Delegating Authentication to a Specific User
Some Hive Server 2 instances support the ability to delegate all operations against Hive to the specified user, rather than to the authenticated user for the connection.
To delegate all operations to a specified user:
- Set the
DelegationUIDconfiguration option to the name of the user to be delegated.
If the server returns an error message such as Failed to validate proxy privilege of [RealUser] for [DelegationUID], you may need to modify the server's core-site.xml configuration file, as follows:
- In the server's
core-site.xmlconfiguration file, add the following properties:hadoop.proxyuser.[RealUser].groups=*
hadoop.proxyuser.[RealUser].hosts=*
Where [RealUser] is the authenticated user for the connection.
- If you are using Kerberos authentication, then in the server's
core-site.xmlconfiguration file, add the following properties:hadoop.proxyuser.[Principal].groups=*
hadoop.proxyuser.[Principal].hosts=*
Where [Principal] is the primary Kerberos principal user. For example, if the primary Kerberos principal user is
kerbuser@example.com, replace [Principal] withkerbuser.
For more information on resolving this error, see your Hive Server documentation.