Configuring User Impersonation for Access to Hive
User impersonation runs Hive queries under the user ID associated with the Zeppelin session.
If Kerberos is not enabled on the cluster, complete the following steps:
In the Zeppelin UI, navigate to the
%jdbcsection of the Interpreter page.Click edit, then add a
hive.proxy.user.propertyproperty and set its value tohive.server2.proxy.user.Click Save, then click restart to restart the JDBC interpreter.
If Kerberos is enabled on the cluster, enable user impersonation as follows:
To configure the %jdbc interpreter, complete the following steps:
In Hive configuration settings, set
hive.server2.enable.doAstotrue.In the Zeppelin UI, navigate to the
%jdbcsection of the Interpreter page.Enable authentication via the Shiro configuration: specify authorization type, keytab, and principal.
Set
zeppelin.jdbc.auth.typetoKERBEROS.Set
zeppelin.jdbc.principalto the value of the principal.Set
zeppelin.jdbc.keytab.locationto the keytab location.
Set
hive.urlto the URL for HiveServer2. (On an Ambari-managed cluster you can find the URL under Hive > HiveServer2 JDBC URL.) Here is the general format:jdbc:hive2://HiveHost:10001/default;principal=hive/_HOST@HOST1.COM;hive.server2.proxy.user=testuser
The JDBC interpreter adds the user ID as a proxy user, and sends the string to HiveServer2; for example:
jdbc:hive2://dkhdp253.dk:2181,dkhdp252.dk:2181,dkhdp251.dk:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
Add a
hive.proxy.user.propertyproperty and set its value tohive.server2.proxy.user.Click Save, then click restart to restart the interpreter.
For information about authenticating Zeppelin users through Active Directory or LDAP, see Configuring Zeppelin Security.