One way to mitigate the problem of multi-user scenarios is with secure proxy users (see HIVE-5155). Starting in Hive 0.13.0, support for secure proxy users has two components:
- Direct proxy access for privileged Hadoop users (HIVE-5155). This enables a privileged user to directly specify an alternate session user during the connection. If the connecting user has Hadoop level privilege to impersonate the requested userid, then HiveServer2 will run the session as that requested user.
- Delegation token based connection for Oozie (OOZIE-1457). This is the common mechanism for Hadoop ecosystem components.

The proxy user privileges in the Hadoop ecosystem are associated with both user names and hosts. That is, the privilege is available for certain users from certain hosts. Delegation tokens in Hive are meant to be used if you are connecting from one authorized (blessed) machine and later need to make a connection from another, non-blessed machine. You get the delegation token from the blessed machine and connect using the delegation token from the non-blessed machine. The primary use case is Oozie, which gets a delegation token from the server machine and then gets another connection from a Hadoop task node.

If you are only making a JDBC connection as a privileged user from a single blessed machine, direct proxy access is the simpler approach. You can just pass the user you need to impersonate in the JDBC URL using the hive.server2.proxy.user=<user> parameter.

See examples in ProxyAuthTest.java.
The other way is to use a pre-authenticated Kerberos Subject (see HIVE-6486). In this method, starting with Hive 0.13.0 the Hive JDBC client can use a pre-authenticated subject to authenticate to HiveServer2. This enables a middleware system to run queries as the user running the client.
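
Both approaches above, direct proxy access through hive.server2.proxy.user and a pre-authenticated Kerberos Subject, are shown in the following added Java example, which is not code from the Hive project or from ProxyAuthTest.java. The host, principal, JAAS entry name HiveClient, user-name allow-list and the current_user() check are assumptions; auth=kerberos and kerberosAuthType=fromSubject are the Hive JDBC URL properties used for the Subject case.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.*;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class ProxyUserExample {
    // Constructed placeholders: host, port, database and HiveServer2 principal.
    static final String BASE = "jdbc:hive2://hs2.example.com:10000/default"
            + ";principal=hive/hs2.example.com@EXAMPLE.COM";
    // Assumed allow-list: ';', '?' and '#' delimit JDBC URL sections, so reject them.
    static final Pattern SAFE_USER = Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]{0,63}");

    // Direct proxy access: the privileged caller names the session user in the URL.
    static String proxyUrl(String endUser) {
        if (endUser == null || !SAFE_USER.matcher(endUser).matches()) {
            throw new IllegalArgumentException("refusing unsafe proxy user name");
        }
        return BASE + ";hive.server2.proxy.user=" + endUser;
    }

    // Pre-authenticated subject: open the connection inside Subject.doAs().
    static Connection connectAs(Subject subject) throws Exception {
        String url = BASE + ";auth=kerberos;kerberosAuthType=fromSubject";
        return Subject.doAs(subject,
                (PrivilegedExceptionAction<Connection>) () -> DriverManager.getConnection(url));
    }

    // Asks the server which user the session runs as (assumes current_user() is available).
    static String sessionUser(Connection c) throws SQLException {
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT current_user()")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Case 1: this process already holds a Kerberos ticket for the privileged user.
        try (Connection c = DriverManager.getConnection(proxyUrl("alice"))) {
            System.out.println("session user: " + sessionUser(c));
        }
        // Case 2: "HiveClient" is an assumed JAAS entry that performs the Kerberos login.
        LoginContext lc = new LoginContext("HiveClient");
        lc.login();
        try (Connection c = connectAs(lc.getSubject())) {
            System.out.println("session user: " + sessionUser(c));
        }
    }
}
```

Running it requires the Hive JDBC driver on the classpath and a Kerberos-enabled HiveServer2. Comparing the reported session user with the requested one confirms that impersonation took effect.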