Delegating Authentication to a Specific User

Some Hive Server 2 instances support the ability to delegate all operations against Hive to the specified user, rather than to the authenticated user for the connection.

To delegate all operations to a specified user:

  • Set the DelegationUID configuration option to the name of the user to whom operations are to be delegated.

If the server returns an error message such as Failed to validate proxy privilege of [RealUser] for [DelegationUID], you may need to modify the server's core-site.xml configuration file, as follows:

  1. In the server's core-site.xml configuration file, add the following properties:

    hadoop.proxyuser.[RealUser].groups=*

    hadoop.proxyuser.[RealUser].hosts=*

    Where [RealUser] is the authenticated user for the connection.

  2. If you are using Kerberos authentication, then in the server's core-site.xml configuration file, add the following properties:

    hadoop.proxyuser.[Principal].groups=*

    hadoop.proxyuser.[Principal].hosts=*

    Where [Principal] is the primary Kerberos principal user. For example, if the primary Kerberos principal user is kerbuser@example.com, replace [Principal] with kerbuser.
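
In Hadoop, a value of * for these properties lets the named user impersonate members of any group from any host. The following Python check is an added example, not part of the original documentation: it reads a core-site.xml and reports which proxy-user entries are still wildcarded and which are scoped. The sample file and the names hiveuser, etl-team and hs2-01.example.com are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml; user, group and host names are placeholders.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hiveuser.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hiveuser.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.kerbuser.groups</name><value>etl-team</value></property>
  <property><name>hadoop.proxyuser.kerbuser.hosts</name><value>hs2-01.example.com</value></property>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.com:8020</value></property>
</configuration>
"""

PREFIX = "hadoop.proxyuser."
SCOPES = ("groups", "hosts", "users")


def audit_proxyusers(core_site_xml):
    """Map each proxy (real) user to its scopes and the scopes left as '*'."""
    report = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue  # unrelated property such as fs.defaultFS
        # The user name may itself contain dots, so split on the last one.
        real_user, _, scope = name[len(PREFIX):].rpartition(".")
        if not real_user or scope not in SCOPES:
            continue
        raw = prop.findtext("value") or ""
        values = [v.strip() for v in raw.split(",") if v.strip()]
        entry = report.setdefault(real_user, {"wildcards": []})
        entry[scope] = values
        if "*" in values:
            entry["wildcards"].append(scope)
    return report


if __name__ == "__main__":
    for user, entry in audit_proxyusers(SAMPLE_CORE_SITE).items():
        wild = entry["wildcards"]
        print(user, "unrestricted: " + ", ".join(wild) if wild else "scoped")
```

Replacing * with a comma-separated list of specific groups and hosts, as in the kerbuser entries of the sample, limits whom the connection user can act as and from where.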

For more information on resolving this error, see your Hive Server documentation.