Configure User Impersonation for Access to Hive

This section describes how to configure Apache Zeppelin user impersonation for Apache Hive.

User impersonation runs Hive queries under the user ID associated with the Zeppelin session.

Kerberos-enabled Cluster

If Kerberos is enabled on the cluster, enable user impersonation as follows:

To configure the %jdbc interpreter, complete the following steps:

  1. In Hive configuration settings, set hive.server2.enable.doAs to true.
  2. In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.
  3. Enable authentication via the Shiro configuration: specify authorization type, keytab, and principal.
    1. Set zeppelin.jdbc.auth.type to KERBEROS.
    2. Set zeppelin.jdbc.principal to the value of the principal.
    3. Set zeppelin.jdbc.keytab.location to the keytab location.
  4. Set hive.url to the URL for HiveServer2. (On an Ambari-managed cluster you can find the URL under Hive > HiveServer2 JDBC URL.) Here is the general format:
    jdbc:hive2://HiveHost:10001/default;principal=hive/_HOST@HOST1.COM;hive.server2.proxy.user=testuser

    The JDBC interpreter adds the user ID as a proxy user, and sends the string to HiveServer2; for example:

    jdbc:hive2://dkhdp253.dk:2181,dkhdp252.dk:2181,dkhdp251.dk:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
  5. Add a hive.proxy.user.property property and set its value tohive.server2.proxy.user.
  6. Click Save, then click restart to restart the interpreter.

For information about authenticating Zeppelin users through Active Directory or LDAP, see "Configuring Zeppelin Security" in this guide.