From user-return-26507-archive-asf-public=cust-asf.ponee.io@hive.apache.org Fri Dec 28 09:58:11 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id E8252180652 for ; Fri, 28 Dec 2018 09:58:10 +0100 (CET) Received: (qmail 60885 invoked by uid 500); 28 Dec 2018 08:58:09 -0000 Mailing-List: contact user-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@hive.apache.org Delivered-To: mailing list user@hive.apache.org Received: (qmail 60875 invoked by uid 99); 28 Dec 2018 08:58:09 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 28 Dec 2018 08:58:09 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id E7992180D48 for ; Fri, 28 Dec 2018 08:58:08 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.798 X-Spam-Level: * X-Spam-Status: No, score=1.798 tagged_above=-999 required=6.31 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id 4Ue5swDf49QB for ; Fri, 28 Dec 2018 08:58:06 +0000 (UTC) Received: from mail-qt1-f177.google.com (mail-qt1-f177.google.com [209.85.160.177]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 5D30F61040 for ; Fri, 28 Dec 2018 08:58:06 +0000 (UTC) Received: by mail-qt1-f177.google.com with SMTP id p17so22769844qtl.5 for ; Fri, 28 Dec 2018 00:58:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=2yCyKfBFe9Ez7fSxJwYSn9IW6Xw8dt4n99Zd2P5LDeM=; b=HH8qvnX9d0gP7u9M9DzSVa1TDLTLppdE+VuuE5VSlLS/c71lQwgf1mfRPPVg7aG4Dx zaG+gE/DszxhRA+YpsFdTXmPGBHloEXCs4C+EDZyAleILzM51sG4ogFv/BqDCCghOAhg e2pa0v4CUXk9n6t3bskjLjRCsJiZ/OX9AwbilYHVAc9Mc2nEVIpbzBZ0TkTR4rN3vet9 ThKPAI4Bs3RQs4+dgg62NYJB3nxVtLsisa/fBclZguAk3gOY3hcLEq5SrIZYJBVXp+VK Fd5rcvAbIUx3Si9oJJbmI0/5NusckChju6vx3KYdPLeUpSLN/7IFiyYUENAwdkDP761V QSVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=2yCyKfBFe9Ez7fSxJwYSn9IW6Xw8dt4n99Zd2P5LDeM=; b=AUD6rXzyN7sU/8prJv0D4fMWVuudw8bnXPYHGPwUlum2JTdAYwks/s0xBPl7WOa6BO JWx/oM397ZT9iSd1TPWhIOc/OLUeIVzEmJw+Vqr6c7f3tAJycPWrUAU9hrOBeNC4g+FN uOql00F/JEbT5sagRmKTDk7wZJht6rB3qB0kouJlEg23POsb5F/KWMVCzasA2SnuBYjc 8JMiTAv0g0ZKmxIXhx/t3xcIA0lTBLu2xlFoGkdvJUw6hlT//9/AP2+zsNgh44PL37zv GsFF4vjAORTkw3Pz7XmDH4Xuaa8BYLIA0XdR2i5l/JPr0/1HzZAqv4nC5nF2YT77CLgH Sq7Q== X-Gm-Message-State: AJcUukc1HtE5kEC45SwKqKSL58pXz3ac9U555TD+ZgN/rNogbqzJEgEn WdAwSD0CHMTU+9dqcXFJtaAz7bE72wgb6hkYqaq4VO4Z X-Google-Smtp-Source: AFSGD/WREbe9b9E0gUqErIDWGk6wj8KxnrWSW6MFPZJUag+VtmWe4fUnLpvD/3Mqe4pPVcFxccCJph3qHZOrhYmb9fQ= X-Received: by 2002:aed:3b25:: with SMTP id p34mr24741878qte.310.1545987485946; Fri, 28 Dec 2018 00:58:05 -0800 (PST) MIME-Version: 1.0 From: mhd wrk Date: Fri, 28 Dec 2018 00:57:54 -0800 Message-ID: Subject: Configuring hive server to proxy the connecting user at the Hadoop level To: user@hive.apache.org Content-Type: multipart/alternative; boundary="000000000000ed5812057e1142b6" --000000000000ed5812057e1142b6 Content-Type: text/plain; charset="UTF-8" In my kerberosied environment the only way I can get the hive server to proxy a non Hadoop-level superuser at HDFS level is to use Trusted Delegation as explained here . According to the snippet below seems that there's a way to configure the server to proxy non superusers as well.Has anyone done this before? Do you know where I can find more information? HiveServer2 determines the identity of the connecting user from the > underlying authentication subsystem (Kerberos or LDAP). Any new session > started for this connection runs on behalf of this connecting user. If the > server is configured to proxy the user at the Hadoop level, then all > MapReduce jobs and HDFS accesses will be performed with the identity of the > connecting user. > thanks --000000000000ed5812057e1142b6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
In my kerberosied environment the only way I can get = the hive server to proxy a non Hadoop-level superuser at HDFS level is to u= se Trusted Delegation as explained here. According to the snippet below seems that there's= a way to configure the server to proxy non superusers as well.Has anyone d= one this before? Do you know where I can find more information?

=
HiveServer2 determines the ide= ntity of the connecting user from the underlying authentication subsystem (= Kerberos or LDAP). Any new session started for this connection runs on beha= lf of this connecting user. If the server is configured to proxy the user a= t the Hadoop level, then all MapReduce jobs and HDFS accesses will be perfo= rmed with the identity of the connecting user.


thanks

--000000000000ed5812057e1142b6--