Set Up Hadoop Impersonation

For Enterprise Steam to act on behalf of logged-in users when launching clusters on Hadoop/YARN, a Hadoop administrator has to allow Enterprise Steam to do so. This requires changes to the Hadoop core-site.xml. Do not change core-site.xml manually; instead, use Cloudera Manager, Ambari, or a similar tool that manages Hadoop configuration.

The Hadoop administrator needs to add the following properties to core-site.xml:

<property>
     <name>hadoop.proxyuser.SERVICEID.hosts</name>
     <value>HOST</value>
</property>
<property>
     <name>hadoop.proxyuser.SERVICEID.groups</name>
     <value>*</value>
</property>

where:

  • SERVICEID is the user ID of the Kerberos principal that is associated with the Enterprise Steam Kerberos keytab, or the Enterprise Steam service ID (usually steam)

  • HOST is the hostname of the Enterprise Steam server. Wildcard (*) is accepted.

The following is an example of valid core-site.xml changes to enable Enterprise Steam on steam.mycompany.loc to impersonate any user:

<property>
     <name>hadoop.proxyuser.SERVICEID.hosts</name>
     <value>steam.mycompany.loc</value>
</property>
<property>
     <name>hadoop.proxyuser.SERVICEID.groups</name>
     <value>*</value>
</property>

If KMS is in use, Steam needs to be added as a proxyuser to kms-site.xml as well.

<property>
     <name>hadoop.kms.proxyuser.SERVICEID.hosts</name>
     <value>steam.mycompany.loc</value>
</property>
<property>
     <name>hadoop.kms.proxyuser.SERVICEID.groups</name>
     <value>*</value>
</property>

Additional information about these changes is available here: https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html.
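
Because these properties decide which hosts may impersonate users and which groups' members may be impersonated, it is worth reviewing them after each change. The following added example (not part of the Enterprise Steam or Hadoop documentation) parses a core-site.xml or kms-site.xml document and reports every proxyuser entry that uses the wildcard. The sample input is constructed: it takes the example above with SERVICEID set to steam and adds a hypothetical etl service; the function name and finding strings are likewise assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# hadoop.proxyuser.<id>.<scope> (core-site.xml) or
# hadoop.kms.proxyuser.<id>.<scope> (kms-site.xml)
PROXYUSER = re.compile(r"^(hadoop\.(?:kms\.)?proxyuser\.[^.]+)\.(hosts|groups)$")

# Constructed sample: the page's example with SERVICEID=steam, plus a
# hypothetical "etl" service configured with wildcards on both properties.
SAMPLE = """<configuration>
  <property><name>hadoop.proxyuser.steam.hosts</name><value>steam.mycompany.loc</value></property>
  <property><name>hadoop.proxyuser.steam.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.etl.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.etl.groups</name><value>*</value></property>
  <property><name>fs.defaultFS</name><value>hdfs://nn.mycompany.loc:8020</value></property>
</configuration>"""


def audit_proxyusers(xml_text):
    """Map each proxyuser prefix to its hosts/groups lists and wildcard findings."""
    report = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        match = PROXYUSER.match((prop.findtext("name") or "").strip())
        if not match:
            continue  # not a proxyuser hosts/groups property
        prefix, scope = match.groups()
        raw = prop.findtext("value") or ""
        entry = report.setdefault(prefix, {"hosts": [], "groups": [], "findings": []})
        # Values are comma-separated; drop empty items and stray whitespace.
        entry[scope] = [v.strip() for v in raw.split(",") if v.strip()]
    for entry in report.values():
        any_host, any_group = "*" in entry["hosts"], "*" in entry["groups"]
        if any_host and any_group:
            entry["findings"].append("UNRESTRICTED: any host, any group")
        elif any_host:
            entry["findings"].append("hosts=*: requests accepted from any host")
        elif any_group:
            entry["findings"].append("groups=*: users of any group can be impersonated")
    return report


if __name__ == "__main__":
    for prefix, entry in audit_proxyusers(SAMPLE).items():
        print(prefix, entry["hosts"], entry["groups"], entry["findings"] or "ok")
```

Run it against the effective configuration exported from Cloudera Manager or Ambari rather than a hand-edited copy, so the report reflects what the cluster actually uses.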

Set Up Impersonation In Cloudera Manager

  1. Log in to Cloudera Manager as the Hadoop administrator capable of changing Hadoop configuration.

  2. Go to HDFS service.

  3. Go to Configuration.

  4. Search for Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml configuration.

  5. Add an entry with name hadoop.proxyuser.SERVICEID.hosts and value HOST as described in the previous section.

  6. Add an entry with name hadoop.proxyuser.SERVICEID.groups and value * as described in the previous section.

  7. Save changes.

  8. Deploy client configuration and restart the cluster.

Set Up Impersonation for Alluxio

To enable the steam user to impersonate users from other groups, set the alluxio.master.security.impersonation.steam.groups property, where steam is the name of the Alluxio client user. The value is a comma-separated list of groups, and the wildcard value * can be used to indicate all groups. Some examples:

  • alluxio.master.security.impersonation.steam.groups=group1,group2

    • the Alluxio client user steam is allowed to impersonate any users from groups group1 and group2

  • alluxio.master.security.impersonation.steam.groups=*

    • the Alluxio client user steam is allowed to impersonate users from any group