Configuring Group Impersonation in Knox

Configure group impersonation in Knox to allow users in specific groups to impersonate other users.

Knox supports group impersonation in addition to user impersonation. This feature enables users in specific groups to impersonate other users, providing greater flexibility and control in managing user impersonation.

If both user impersonation and group impersonation are configured, user impersonation takes precedence, because a rule keyed on a specific user is more specific than one keyed on a group and gives finer control.

Configure the hadoop.proxygroup.* parameters to authorize impersonation based on group membership. The parameters mirror the Hadoop hadoop.proxyuser.* convention: hadoop.proxygroup.<group>.users lists the users that members of <group> may impersonate, hadoop.proxygroup.<group>.groups lists groups whose members they may impersonate, and hadoop.proxygroup.<group>.hosts lists the hosts from which such impersonation requests are accepted.

  1. Edit your Knox topology file or shared provider configuration and add the group-based impersonation parameters to the identity-assertion provider. In the following example, members of the analysts group may impersonate the users hdfs, yarn and hive, or any member of the data-scientists and data-analysts groups, from hosts in the company.com domain:
    
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
            <param>
                <name>hadoop.proxygroup.analysts.users</name>
                <value>hdfs,yarn,hive</value>
            </param>
            <param>
                <name>hadoop.proxygroup.analysts.groups</name>
                <value>data-scientists,data-analysts</value>
            </param>
            <param>
                <name>hadoop.proxygroup.analysts.hosts</name>
                <value>*.company.com</value>
            </param>
        </provider>
                        
  2. Restart Knox to apply the configuration.

Group impersonation is now configured for your Cloudera cluster. Users who belong to the specified groups can impersonate the configured target users, subject to the host restriction. Note that the example above lets every member of analysts act as the hdfs, yarn and hive service accounts, which is effectively administrative access to those services; in production, list only the target users, target groups and source hosts that the group genuinely needs, and avoid service accounts in the users list unless that is the intent.

How it works:

  1. When a request asks to act as another user (the Hadoop-style doAs request), Knox first checks for user-specific impersonation rules by using the hadoop.proxyuser.* parameters for the authenticated user.
  2. If no user-specific rule exists, or the user-specific rule denies the request, Knox checks the group-based rules by using the hadoop.proxygroup.* parameters.
  3. Knox determines the authenticated user's group membership from the configured identity source, such as LDAP or Active Directory, and checks whether any of those groups has a rule that permits the target user from the requesting host.
  4. If the user belongs to an authorized group and the host matches, Knox forwards the request to the appropriate service, such as HDFS, YARN, or Hive, as the impersonated user.
  5. The service processes the request with the permissions of the impersonated user, so authorization in the backend service (for example HDFS permissions or Ranger policies) still applies to that identity.
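To make the precedence rules in the procedure and in "How it works" concrete, the following is an added example that is not Knox's own code: it parses an identity-assertion provider fragment like the one above (constructed inline, with one extra hadoop.proxyuser rule for a hypothetical svc-etl account) and evaluates impersonation requests the way the steps describe, user rules first and group rules as the fallback. It assumes that host patterns use shell-style wildcards (inferred from the *.company.com example), that an unset hosts list means deny, and that a literal * in the users or groups list means any, all of which mirror the Hadoop proxyuser convention rather than anything stated on this page.

```python
"""Model of Knox impersonation authorization with user-rule precedence.

Added example, not Knox's own code. Parses hadoop.proxyuser.* and
hadoop.proxygroup.* params from a provider fragment and evaluates doAs
requests. Assumptions (not from the page): hosts use shell-style globs,
a missing hosts list denies, and "*" in users/groups means any.
"""
import fnmatch
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the page's provider plus a user-level rule for a
# hypothetical svc-etl account that may only act as etl-batch from etl01.
PROVIDER_XML = """<provider>
  <role>identity-assertion</role>
  <name>Default</name>
  <enabled>true</enabled>
  <param><name>hadoop.proxyuser.svc-etl.users</name><value>etl-batch</value></param>
  <param><name>hadoop.proxyuser.svc-etl.hosts</name><value>etl01.company.com</value></param>
  <param><name>hadoop.proxygroup.analysts.users</name><value>hdfs,yarn,hive</value></param>
  <param><name>hadoop.proxygroup.analysts.groups</name><value>data-scientists,data-analysts</value></param>
  <param><name>hadoop.proxygroup.analysts.hosts</name><value>*.company.com</value></param>
</provider>"""

FIELDS = ("users", "groups", "hosts")


def parse_rules(xml_text):
    """Return {"proxyuser": {subject: {field: set}}, "proxygroup": {...}}."""
    rules = {kind: defaultdict(lambda: defaultdict(set)) for kind in ("proxyuser", "proxygroup")}
    root = ET.fromstring(xml_text.strip())
    for param in root.findall("param"):
        name = param.findtext("name", "").strip()
        value = param.findtext("value", "").strip()
        for kind in rules:
            prefix = f"hadoop.{kind}."
            if not name.startswith(prefix):
                continue
            # Split "<subject>.<field>" from the right so subjects may contain dots.
            subject, sep, field = name[len(prefix):].rpartition(".")
            if sep and subject and field in FIELDS:
                rules[kind][subject][field].update(v.strip() for v in value.split(",") if v.strip())
    return rules


def _rule_allows(rule, target_user, target_groups, client_host):
    """A rule matches when the client host is listed AND the target user is
    listed directly or belongs to a listed group (Hadoop proxyuser semantics)."""
    host_ok = any(fnmatch.fnmatch(client_host, pat) for pat in rule.get("hosts", set()))
    users, groups = rule.get("users", set()), rule.get("groups", set())
    target_ok = ("*" in users or target_user in users
                 or "*" in groups or bool(groups & set(target_groups)))
    return host_ok and target_ok


def authorize(rules, auth_user, auth_groups, target_user, target_groups, client_host):
    """Return (allowed, reason). Step 1: user-specific rule. Step 2: if it is
    absent or denies, try each group the authenticated user belongs to."""
    user_rule = rules["proxyuser"].get(auth_user)
    if user_rule and _rule_allows(user_rule, target_user, target_groups, client_host):
        return True, f"hadoop.proxyuser.{auth_user}"
    for group in auth_groups:
        group_rule = rules["proxygroup"].get(group)
        if group_rule and _rule_allows(group_rule, target_user, target_groups, client_host):
            return True, f"hadoop.proxygroup.{group}"
    return False, "no matching impersonation rule"


if __name__ == "__main__":
    rules = parse_rules(PROVIDER_XML)
    # (auth_user, auth_groups, target_user, target_groups, host)
    requests = [
        ("alice", ["analysts"], "hdfs", [], "laptop7.company.com"),      # group rule, listed user
        ("alice", ["analysts"], "bob", ["data-analysts"], "laptop7.company.com"),  # group rule, listed group
        ("alice", ["analysts"], "bob", ["data-analysts"], "evil.example.org"),     # host denied
        ("alice", ["analysts"], "root", [], "laptop7.company.com"),      # target not covered
        ("svc-etl", ["analysts"], "etl-batch", [], "etl01.company.com"),  # user rule wins
        ("svc-etl", ["analysts"], "hive", [], "etl02.company.com"),       # user rule denies, group rule allows
    ]
    for req in requests:
        print(req[0], "->", req[2], "from", req[4], "=", authorize(rules, *req))
```

The last two cases are the ones worth studying: a user-specific rule that exists but denies the request does not stop evaluation, it falls through to the group rules, so a tight hadoop.proxyuser rule for an account does not limit that account if it is also a member of a broadly permitted group.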