.. _impersonation:

Set Up Hadoop Impersonation
===========================

For Enterprise Steam to act on behalf of logged-in users when launching clusters on Hadoop/YARN, a Hadoop administrator has to allow Enterprise Steam to do so. This requires changes to Hadoop **core-site.xml**. Do not change **core-site.xml** manually; instead, use Cloudera Manager, Ambari, or a similar tool that manages Hadoop configuration.
The Hadoop administrator needs to add the following properties to **core-site.xml**:

.. code-block:: xml

    <property>
      <name>hadoop.proxyuser.SERVICEID.hosts</name>
      <value>HOST</value>
    </property>
    <property>
      <name>hadoop.proxyuser.SERVICEID.groups</name>
      <value>*</value>
    </property>

where:

- ``SERVICEID`` is the user ID of the Kerberos principal that is associated with the Enterprise Steam Kerberos keytab or Enterprise Steam service ID (usually ``steam``)
- ``HOST`` is the hostname of the Enterprise Steam server. A wildcard (``*``) is accepted.
The following is an example of valid **core-site.xml** changes to enable Enterprise Steam on ``steam.mycompany.loc`` to impersonate any user:

.. code-block:: xml

    <property>
      <name>hadoop.proxyuser.SERVICEID.hosts</name>
      <value>steam.mycompany.loc</value>
    </property>
    <property>
      <name>hadoop.proxyuser.SERVICEID.groups</name>
      <value>*</value>
    </property>

If KMS is in use, Steam needs to be added as a proxyuser to **kms-site.xml** as well.

.. code-block:: xml

    <property>
      <name>hadoop.kms.proxyuser.SERVICEID.hosts</name>
      <value>steam.mycompany.loc</value>
    </property>
    <property>
      <name>hadoop.kms.proxyuser.SERVICEID.groups</name>
      <value>*</value>
    </property>

Additional information about these changes is available here: `https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html <https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html>`__.
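
A configuration check for the proxyuser properties above, as an added example that is not part of the original documentation or of Enterprise Steam: it parses a **core-site.xml** or **kms-site.xml** string and reports service IDs whose ``hosts`` or ``groups`` value is the wildcard. The function names, the severity labels, and the second service ID ``etl`` in the sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches proxyuser keys in core-site.xml and, with the "kms." infix, kms-site.xml.
KEY = re.compile(r"^hadoop\.(?:kms\.)?proxyuser\.(?P<sid>.+)\.(?P<kind>hosts|groups)$")

def proxyuser_rules(xml_text):
    """Return {service_id: {"hosts": [...], "groups": [...]}} from a *-site.xml string."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        m = KEY.match((prop.findtext("name") or "").strip())
        if m:
            value = prop.findtext("value") or ""
            entries = [v.strip() for v in value.split(",") if v.strip()]
            rules.setdefault(m["sid"], {})[m["kind"]] = entries
    return rules

def audit(xml_text):
    """Return sorted (service_id, severity, message) findings for wildcard rules."""
    findings = []
    for sid, rule in sorted(proxyuser_rules(xml_text).items()):
        hosts = rule.get("hosts", [])
        any_host = "*" in hosts
        any_group = "*" in rule.get("groups", [])
        if any_host and any_group:
            findings.append((sid, "high", "any user can be impersonated from any host"))
        elif any_host:
            findings.append((sid, "medium", "hosts is a wildcard; pin it to the service host"))
        elif any_group:
            findings.append((sid, "info", "any group, limited to hosts " + ",".join(hosts)))
    return findings

# Constructed sample: "steam" follows the page's example; "etl" is a hypothetical second ID.
SAMPLE = """<configuration>
  <property><name>hadoop.proxyuser.steam.hosts</name><value>steam.mycompany.loc</value></property>
  <property><name>hadoop.proxyuser.steam.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.etl.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.etl.groups</name><value>*</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
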
Set Up Impersonation In Cloudera Manager
-----------------------------------------
1. Log in to Cloudera Manager as the Hadoop administrator capable of changing Hadoop configuration.
2. Go to **HDFS** service.
3. Go to **Configuration**.
4. Search for ``Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml`` configuration.
5. Add an entry with name ``hadoop.proxyuser.SERVICEID.hosts`` and value ``HOST`` as described in the previous section.
6. Add an entry with name ``hadoop.proxyuser.SERVICEID.groups`` and value ``*`` as described in the previous section.
7. Save changes.
8. Deploy client configuration and restart the cluster.
Set Up Impersonation for Alluxio
--------------------------------
To enable the ``steam`` user to impersonate users from other groups, set the ``alluxio.master.security.impersonation.steam.groups``
property, where ``steam`` is the name of the Alluxio client user. The value is a comma-separated
list of groups, and the wildcard value ``*`` can be used to indicate all groups. Some examples:

* ``alluxio.master.security.impersonation.steam.groups=group1,group2``

  * the Alluxio client user ``steam`` is allowed to impersonate any users from groups ``group1`` and ``group2``

* ``alluxio.master.security.impersonation.steam.groups=*``

  * the Alluxio client user ``steam`` is allowed to impersonate users from any group