Configure User Impersonation for Access to Hive
This section describes how to configure Apache Zeppelin user impersonation for Apache Hive.
User impersonation runs Hive queries under the user ID associated with the Zeppelin session.
Non-Kerberos Cluster
If Kerberos is not enabled on the cluster, complete the following steps:
- In the Zeppelin UI, navigate to the
%jdbc
section of the Interpreter page. - Click edit, then add a
hive.proxy.user.property
property and set its value tohive.server2.proxy.user
. - Click Save, then click restart to restart the JDBC interpreter.
Kerberos-enabled Cluster
If Kerberos is enabled on the cluster, enable user impersonation as follows:
To configure the %jdbc
interpreter, complete the following steps:
- In Hive configuration settings, set
hive.server2.enable.doAs
totrue
. - In the Zeppelin UI, navigate to the
%jdbc
section of the Interpreter page. - Enable authentication via the Shiro configuration: specify authorization type,
keytab, and principal.
- Set
zeppelin.jdbc.auth.type
toKERBEROS
. - Set
zeppelin.jdbc.principal
to the value of the principal. - Set
zeppelin.jdbc.keytab.location
to the keytab location.
- Set
- Set
hive.url
to the URL for HiveServer2. (On an Ambari-managed cluster you can find the URL under Hive > HiveServer2 JDBC URL.) Here is the general format:jdbc:hive2://HiveHost:10001/default;principal=hive/_HOST@HOST1.COM;hive.server2.proxy.user=testuser
The JDBC interpreter adds the user ID as a proxy user, and sends the string to HiveServer2; for example:
jdbc:hive2://dkhdp253.dk:2181,dkhdp252.dk:2181,dkhdp251.dk:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
- Add a
hive.proxy.user.property
property and set its value tohive.server2.proxy.user
. - Click Save, then click restart to restart the interpreter.
For information about authenticating Zeppelin users through Active Directory or LDAP, see "Configuring Zeppelin Security" in this guide.