Simple Impersonation with Datameer
The operating system user that starts Datameer is the user that runs all tasks within Datameer, no matter which user is signed in to Datameer. The impersonation feature allows the Datameer administrator to have tasks appear to run as the individual Datameer users, and preview data from HDFS sources is accessed as the logged-in user.
Prerequisites
The following prerequisites are required to enable simple impersonation within Datameer.
- The Datameer users must also be operating system users. The user names need to be mapped 1:1.
- All of the operating system users must be located within a common group.
The user running Datameer must be a superuser of HDFS. For more information, refer to the Apache Hadoop documentation.
Simple impersonation isn't supported by the Spark execution frameworks.
Configuring Simple Impersonation
Follow the steps to configure simple impersonation in Datameer:
- Log into Datameer as an administrator.
- Click on the Admin tab.
- Select Hadoop Cluster from the side menu.
- Click Edit to adjust the Hadoop cluster configurations.
- Select Enable Impersonation under Storage Settings.
- Click Save.
Running the Simple Impersonation Tool to Migrate Permissions on Existing Objects (Optional)
Datameer packages a tool named unsecure_hdfs_tool.sh, located in the /bin/ folder.
The user running Datameer must be a superuser of HDFS.
Follow the steps to begin running simple impersonation on Datameer:
- Stop Datameer.
- Run the following command:
bin/unsecure_*.sh -u -g <Operating system group name with Datameer users>
- Start Datameer.
Simple Impersonation on MapR
Additional steps for those running MapR to enable simple impersonation:
- As user root, create a file on the local file system, /opt/mapr/conf/proxy/mapr:
touch /opt/mapr/conf/proxy/mapr
- Add the environment variable MAPR_IMPERSONATION_ENABLED="true". In this case, add a new line to the file etc/das-env.sh:
export MAPR_IMPERSONATION_ENABLED="true"
- Add the configuration in core-site.xml:
<property>
  <name>hadoop.proxyuser.mapr.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.mapr.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.root.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.root.hosts</name>
  <value>*</value>
</property>
Expected Impersonation Behaviors
Refer to the following table to understand how simple impersonation affects the ownership of import jobs, file uploads, data links, workbooks, and export jobs. Note that the group permissions apply to the artifact, not the folders the artifacts are in.
Scenario | Owner in HDFS | Group in HDFS | Permissions for owner in HDFS | Permissions for group in HDFS | Owner of YARN application (when job is triggered manually) | Owner of YARN application (when job is triggered by schedule) | Preview data accessed as |
---|---|---|---|---|---|---|---|
Creating an artifact | Creator | Group selected, if none selected, the default Datameer group | Read and write | Only read | n/a | n/a | n/a |
Running a job | Creator | n/a | Read and write | Only read | Creator | Creator | Logged in user |
Generating preview data | Creator | Group selected, if none selected, the default Datameer group | Read and write | Only read | Creator | Creator | Logged in user |
Saving edited artifact (not as creator) | Creator | Group selected, if none selected, the default Datameer group | Read and write | Only read | Creator | Creator | Logged in user |
Updating permissions | Creator | Newly selected group | Read and write | Newly selected group and read permission only | Creator | Creator | Logged in user |