proxy user in impala-shell

[mhd wrk <mh...@gmail.com>]

Trying to use Impala in a kerberosied environment and my observation is
that when queries are submitted via impala-shell requests are treated as
coming from kerberose service account running the service. Is there a way
to pass a proxy user instead.

As an example, in Hive Beeline, we achieve this by using a 'connect'
command as below:

!connect jdbc:hive2://cluster:10000/;principal=hive/_HOST@example.COM;*hive.server2.proxy.user=admin@example.com
<ad...@example.com>*

Re: proxy user in impala-shell

[Fredy Wijaya <fw...@cloudera.com>]

This is an example how to set a proxy user using Impyla (
https://github.com/cloudera/impyla)

>>> import impala.dbapi as impyla
>>> c = impyla.connect(host='localhost', port='21050')
>>> c.cursor(user='foo', configuration={'impala.doas.user': 'bar'})


On Wed, Dec 19, 2018 at 6:32 PM Shant Hovsepian <sh...@arcadiadata.com>
wrote:

> Try DelegationUID=admin instead
>
> On Wed, Dec 19, 2018, 7:08 PM mhd wrk <mh...@gmail.com> wrote:
>
>> Changed client to Beeline with the following JDBC URL
>>
>>
>> jdbc:impala://cluster:21050/;AuthMech=1;KrbRealm=example.COM;KrbHostFQDN=cluster;KrbServiceName=impala;impala.doas.user=admin@example.COM
>>
>> It fails complaining
>>
>> AnalysisException: Syntax error in line 1:
>> SET impala.doas.user=admin@example.COM
>>
>> Is there any specific settings need to be set for this working?
>>
>>
>>
>> On Wed, Dec 19, 2018 at 11:47 AM Fredy Wijaya <fw...@cloudera.com>
>> wrote:
>>
>>> Impala supports proxy user via HS2:
>>> https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L321.
>>> If you use any HS2 client, you should be able to set the proxy user.
>>> Unfortunately, Impala shell still uses Beeswax, which has no support for
>>> proxy user. There's a JIRA to migrate Impala shell to HS2:
>>> https://issues.apache.org/jira/browse/IMPALA-7290.
>>>
>>> On Wed, Dec 19, 2018 at 12:31 PM mhd wrk <mh...@gmail.com> wrote:
>>>
>>>> Trying to use Impala in a kerberosied environment and my observation is
>>>> that when queries are submitted via impala-shell requests are treated as
>>>> coming from kerberose service account running the service. Is there a way
>>>> to pass a proxy user instead.
>>>>
>>>> As an example, in Hive Beeline, we achieve this by using a 'connect'
>>>> command as below:
>>>>
>>>> !connect jdbc:hive2://cluster:10000/;principal=hive/_HOST@example.COM;*hive.server2.proxy.user=admin@example.com
>>>> <ad...@example.com>*
>>>>
>>>

Re: proxy user in impala-shell

[mhd wrk <mh...@gmail.com>]

DelegationUID fixes the syntax error

On Wed, Dec 19, 2018 at 4:32 PM Shant Hovsepian <sh...@arcadiadata.com>
wrote:

> Try DelegationUID=admin instead
>
> On Wed, Dec 19, 2018, 7:08 PM mhd wrk <mh...@gmail.com> wrote:
>
>> Changed client to Beeline with the following JDBC URL
>>
>>
>> jdbc:impala://cluster:21050/;AuthMech=1;KrbRealm=example.COM;KrbHostFQDN=cluster;KrbServiceName=impala;impala.doas.user=admin@example.COM
>>
>> It fails complaining
>>
>> AnalysisException: Syntax error in line 1:
>> SET impala.doas.user=admin@example.COM
>>
>> Is there any specific settings need to be set for this working?
>>
>>
>>
>> On Wed, Dec 19, 2018 at 11:47 AM Fredy Wijaya <fw...@cloudera.com>
>> wrote:
>>
>>> Impala supports proxy user via HS2:
>>> https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L321.
>>> If you use any HS2 client, you should be able to set the proxy user.
>>> Unfortunately, Impala shell still uses Beeswax, which has no support for
>>> proxy user. There's a JIRA to migrate Impala shell to HS2:
>>> https://issues.apache.org/jira/browse/IMPALA-7290.
>>>
>>> On Wed, Dec 19, 2018 at 12:31 PM mhd wrk <mh...@gmail.com> wrote:
>>>
>>>> Trying to use Impala in a kerberosied environment and my observation is
>>>> that when queries are submitted via impala-shell requests are treated as
>>>> coming from kerberose service account running the service. Is there a way
>>>> to pass a proxy user instead.
>>>>
>>>> As an example, in Hive Beeline, we achieve this by using a 'connect'
>>>> command as below:
>>>>
>>>> !connect jdbc:hive2://cluster:10000/;principal=hive/_HOST@example.COM;*hive.server2.proxy.user=admin@example.com
>>>> <ad...@example.com>*
>>>>
>>>

Re: proxy user in impala-shell

[Shant Hovsepian <sh...@arcadiadata.com>]

Try DelegationUID=admin instead

On Wed, Dec 19, 2018, 7:08 PM mhd wrk <mh...@gmail.com> wrote:

> Changed client to Beeline with the following JDBC URL
>
>
> jdbc:impala://cluster:21050/;AuthMech=1;KrbRealm=example.COM;KrbHostFQDN=cluster;KrbServiceName=impala;impala.doas.user=admin@example.COM
>
> It fails complaining
>
> AnalysisException: Syntax error in line 1:
> SET impala.doas.user=admin@example.COM
>
> Is there any specific settings need to be set for this working?
>
>
>
> On Wed, Dec 19, 2018 at 11:47 AM Fredy Wijaya <fw...@cloudera.com>
> wrote:
>
>> Impala supports proxy user via HS2:
>> https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L321.
>> If you use any HS2 client, you should be able to set the proxy user.
>> Unfortunately, Impala shell still uses Beeswax, which has no support for
>> proxy user. There's a JIRA to migrate Impala shell to HS2:
>> https://issues.apache.org/jira/browse/IMPALA-7290.
>>
>> On Wed, Dec 19, 2018 at 12:31 PM mhd wrk <mh...@gmail.com> wrote:
>>
>>> Trying to use Impala in a kerberosied environment and my observation is
>>> that when queries are submitted via impala-shell requests are treated as
>>> coming from kerberose service account running the service. Is there a way
>>> to pass a proxy user instead.
>>>
>>> As an example, in Hive Beeline, we achieve this by using a 'connect'
>>> command as below:
>>>
>>> !connect jdbc:hive2://cluster:10000/;principal=hive/_HOST@example.COM;*hive.server2.proxy.user=admin@example.com
>>> <ad...@example.com>*
>>>
>>

Re: proxy user in impala-shell

[mhd wrk <mh...@gmail.com>]

Changed client to Beeline with the following JDBC URL

jdbc:impala://cluster:21050/;AuthMech=1;KrbRealm=example.COM;KrbHostFQDN=cluster;KrbServiceName=impala;impala.doas.user=admin@example.COM

It fails complaining

AnalysisException: Syntax error in line 1:
SET impala.doas.user=admin@example.COM

Is there any specific settings need to be set for this working?



On Wed, Dec 19, 2018 at 11:47 AM Fredy Wijaya <fw...@cloudera.com> wrote:

> Impala supports proxy user via HS2:
> https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L321.
> If you use any HS2 client, you should be able to set the proxy user.
> Unfortunately, Impala shell still uses Beeswax, which has no support for
> proxy user. There's a JIRA to migrate Impala shell to HS2:
> https://issues.apache.org/jira/browse/IMPALA-7290.
>
> On Wed, Dec 19, 2018 at 12:31 PM mhd wrk <mh...@gmail.com> wrote:
>
>> Trying to use Impala in a kerberosied environment and my observation is
>> that when queries are submitted via impala-shell requests are treated as
>> coming from kerberose service account running the service. Is there a way
>> to pass a proxy user instead.
>>
>> As an example, in Hive Beeline, we achieve this by using a 'connect'
>> command as below:
>>
>> !connect jdbc:hive2://cluster:10000/;principal=hive/_HOST@example.COM;*hive.server2.proxy.user=admin@example.com
>> <ad...@example.com>*
>>
>

Re: proxy user in impala-shell

[Fredy Wijaya <fw...@cloudera.com>]

Impala supports proxy user via HS2:
https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L321.
If you use any HS2 client, you should be able to set the proxy user.
Unfortunately, Impala shell still uses Beeswax, which has no support for
proxy user. There's a JIRA to migrate Impala shell to HS2:
https://issues.apache.org/jira/browse/IMPALA-7290.

On Wed, Dec 19, 2018 at 12:31 PM mhd wrk <mh...@gmail.com> wrote:

> Trying to use Impala in a kerberosied environment and my observation is
> that when queries are submitted via impala-shell requests are treated as
> coming from kerberose service account running the service. Is there a way
> to pass a proxy user instead.
>
> As an example, in Hive Beeline, we achieve this by using a 'connect'
> command as below:
>
> !connect jdbc:hive2://cluster:10000/;principal=hive/_HOST@example.COM;*hive.server2.proxy.user=admin@example.com
> <ad...@example.com>*
>