Enable Drill Impersonation with Hive

To configure Drill impersonation to work with Hive impersonation in a secure or insecure MapR cluster:

  1. Modify the drill-env.sh and drill-override.conf files on each Drill node.
  2. Update the Hive storage plugin configuration in Drill.
  3. Restart Warden.

Prerequisites

The configurations described in this document have the following dependencies:

  1. Modify <DRILL_HOME>/conf/drill-env.sh to include the required environment variables on each Drill node.
    • In an insecure cluster, include the following environment variable:
      export MAPR_IMPERSONATION_ENABLED=true 
    • In a secure cluster, include the following environment variables:
      export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.client=true”
      export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Dmapr_sec_enabled=true -Dhadoop.login=maprsasl_keytab -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dmapr.library.flatclass"
      export MAPR_TICKETFILE_LOCATION=/opt/mapr/conf/mapruserticket
  2. Modify <DRILL_HOME>/conf/drill-override.conf file on each Drill node (in secure and insecure clusters) to enable impersonation in Drill, and set the maximum number of chained user hops that Drill allows. Add the following configuration properties to the drill.exe block in drill-override.conf:
    drill.exec: {
     cluster-id: "<drill_cluster_name>",
     zk.connect: "<hostname>:5181,<hostname>:5181,<hostname>:5181"
     impersonation: {
           enabled: true,
           max_chained_user_hops: 3
     }
    }
  3. Modify the Hive storage plugin configuration in the Drill Web UI based on the authorization and security scenario for the cluster. You can only access the Drill Web UI for a running Drillbit.
    Complete the following steps to modify the Hive storage plugin configuration:
    1. Navigate to http://<drillbit_hostname>:8047, and select the Storage tab.
    2. Click Update next to the hive option.
    3. In the configuration window, add the required properties based on the authorization type and security scenario:
      • Storage Based Authorization or No Authorization Enabled:
        • Add the following properties to the configuration:
          {
          "type": "hive",
          "enabled": true,
          "configProps": {
            "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
            "fs.default.name": "maprfs:///",
            "hive.server2.enable.doAs": "true"
             }
          }
        • Add the following additional properties if the Hive metastore is configured with Kerberos; include a comma after each line except for the last:
          "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
          "hive.metastore.sasl.enabled": "true"
      • SQL Standard Based Authorization:
        • Add the following properties to the configuration:
          {
          "type": "hive",
          "enabled": true,
          "configProps": {
            "hive.metastore.uris": " thrift://<metastore_hostname>:9083",
            "fs.default.name": "maprfs:///",
            "hive.security.authorization.enabled": "true",
            "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
            "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
            "hive.server2.enable.doAs": "false",
            "hive.metastore.execute.setugi": "true"
           }
          }
        • Add the following additional properties if the Hive metastore is configured with Kerberos; include a comma after each line except for the last:
          "hive.metastore.kerberos.principal": "hive/<metastore_thrift_server>"
          "hive.metastore.sasl.enabled": "true"
  4. Issue the following command on all nodes to restart the Warden service:
    clush –a “service mapr-warden restart”