Configuring Delegation for Clients

Impala supports user delegation for client connections.

When users submit Impala queries through a separate application, such as Hue or a business intelligence tool, typically all requests are treated as coming from the same user. Impala supports delegation where users whose names you specify can delegate the execution of a query to another user. The query runs with the privileges of the delegated user, not the original authenticated user.

The name of the delegated user is passed using the HiveServer2 protocol configuration property impala.doas.user when the client connects to Impala.

When the client connects over HTTP, the doAs parameter can be specified in the HTTP path. For example:

/?doAs=delegated_user

Currently, the delegation feature is available only for Impala queries submitted through application interfaces such as Hue and BI tools. For example, Impala cannot issue queries using the privileges of the HDFS user.

To enable delegation:

Log in to the CDP web interface and navigate to the Data Warehouse service.
In the Data Warehouse service, click Virtual Warehouses in the left navigation panel.
Select the Impala Virtual Warehouse, click options for the warehouse you want to configure Proxy User.
Select Edit.
In the Configuration tab, click Impala Coordinator.
In the Proxy User Configuration field, type the a semicolon-separated list of key=value pairs of authorized proxy users to the user(s) they can impersonate.
The list of delegated users are delimited with a comma, e.g. hue=user1, user2.
Click Apply to save the changes.