User impersonation in CDW

User impersonation allows CDP Data Visualization to execute queries in Cloudera Data Warehouse (CDW) on behalf of logged in users through a trusted service account.

When setting up a Hive or Impala data connection within the same CDW environment as your CDP Data Visualization instance, the domain is considered secure and trusted and a default service account can be used for authentication. Impersonation in the Advanced settings is turned on by default. During setup, when a trusted connection is selected, the necessary information is auto-populated. These are passwordless connections, so only the username field is populated with the service user.

As a result of impersonation all incoming queries are evaluated against the data security policies of the users’ setup in Ranger. From the query logs and profiles, you can see the trusted service user appears as the Connected User for authentication. The CDP Data Visualization user appears as the Delegated User for authorization, and their permissions will be evaluated before query runtime to ensure they have access to the data they are requesting.