Repository: impala
Updated Branches:
  refs/heads/master 1ca077fd0 -> 2362b672c

[DOCS] Sentry is required for Impala to enable delegation

Change-Id: I002d3d33eee6a9b9336f21c81a4de75ed3bd5efb
Reviewed-on: http://gerrit.cloudera.org:8080/10451
Reviewed-by: Sailesh Mukil <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>

Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/a22ee641
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/a22ee641
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/a22ee641

Branch: refs/heads/master
Commit: a22ee6419c4fa1ed7dfb04ca9930f1e791a85411
Parents: 1ca077f
Author: Alex Rodoni <[email protected]>
Authored: Fri May 18 12:24:02 2018 -0700
Committer: Impala Public Jenkins <[email protected]>
Committed: Thu May 24 18:26:27 2018 +0000

----------------------------------------------------------------------
 docs/topics/impala_delegation.xml | 93 +++++++++++++++-------------------
 1 file changed, 42 insertions(+), 51 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/impala/blob/a22ee641/docs/topics/impala_delegation.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_delegation.xml b/docs/topics/impala_delegation.xml index 73ae658..c524bf5 100644 --- a/docs/topics/impala_delegation.xml +++ b/docs/topics/impala_delegation.xml 
@@ -36,67 +36,58 @@ under the License. </prolog> <conbody> - <p> -<!-- + <!-- When users connect to Impala directly through the <cmdname>impala-shell</cmdname> interpreter, the Sentry authorization framework determines what actions they can take and what data they can see. --> - When users submit Impala queries through a separate application, such as Hue or a business intelligence tool, - typically all requests are treated as coming from the same user. In Impala 1.2 and higher, authentication is - extended by a new feature that allows applications to pass along credentials for the users that connect to - them (known as <q>delegation</q>), and issue Impala queries with the privileges for those users. Currently, - the delegation feature is available only for Impala queries submitted through application interfaces such as - Hue and BI tools; for example, Impala cannot issue queries using the privileges of the HDFS user. - </p> - - <p> - The delegation feature is enabled by a startup option for <cmdname>impalad</cmdname>: - <codeph>--authorized_proxy_user_config</codeph>. When you specify this option, users whose names you specify - (such as <codeph>hue</codeph>) can delegate the execution of a query to another user. The query runs with the - privileges of the delegated user, not the original user such as <codeph>hue</codeph>. The name of the - delegated user is passed using the HiveServer2 configuration property <codeph>impala.doas.user</codeph>. - </p> - - <p> - You can specify a list of users that the application user can delegate to, or <codeph>*</codeph> to allow a - superuser to delegate to any other user. For example: - </p> - -<codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock> - - <note> - Make sure to use single quotes or escape characters to ensure that any <codeph>*</codeph> characters do not - undergo wildcard expansion when specified in command-line arguments. 
- </note> - - <p> - See <xref href="impala_config_options.xml#config_options"/> for details about adding or changing - <cmdname>impalad</cmdname> startup options. See - <xref keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive">this - blog post</xref> for background information about the delegation capability in HiveServer2. - </p> - <p> - To set up authentication for the delegated users: - </p> - + When users submit Impala queries through a separate application, such as + Hue or a business intelligence tool, typically all requests are treated as + coming from the same user. In Impala 1.2 and higher,Impala supports + applications to pass along credentials for the users that connect to them, + known as <q>delegation</q>, and to issue Impala queries with the + privileges for those users. Currently, the delegation feature is available + only for Impala queries submitted through application interfaces such as + Hue and BI tools. For example, Impala cannot issue queries using the + privileges of the HDFS user. </p> + <note type="attention">Impala requires Apache Sentry on the cluster to + enable delegation. Without Apache Sentry installed, the delegation feature + will fail with the following error: User <i>user1</i> is not authorized to + delegate to <i>user2</i> User delegation is disabled.</note> + <p> The delegation feature is enabled by a startup option for + <cmdname>impalad</cmdname>: + <codeph>--authorized_proxy_user_config</codeph>. When you specify this + option, users whose names you specify (such as <codeph>hue</codeph>) can + delegate the execution of a query to another user. The query runs with the + privileges of the delegated user, not the original user such as + <codeph>hue</codeph>. The name of the delegated user is passed using the + HiveServer2 configuration property <codeph>impala.doas.user</codeph>. 
</p> + <p> You can specify a list of users that the application user can delegate + to, or <codeph>*</codeph> to allow a superuser to delegate to any other + user. For example: </p> + <codeblock>impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...</codeblock> + <note> Make sure to use single quotes or escape characters to ensure that + any <codeph>*</codeph> characters do not undergo wildcard expansion when + specified in command-line arguments. </note> + <p> See <xref href="impala_config_options.xml#config_options"/> for details + about adding or changing <cmdname>impalad</cmdname> startup options. See + <xref + keyref="how-hiveserver2-brings-security-and-concurrency-to-apache-hive" + >this blog post</xref> for background information about the delegation + capability in HiveServer2. </p> + <p> To set up authentication for the delegated users: </p> <ul> <li> - <p> - On the server side, configure either user/password authentication through LDAP, or Kerberos - authentication, for all the delegated users. See <xref href="impala_ldap.xml#ldap"/> or - <xref href="impala_kerberos.xml#kerberos"/> for details. - </p> + <p> On the server side, configure either user/password authentication + through LDAP, or Kerberos authentication, for all the delegated users. + See <xref href="impala_ldap.xml#ldap"/> or <xref + href="impala_kerberos.xml#kerberos"/> for details. </p> </li> - <li> - <p> - On the client side, to learn how to enable delegation, consult the documentation - for the ODBC driver you are using. - </p> + <p> On the client side, to learn how to enable delegation, consult the + documentation for the ODBC driver you are using. </p> </li> </ul> - </conbody> </concept>
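Review bot: As shown, the new text leaves the topic's XML unbalanced in three places. At the top of <conbody> the opening <p> is removed together with the old comment line, but the rewritten first paragraph still ends in </p>. In the list, the <li> in front of the client-side item is deleted while its closing </li> stays. At the end, </conbody> is dropped before </concept>. Restore those three tags so the DITA topic still parses. In the same first paragraph, "In Impala 1.2 and higher,Impala supports applications to pass along" is missing a space after the comma and would read better as "Impala allows applications to pass along". In the new attention note, the two sentences of the error message run together as plain text; putting the message in <codeph> with the user names as placeholders would make clear what the user actually sees. Since the note makes Sentry a prerequisite for delegation, a cross-reference to the Sentry authorization topic would help readers who hit that error.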
