.. _impersonation:

Set Up Hadoop Impersonation
===========================

For Enterprise Steam to act on behalf of logged-in users when launching clusters on Hadoop/YARN, a Hadoop administrator has to allow Enterprise Steam to do so. This requires changes to Hadoop **core-site.xml**. Do not change **core-site.xml** manually; instead, use Cloudera Manager, Ambari, or a similar tool that manages Hadoop configuration.

The Hadoop administrator needs to add the following properties to **core-site.xml**:

.. code-block:: xml

   <property>
     <name>hadoop.proxyuser.SERVICEID.hosts</name>
     <value>HOST</value>
   </property>
   <property>
     <name>hadoop.proxyuser.SERVICEID.groups</name>
     <value>*</value>
   </property>

where:

- ``SERVICEID`` is the user ID of the Kerberos principal that is associated with the Enterprise Steam Kerberos keytab, or the Enterprise Steam service ID (usually ``steam``).
- ``HOST`` is the hostname of the Enterprise Steam server. Wildcard (``*``) is accepted.

The following is an example of valid **core-site.xml** changes to enable Enterprise Steam on ``steam.mycompany.loc`` to impersonate any user:

.. code-block:: xml

   <property>
     <name>hadoop.proxyuser.SERVICEID.hosts</name>
     <value>steam.mycompany.loc</value>
   </property>
   <property>
     <name>hadoop.proxyuser.SERVICEID.groups</name>
     <value>*</value>
   </property>

If KMS is in use, Steam needs to be added as a proxyuser to **kms-site.xml** as well.

.. code-block:: xml

   <property>
     <name>hadoop.kms.proxyuser.SERVICEID.hosts</name>
     <value>steam.mycompany.loc</value>
   </property>
   <property>
     <name>hadoop.kms.proxyuser.SERVICEID.groups</name>
     <value>*</value>
   </property>

Additional information about these changes is available here: `https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html <https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html>`__.

Set Up Impersonation In Cloudera Manager
-----------------------------------------

1. Log in to Cloudera Manager as the Hadoop administrator capable of changing Hadoop configuration.
2. Go to the **HDFS** service.
3. Go to **Configuration**.
4. Search for the ``Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml`` configuration.
5. Add an entry with name ``hadoop.proxyuser.SERVICEID.hosts`` and value ``HOST`` as described in the previous section.
6. Add an entry with name ``hadoop.proxyuser.SERVICEID.groups`` and value ``*`` as described in the previous section.
7. Save changes.
8. Deploy client configuration and restart the cluster.

Set Up Impersonation for Alluxio
--------------------------------

To enable the ``steam`` user to impersonate users from other groups, set the ``alluxio.master.security.impersonation.steam.groups`` property, where ``steam`` is the name of the Alluxio client user. The value is a comma-separated list of groups, and the wildcard value ``*`` can be used to indicate all groups.

Some examples:

* ``alluxio.master.security.impersonation.steam.groups=group1,group2``

  * the Alluxio client user ``steam`` is allowed to impersonate any users from groups ``group1`` and ``group2``

* ``alluxio.master.security.impersonation.steam.groups=*``

  * the Alluxio client user ``steam`` is allowed to impersonate users from any group
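
The following is an added example, not part of the Enterprise Steam documentation: a review script that reads the ``hadoop.proxyuser.*`` and ``hadoop.kms.proxyuser.*`` properties and the Alluxio impersonation property described above, and lists every rule whose value includes the ``*`` wildcard, so an administrator can see how broadly each service ID may impersonate. The function names, the ``etl`` service ID, the ``core-site``/``kms-site`` report labels, and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Property prefixes taken from the page; the dict key is only a report label.
XML_PREFIXES = {"core-site": "hadoop.proxyuser.", "kms-site": "hadoop.kms.proxyuser."}
ALLUXIO_PREFIX = "alluxio.master.security.impersonation."

def split_list(value):
    """Split a comma-separated property value, dropping blanks and whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]

def xml_rules(xml_text):
    """Yield (source, service_id, kind, values) for each proxyuser property."""
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        for source, prefix in XML_PREFIXES.items():
            service_id, _, kind = name[len(prefix):].rpartition(".")
            if name.startswith(prefix) and service_id and kind in ("hosts", "groups"):
                yield source, service_id, kind, split_list(value)

def alluxio_rules(props_text):
    """Yield ("alluxio", user, "groups", values) from key=value property lines."""
    for line in props_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith(ALLUXIO_PREFIX) and key.endswith(".groups"):
            user = key[len(ALLUXIO_PREFIX):-len(".groups")]
            yield "alluxio", user, "groups", split_list(value)

def wildcard_rules(xml_texts=(), alluxio_text=""):
    """Return sorted (source, service_id, kind) for every rule that includes '*'."""
    rules = [r for text in xml_texts for r in xml_rules(text)]
    rules += list(alluxio_rules(alluxio_text))
    return sorted((src, sid, kind) for src, sid, kind, vals in rules if "*" in vals)

# Constructed sample input (not from a real cluster).
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.steam.hosts</name><value>steam.mycompany.loc</value></property>
  <property><name>hadoop.proxyuser.steam.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.etl.hosts</name><value> * </value></property>
  <property><name>fs.defaultFS</name><value>hdfs://nn.mycompany.loc</value></property>
</configuration>"""
SAMPLE_KMS_SITE = """<configuration>
  <property><name>hadoop.kms.proxyuser.steam.hosts</name><value>steam.mycompany.loc</value></property>
  <property><name>hadoop.kms.proxyuser.steam.groups</name><value>*</value></property>
</configuration>"""
SAMPLE_ALLUXIO = "alluxio.master.security.impersonation.steam.groups=group1,group2\n"

if __name__ == "__main__":
    for source, service_id, kind in wildcard_rules([SAMPLE_CORE_SITE, SAMPLE_KMS_SITE], SAMPLE_ALLUXIO):
        print(f"{source}: {service_id} {kind} = *")
```

A ``hosts`` wildcard means the service ID may impersonate from any machine, while a hostname such as ``steam.mycompany.loc`` limits it to the Enterprise Steam server.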