About delegation users in CDW Private Cloud

Learn what a delegation user is in Cloudera Data Warehouse (CDW), why it is needed, the supported characters for the delegation password, and other related information.

The ability to specify an LDAP delegation user also allows you to freely use special characters in your LDAP Bind DN, as CDW no longer has to inherit and process the delegation user from the LDAP Bind DN.

You can change the delegation username and password even after activating the environment.

The following image shows the CDW Activation Settings page containing the Delegation Username and Delegation Password fields:


This is a screenshot of the CDW Activation Settings page showing the Delegation Username and Delegation Password fields.

A delegation user is a proxy user needed to impersonate authorization requests from Hue and Data Visualization to the Impala coordinator. You must specify a delegation username and password during environment activation. The delegation user and password can authenticate users through an LDAP service account.

Due to a known issue (DWX-15537), it is not recommended to use the delegation user without impersonation in a remote client.

The following image shows the CDW Activate Environment screen containing the Delegation Username and Delegation Password fields:


Activate Environment screen showing the Delegation Username and Delegation Password fields.


Is the delegation user a mandatory parameter?
Yes, a delegation user is required to authorize users wanting to connect to an Impala Virtual Warehouse (Impala coordinator) from Hue or Cloudera Data Visualization (CDV) instances. Hue uses LDAP authentication when connecting to the Impala coordinator pod. You must specify the delegation user while activating the CDW environment.

How does a delegation user work?
In CDW, the Impala Virtual Warehouse requires an existing LDAP user. When you submit an Impala query from Hue or establish a data connection to an Impala Virtual Warehouse from CDV, the application requesting authorization uses the delegation user as a proxy user and impersonates the user who has logged into the application during the authentication process.

Does the delegation user require any permissions defined in Ranger?
No. Because the delegation user is only used as an Impala proxy user between the Impala coordinator and Hue or CDV, the delegation user does not require any specific Ranger permissions. Ranger authorization is always done with the impersonated user (that is, a logged-in user) and not with the proxy user.

Does the delegation user need any special privileges in Active Directory (AD)?
No. The delegation user can be a regular read-only user in AD.

Do I need to configure any hadoop.proxyuser settings on the base cluster?
The hadoop.proxyuser settings are not related to the delegation user.
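
The flow described in the answers above, as an added sketch that is not Cloudera's code: a small Python model in which the delegation user's LDAP credentials authenticate the connection while the policy check runs against the impersonated user. The account names, passwords, policy table, and the rule that only the delegation user may impersonate are assumptions made for illustration.

```python
"""Model of proxy-user (delegation) authorization. All names and data are constructed."""
import hmac

# Constructed stand-ins for the LDAP directory, the delegation user and Ranger policies.
LDAP = {"svc_cdw_delegate": "D3leg@te#pw", "alice": "alice-pw", "bob": "bob-pw"}
DELEGATION_USER = "svc_cdw_delegate"
RANGER = {("alice", "sales.orders"): {"select"}}  # no entry for the delegation user


class Denied(Exception):
    pass


def ldap_bind(user, password):
    """Authenticate the connecting account (the proxy), not the end user."""
    expected = LDAP.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        raise Denied(f"LDAP bind failed for {user!r}")


def effective_user(bind_user, doas_user):
    """Assumed rule: only the delegation user may act on behalf of someone else."""
    if doas_user is None or doas_user == bind_user:
        return bind_user
    if bind_user != DELEGATION_USER:
        raise Denied(f"{bind_user!r} may not impersonate {doas_user!r}")
    return doas_user


def authorize(bind_user, password, doas_user, table, action):
    """Return an audit record; the policy check uses the impersonated identity."""
    ldap_bind(bind_user, password)
    user = effective_user(bind_user, doas_user)
    if action not in RANGER.get((user, table), set()):
        raise Denied(f"{user!r} has no {action!r} policy on {table!r}")
    return {"authenticated_as": bind_user, "authorized_as": user, "table": table}


def try_authorize(*args):
    """Convenience wrapper: return the audit record, or the denial reason as text."""
    try:
        return authorize(*args)
    except Denied as exc:
        return str(exc)
```

In this model a session opened with the delegation user's credentials but no impersonated user is evaluated as the delegation user itself, which holds no policies and is therefore denied.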
