Configuring Proxy Users to Access HDFS

Hadoop allows you to configure proxy users to submit jobs or access HDFS on behalf of other users; this is called impersonation. When you enable impersonation, any jobs submitted using a proxy are executed with the impersonated user's existing privilege levels rather than those of a superuser (such as hdfs).

All proxy users are configured in one location, core-site.xml, for Hadoop administrators to implement centralized access control.

To configure proxy users, set the hadoop.proxyuser.<proxy_user>.hosts, hadoop.proxyuser.<proxy_group>.groups, and hadoop.proxyuser.<proxy_user>.users in core-site.xml properties.

For example, to allow user alice to impersonate a user belonging to group_a and group_b, set hadoop.proxyuser.<proxy_group>.groups as follows:

   <property>
     <name>hadoop.proxyuser.alice.groups</name>
     <value>group_a,group_b</value>
   </property>

To limit the hosts from which impersonated connections are allowed, use hadoop.proxyuser.<proxy_user>.hosts. For example, to allow user alice impersonated connections only from host_a and host_b:

<property>
   <name>hadoop.proxyuser.alice.hosts</name>
   <value>host_a,host_b</value>
</property>

If the configuration properties described are not present, impersonation is not allowed and connections will fail.

For looser restrictions, use a wildcard (*) to allow impersonation from any host and of any user. For example, to allow user bob to impersonate any user belonging to any group, and from any host, set the properties as follows:

  <property>
    <name>hadoop.proxyuser.bob.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.bob.groups</name>
    <value>*</value>
  </property>

The hadoop.proxyuser.<proxy_user>.hosts property also accepts comma-separated lists of IP addresses, IP address ranges in CIDR format, or host names. For example, to allow user kate access from hosts in the range 10.222.0.0-15 and 10.113.221.221, to impersonate user_a and user_b, set the proxy user properties as follows:

<property>
     <name>hadoop.proxyuser.super.hosts</name>
     <value>10.222.0.0/16,10.113.221.221</value>
</property>
<property>
     <name>hadoop.proxyuser.super.users</name>
     <value>user1,user2</value>
</property>

note

If you require proxy user to be setup on HTTPFS, you also need to configure them through the safety valve for the httpfs-site.xml. The properties required are the same as for the general proxy user setup, only they are prefixed with httpfs instead of hadoop. For example,

  <property>
    <name>httpfs.proxyuser.#USER#.hosts</name>
    <value>*</value>
    <description>
      List of hosts the '#USER#' user is allowed to perform 'doAs'
      operations.

      The '#USER#' must be replaced with the username o the user who is
      allowed to perform 'doAs' operations.

      The value can be the '*' wildcard or a list of hostnames.

      For multiple users copy this property and replace the user name
      in the property name.
    </description>
  </property>

  <property>
    <name>httpfs.proxyuser.#USER#.groups</name>
    <value>*</value>
    <description>
      List of groups the '#USER#' user is allowed to impersonate users
      from to perform 'doAs' operations.

      The '#USER#' must be replaced with the username o the user who is
      allowed to perform 'doAs' operations.

      The value can be the '*' wildcard or a list of groups.

      For multiple users copy this property and replace the user name
      in the property name.
    </description>
  </property>

The content of the properties should be the same as for the hadoop equivalent. For HTTPFS, you need to go into HttpFS Advanced Configuration Snippet (Safety Valve) for httpfs-site.xml.