Skip to content

You are viewing documentation for Immuta version 2023.3.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Run as a Non-Default User

Audience: System Administrators

Content Summary: By default, the Immuta Partition servers will run as the immuta user. For clusters configured to use Kerberos, this means that you must have an immuta principal available for Cloudera Manager to provision the service. If for some reason you do not have an immuta principal available, you can change the user that the Immuta partition servers run as.

This page describes the configuration changes that are needed to change the principal(s) that Immuta uses. The same principal can be used for both services, but that is not necessary. Just make sure the configuration options are consistent for all configuration options on the individual services.

Partition Server Configuration

The Immuta Spark Partition Servers are components that run on your CDH cluster. The following sections will walk you through configuring the various CDH components so that the Spark Partition Servers can run as a non-default user.

In the configuration for the Immuta service, make the following updates:

  • System User: Set to the system user that will be running Immuta.
  • System Group: Set to the primary group of the user that will be running Immuta.
  • Kerberos Principal: Set to the Kerberos principal of the user that will be running Immuta.

In the configuration for HDFS, make the following updates:

  • Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
    • Set immuta.spark.partition.generator.user to the principal configured as the Kerberos Principal in the Immuta service.

Immuta Web Service

The Immuta Web Service uses the configured Kerberos principal to impersonate users when running queries against various Kerberos-enabled databases. If you are using a non-default Kerberos principal for the Immuta Web Service, be sure to update the following values.

In the configuration for HDFS, enter the following for Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:

  • hadoop.proxyuser.<immuta service principal>.hosts
    • Description: The configuration that allows the Immuta service principal to proxy other hosts. Make sure to enter the appropriate principal in place of <immuta service principal>.
    • Value: *
  • hadoop.proxyuser.<immuta service principal>.users
    • Description: The configuration that allows the Immuta service principal to proxy end-users. Make sure to enter the appropriate principal in place of <immuta service principal>.
    • Value: *
  • hadoop.proxyuser.<immuta service principal>.groups
    • Description: The configuration that allows the Immuta service principal to proxy user groups. Make sure to enter the appropriate principal in place of <immuta service principal>.
    • Value: *

If the principal for the Immuta Web Service is different from the principal used by the Immuta Partition Server, then be sure to add the Web Service principal to immuta.permission.users.to.ignore. In the HDFS configuration section for NameNode Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml ensure that the user principal running the Immuta Web Service is included in the comma-separated list of users set for immuta.permission.users.to.ignore.