Configuring User Impersonation for Access to Hive
User impersonation runs Hive queries under the user ID associated with the Zeppelin session.
If Kerberos is not enabled on the cluster, no additional configuration steps are required.
If Kerberos is enabled on the cluster, enable user impersonation as follows:
To configure the %jdbc
interpreter, complete the following steps:
In Hive configuration settings, set
hive.server2.enable.doAs
totrue
.In the Zeppelin UI, navigate to the
%jdbc
section of the Interpreter page.Enable authentication via the Shiro configuration: specify authorization type, keytab, and principal.
Set
zeppelin.jdbc.auth.type
toKERBEROS
.Set
zeppelin.jdbc.principal
to the value of the principal.Set
zeppelin.jdbc.keytab.location
to the keytab location.
Set
hive.url
to the URL for HiveServer2. (On an Ambari-managed cluster you can find the URL under Hive > HiveServer2 JDBC URL.) Here is the general format:jdbc:hive2://HiveHost:10001/default;principal=hive/_HOST@HOST1.COM;hive.server2.proxy.user=testuser
The JDBC interpreter adds the user ID as a proxy user, and sends the string to HiveServer2; for example:
jdbc:hive2://dkhdp253.dk:2181,dkhdp252.dk:2181,dkhdp251.dk:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
For information about authenticating Zeppelin users through Active Directory or LDAP, see Configuring Zeppelin Security.