Audience: System Administrators
Content Summary: By default, the Immuta Partition Servers will run as the immuta user. For clusters configured to use Kerberos, this means that you must have an immuta principal available for Cloudera Manager to provision the service. If for some reason you do not have an immuta principal available, you can change the user that the Immuta Partition Servers run as.
This page describes the configuration changes that are needed to change the principal(s) that Immuta uses. The same principal can be used for both services, but that is not necessary. Just make sure the values are consistent across all configuration options on the individual services.
The Immuta Spark Partition Servers are components that run on your CDH cluster. The following sections will walk you through configuring the various CDH components so that the Spark Partition Servers can run as a non-default user.
In the configuration for the Immuta service, make the following updates:
System User: Set to the system user that will be running Immuta.
System Group: Set to the primary group of the user that will be running Immuta.
Kerberos Principal: Set to the Kerberos principal of the user that will be running Immuta.
In the configuration for HDFS, make the following updates:
Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml: Set immuta.spark.partition.generator.user to the principal configured as the Kerberos Principal in the Immuta service.
The Immuta Web Service uses the configured Kerberos principal to impersonate users when running queries against various Kerberos-enabled databases. If you are using a non-default Kerberos principal for the Immuta Web Service, be sure to update the following values.
In the configuration for HDFS, enter the following for Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
hadoop.proxyuser.<immuta service principal>.hosts
Description: The configuration that allows the Immuta service principal to proxy other hosts. Make sure to enter the appropriate principal in place of <immuta service principal>.
Value: *
hadoop.proxyuser.<immuta service principal>.users
Description: The configuration that allows the Immuta service principal to proxy end-users. Make sure to enter the appropriate principal in place of <immuta service principal>.
Value: *
hadoop.proxyuser.<immuta service principal>.groups
Description: The configuration that allows the Immuta service principal to proxy user groups. Make sure to enter the appropriate principal in place of <immuta service principal>.
Value: *
If the principal for the Immuta Web Service is different from the principal used by the Immuta Partition Server, then be sure to add the Web Service principal to immuta.permission.users.to.ignore. In the HDFS configuration section for NameNode Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml, ensure that the user principal running the Immuta Web Service is included in the comma-separated list of users set for immuta.permission.users.to.ignore.
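A consistency check for the settings described on this page, as an added example (not Immuta's or Cloudera's code): it parses the core-site.xml and hdfs-site.xml snippets and reports any value that is missing or does not match the chosen principals. The principal names immuta_svc and immuta_web, the sample XML and the function names are constructed for illustration, and the check assumes the principal is written in the property names exactly as it is passed in.

```python
import xml.etree.ElementTree as ET

# Constructed sample snippets; "immuta_svc" and "immuta_web" are made-up principal names.
CORE_SITE = """<configuration>
  <property><name>immuta.spark.partition.generator.user</name><value>immuta_svc</value></property>
  <property><name>hadoop.proxyuser.immuta_web.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.immuta_web.users</name><value>*</value></property>
</configuration>"""
HDFS_SITE = """<configuration>
  <property><name>immuta.permission.users.to.ignore</name><value>hdfs,immuta_svc</value></property>
</configuration>"""

def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_immuta_principals(core_xml, hdfs_xml, partition_principal, web_principal):
    """Return the settings from this page that are missing or inconsistent."""
    core, hdfs = load_props(core_xml), load_props(hdfs_xml)
    findings = []
    # core-site.xml: the generator user must match the Partition Server principal.
    gen_user = core.get("immuta.spark.partition.generator.user")
    if gen_user != partition_principal:
        findings.append(f"immuta.spark.partition.generator.user is {gen_user!r}, "
                        f"expected {partition_principal!r}")
    # core-site.xml: all three proxyuser entries must exist for the Web Service principal.
    for suffix in ("hosts", "users", "groups"):
        key = f"hadoop.proxyuser.{web_principal}.{suffix}"
        if key not in core:
            findings.append(f"{key} is not set")
    # hdfs-site.xml: a distinct Web Service principal must be in the ignore list.
    if web_principal != partition_principal:
        raw = hdfs.get("immuta.permission.users.to.ignore", "")
        ignored = {u.strip() for u in raw.split(",") if u.strip()}
        if web_principal not in ignored:
            findings.append(f"{web_principal} missing from immuta.permission.users.to.ignore")
    return findings

if __name__ == "__main__":
    for finding in check_immuta_principals(CORE_SITE, HDFS_SITE, "immuta_svc", "immuta_web"):
        print("FINDING:", finding)
```

With the constructed sample it reports the missing groups entry and the Web Service principal absent from the ignore list.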