries submitted through application interfaces such as Hue and BI tools. For example, Impala cannot issue queries using the privileges of the HDFS user.
- When the delegation is enabled in Impala, the Impala clients should take an extra caution to prevent unauthorized access for the delegate-able users.
- Impala requires Apache Ranger on the cluster to enable delegation.
The delegation feature is enabled by the startup options for impalad:
The syntax for the options are:
The list of authorized users/groups are delimited with
The list of delegated users/groups are delimited with
‑‑authorized_proxy_user_config_delimiterstartup option to override the default user delimiter (the comma character) to another character.
‑‑authorized_proxy_group_config_delimiterstartup option to override the default group delimiter ( (the comma character) to another character.
*) is supported to delegated to any users or any groups, e.g.
‑‑authorized_proxy_group_config=hue=*. Make sure to use single quotes or escape characters to ensure that any
*characters do not undergo wildcard expansion when specified in command-line arguments.
When you start Impala with the
- Authentication is based on the user on the left hand side (authenticated_user).
- Authorization is based on the right hand side user(s) or group(s) (delegated_user, delegated_group).
When opening a client connection, the client must provide a delegated username via the
HiveServer2 protocol property,
When the client connects over HTTP, the
doAsparameter can be specified in the HTTP path, e.g.
- It is not necessary for authenticated_user to have the permission to access/edit files.
- It is not necessary for the delegated users to have access to the service via Kerberos.
- delegated_user and delegated_group must exist in the OS.
- For group delegation, use the JNI-based mapping providers for group delegation, such as JniBasedUnixGroupsMappingWithFallback and JniBasedUnixGroupsNetgroupMappingWithFallback.
ShellBasedUnixGroupsNetgroupMapping and ShellBasedUnixGroupsMapping Hadoop group mapping
providers are not supported in Impala group delegation by default. To enable them, flag
enable_shell_based_groups_mappingneeds to be enabled.
user()returns authenticated_user and
effective_user()returns the delegated user that the client specified.
impaladdaemon starts with one of the following options:
A client connects to Impala via the HiveServer2 protocol with the
impala.doas.userconfiguration property, e.g. connected user is authenticated_user with
- The client user authenticated_user sends a request to Impala as the delegated user delegated_user.
Impala checks authorization:
- In user delegation, Impala checks if delegated_user is in the list of authorized delegate users for the user authenticated_user.
- In group delegation, Impala checks if delegated_user belongs to one of the delegated groups for the user authenticated_user, delegated_group in this example.
- If the user is an authorized delegated user for authenticated_user, the request is executed as the delegate user delegated_user.
See Modifying Impala Startup Options for details about adding or changing impalad startup options.
See this blog post for background information about the delegation capability in HiveServer2.
To set up authentication for the delegated users:
On the server side, configure either user/password authentication through LDAP, or Kerberos authentication, for all the delegated users. See Enabling LDAP Authentication for Impala or Enabling Kerberos Authentication for Impala for details.
On the client side, to learn how to enable delegation, consult the documentation for the ODBC driver you are using.