Set Up Hadoop Impersonation
For Enterprise Steam to act on behalf of logged-in users when launching clusters on Hadoop/YARN, a Hadoop administrator has to allow Enterprise Steam to do so. This requires changes to the Hadoop core-site.xml. Do not change core-site.xml manually; instead, use Cloudera Manager, Ambari, or a similar tool that manages Hadoop configuration.
The Hadoop administrator needs to add the following properties to core-site.xml:
<property>
<name>hadoop.proxyuser.SERVICEID.hosts</name>
<value>HOST</value>
</property>
<property>
<name>hadoop.proxyuser.SERVICEID.groups</name>
<value>*</value>
</property>
where:
SERVICEID is the user ID of the Kerberos principal that is associated with the Enterprise Steam Kerberos keytab or the Enterprise Steam service ID (usually steam).
HOST is the hostname of the Enterprise Steam server. A wildcard (*) is accepted.
The following is an example of valid core-site.xml changes to enable Enterprise Steam on steam.mycompany.loc to impersonate any user:
<property>
<name>hadoop.proxyuser.SERVICEID.hosts</name>
<value>steam.mycompany.loc</value>
</property>
<property>
<name>hadoop.proxyuser.SERVICEID.groups</name>
<value>*</value>
</property>
If KMS is in use, Steam needs to be added as a proxyuser to kms-site.xml as well.
<property>
<name>hadoop.kms.proxyuser.SERVICEID.hosts</name>
<value>steam.mycompany.loc</value>
</property>
<property>
<name>hadoop.kms.proxyuser.SERVICEID.groups</name>
<value>*</value>
</property>
Additional information about these changes is available here: https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html.
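The following check is an added example, not part of the Enterprise Steam documentation: it reads a core-site.xml or kms-site.xml and lists every proxyuser service ID whose hosts or groups value is the wildcard, or that has only one of the two properties in the file. The sample XML, the etl service ID and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input; "steam" and "etl" are illustrative service IDs.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.steam.hosts</name><value>steam.mycompany.loc</value></property>
  <property><name>hadoop.proxyuser.steam.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.etl.hosts</name><value>*</value></property>
</configuration>"""

# Property prefixes used on this page for core-site.xml and kms-site.xml.
PREFIXES = ("hadoop.proxyuser.", "hadoop.kms.proxyuser.")

def proxyuser_settings(xml_text):
    """Return {service_id: {"hosts": value, "groups": value}} from a *-site.xml."""
    found = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        for prefix in PREFIXES:
            if name.startswith(prefix):
                # "steam.hosts" -> service ID "steam", kind "hosts"
                service_id, _, kind = name[len(prefix):].rpartition(".")
                if service_id and kind in ("hosts", "groups"):
                    found.setdefault(service_id, {})[kind] = value
    return found

def audit(xml_text):
    """List (service_id, kind, issue) for wildcard or absent hosts/groups values."""
    findings = []
    for sid, cfg in sorted(proxyuser_settings(xml_text).items()):
        for kind in ("hosts", "groups"):
            value = cfg.get(kind)
            if value is None:
                findings.append((sid, kind, "missing"))  # not set in this file
            elif "*" in [v.strip() for v in value.split(",")]:
                findings.append((sid, kind, "wildcard"))
    return findings

if __name__ == "__main__":
    for sid, kind, issue in audit(SAMPLE_CORE_SITE):
        print(f"{sid}: {kind} is {issue}")
```

A wildcard finding on groups means the service ID may impersonate members of any group, so the hosts value is the only remaining restriction.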
Set Up Impersonation In Cloudera Manager
Log in to Cloudera Manager as the Hadoop administrator capable of changing Hadoop configuration.
Go to HDFS service.
Go to Configuration.
Search for the Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml configuration.
Add an entry with name hadoop.proxyuser.SERVICEID.hosts and value HOST as described in the previous section.
Add an entry with name hadoop.proxyuser.SERVICEID.groups and value * as described in the previous section.
Save changes.
Deploy client configuration and restart the cluster.
Set Up Impersonation for Alluxio
To enable the steam user to impersonate users from other groups, set the alluxio.master.security.impersonation.steam.groups property, where steam is the name of the Alluxio client user. The value is a comma-separated list of groups, and the wildcard value * can be used to indicate all groups. Some examples:
alluxio.master.security.impersonation.steam.groups=group1,group2
The Alluxio client user steam is allowed to impersonate any users from groups group1 and group2.
alluxio.master.security.impersonation.steam.groups=*
The Alluxio client user steam is allowed to impersonate users from any group.