- Direct proxy access for privileged Hadoop users (HIVE-5155). This enables a privileged user to directly specify an alternate session user during the connection. If the connecting user has Hadoop level privilege to impersonate the requested userid, then HiveServer2 will run the session as that requested user.
- Delegation token based connection for Oozie (OOZIE-1457). This is the common mechanism for Hadoop ecosystem components. The proxy Proxy user privileges in hadoop the Hadoop ecosystem are associated with both user names and hosts. IeThat is, the privilege is available for certain users from certain hosts. Delegation tokens in hive Hive are meant to be used if you are connecting from one authorized (blessed) machine and later you need to make a connection from another non-blessed machinedmachine. You get the delegation token from a blessed machine and connect using the delegation token from a non-blessed machine. The primary use case is Oozie, which gets a delegation token from the server machine and then gets another connection from a Hadoop task node.
If you are only making a jdbc JDBC connection as a privileged user from a single blessed machine, the then direct proxy access is the simpler approach. You can just pass the user you need to impersonate in jdbc url using hiveimpersonate in the JDBC URL by using the hive.server2.proxy.user=<user> parameter in jdbc url. <user> parameter.
See examples in ProxyAuthTest.java.
The other way is to use a pre-authenticated Kerberos Subject (see HIVE-6486). In this method, starting with Hive 0.13.0 the Hive JDBC client can use a pre-authenticated subject to authenticate to HiveServer2. This enables a middleware system to run queries as the user running the client.