Configure User Impersonation for Access to Hive
This section describes how to configure Apache Zeppelin user impersonation for Apache Hive.
User impersonation runs Hive queries under the user ID associated with the Zeppelin session.
Kerberos-enabled Cluster
If Kerberos is enabled on the cluster, enable user impersonation as follows:
To configure the %jdbc
interpreter, complete the following steps:
- In Hive configuration settings, set
hive.server2.enable.doAs
totrue
. - In the Zeppelin UI, navigate to the
%jdbc
section of the Interpreter page. - Enable authentication via the Shiro configuration: specify authorization type,
keytab, and principal.
- Set
zeppelin.jdbc.auth.type
toKERBEROS
. - Set
zeppelin.jdbc.principal
to the value of the principal. - Set
zeppelin.jdbc.keytab.location
to the keytab location.
- Set
- Set
hive.url
to the URL for HiveServer2. Here is the general format:jdbc:hive2://HiveHost:10001/default;principal=hive/_HOST@HOST1.COM;hive.server2.proxy.user=testuser
The JDBC interpreter adds the user ID as a proxy user, and sends the string to HiveServer2; for example:
jdbc:hive2://dkhdp253.dk:2181,dkhdp252.dk:2181,dkhdp251.dk:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
- Add a
hive.proxy.user.property
property and set its value tohive.server2.proxy.user
. - Click Save, then click restart to restart the interpreter.
For information about authenticating Zeppelin users through Active Directory or LDAP, see "Configuring Zeppelin Security" in this guide.