Run as a Non-Default User
Audience: System Administrators
Content Summary: By default, the Immuta Partition servers will run as the immuta user. For clusters configured to use Kerberos, this means that you must have an immuta principal available for Cloudera Manager to provision the service. If for some reason you do not have an immuta principal available, you can change the user that the Immuta partition servers run as.

This page describes the configuration changes that are needed to change the principal(s) that Immuta uses. The same principal can be used for both services, but that is not necessary. Just make sure the configuration options on the individual services are consistent with one another.
Partition Server Configuration
The Immuta Spark Partition Servers are components that run on your CDH cluster. The following sections will walk you through configuring the various CDH components so that the Spark Partition Servers can run as a non-default user.
In the configuration for the Immuta service, make the following updates:
- System User: Set to the system user that will be running Immuta.
- System Group: Set to the primary group of the user that will be running Immuta.
- Kerberos Principal: Set to the Kerberos principal of the user that will be running Immuta.
In the configuration for HDFS, make the following updates:

Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
- Set immuta.spark.partition.generator.user to the principal configured as the Kerberos Principal in the Immuta service.
- Set
Immuta Web Service
The Immuta Web Service uses the configured Kerberos principal to impersonate users when running queries against various Kerberos-enabled databases. If you are using a non-default Kerberos principal for the Immuta Web Service, be sure to update the following values.
In the configuration for HDFS, enter the following for Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
- hadoop.proxyuser.<immuta service principal>.hosts
  - Description: The configuration that allows the Immuta service principal to proxy other hosts. Make sure to enter the appropriate principal in place of <immuta service principal>.
  - Value: *
- hadoop.proxyuser.<immuta service principal>.users
  - Description: The configuration that allows the Immuta service principal to proxy end-users. Make sure to enter the appropriate principal in place of <immuta service principal>.
  - Value: *
- hadoop.proxyuser.<immuta service principal>.groups
  - Description: The configuration that allows the Immuta service principal to proxy user groups. Make sure to enter the appropriate principal in place of <immuta service principal>.
  - Value: *
If the principal for the Immuta Web Service is different from the principal used by the Immuta Partition Server, then be sure to add the Web Service principal to immuta.permission.users.to.ignore. In the HDFS configuration section for NameNode Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml, ensure that the user principal running the Immuta Web Service is included in the comma-separated list of users set for immuta.permission.users.to.ignore.
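As an added example that is not part of the Immuta documentation, the following Python script checks the consistency rules from this page against Hadoop-style XML snippets of the kind the safety valves produce. The property names are the ones on this page; the principal names immuta_part and immuta_web are constructed, and the check assumes each principal is written in its short user-name form (the part before the realm).

```python
import xml.etree.ElementTree as ET

def parse_hadoop_conf(xml_text):
    """Parse a Hadoop *-site.xml document into a {property name: value} dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def check_immuta_principals(core_site, hdfs_site, web_service_principal):
    """Return the list of inconsistencies found; an empty list means the
    settings agree with the rules on this page."""
    core = parse_hadoop_conf(core_site)
    hdfs = parse_hadoop_conf(hdfs_site)
    problems = []
    # Partition servers: the generator user must be set in core-site.xml.
    partition_user = core.get("immuta.spark.partition.generator.user")
    if not partition_user:
        problems.append("immuta.spark.partition.generator.user is not set in core-site.xml")
    # Web service: all three proxyuser entries for its principal must exist.
    for suffix in ("hosts", "users", "groups"):
        key = f"hadoop.proxyuser.{web_service_principal}.{suffix}"
        if not core.get(key):
            problems.append(f"{key} is missing from core-site.xml")
    # Different principals: the web service one must also be in the ignore list.
    if partition_user and partition_user != web_service_principal:
        ignored = {u.strip() for u in
                   hdfs.get("immuta.permission.users.to.ignore", "").split(",")}
        if web_service_principal not in ignored:
            problems.append(f"{web_service_principal} is not in "
                            "immuta.permission.users.to.ignore in hdfs-site.xml")
    return problems

# Constructed sample snippets; immuta_part and immuta_web are made-up principals.
CORE_SITE = """<configuration>
  <property><name>immuta.spark.partition.generator.user</name><value>immuta_part</value></property>
  <property><name>hadoop.proxyuser.immuta_web.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.immuta_web.users</name><value>*</value></property>
  <property><name>hadoop.proxyuser.immuta_web.groups</name><value>*</value></property>
</configuration>"""
HDFS_SITE_OK = """<configuration>
  <property><name>immuta.permission.users.to.ignore</name><value>immuta_part,immuta_web</value></property>
</configuration>"""
HDFS_SITE_BAD = """<configuration>
  <property><name>immuta.permission.users.to.ignore</name><value>immuta_part</value></property>
</configuration>"""

if __name__ == "__main__":
    for hdfs_site in (HDFS_SITE_OK, HDFS_SITE_BAD):
        print(check_immuta_principals(CORE_SITE, hdfs_site, "immuta_web") or "consistent")
```

Against real cluster files, pass the contents of the generated core-site.xml and hdfs-site.xml and the short name of the Web Service principal; any non-empty result is a setting this page says must be present.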