Configuring Delegation on Impala using User Attributes

Using Delegation on Impala with User Attributes

This article describes how to have Looker run queries against Cloudera Impala under the permissions of the individual Looker user rather than under the shared service account, similar to pass-through authentication. The permissions defined in Impala then apply to queries issued from Looker, so a user cannot query data in Impala that they are not authorized to see.

Please note this is not a tutorial on setting up Impala; you must be able to change the Impala startup configuration for this to work. You also need administrative access to Looker in order to create or edit user attributes and connections.

The Problem

When using a database such as Cloudera Impala with Looker, there are many reasons to run queries under a specific user's credentials instead of a single service account:

  • Tracking and Audit
  • Varying permissions by user that a service account will not suffice for

The Fix: Delegation

This can be accomplished with user-specific database credentials, but those are often not available: every user would need their own database login, LDAP may not be in use, passwords may not be in sync, or Impala may be secured with Kerberos. In those cases, here is how to use user attributes to accomplish the same thing.

User attributes were released in version 4.4. They allow a set of variables to be assigned per user, which can then select different connections, drive filters, or be injected as values across the Looker platform.

If you use LDAP authentication and the Looker username is the same as the Impala login, there is nothing else to set up for the attributes: Looker automatically assigns it as a system-managed attribute called ldap_user_id. Otherwise you need to create a user attribute for this purpose. To set one up, follow these instructions. Because Impala will trust whatever value this attribute holds, make sure the attribute cannot be edited by the users themselves; otherwise a user could set it to someone else's login and run queries as that person. Check a user's profile to confirm the attribute is populated correctly:

You may need to use the Cloudera native driver for this to work. Reach out to Looker support for help with that.

On the Impala side, it is crucial to set up "delegation." Read more about that here:
http://www.cloudera.com/documentation/enterprise/latest/topics/impala_delegation.html

The Impala startup would look something like this:

impalad --authorized_proxy_user_config 'looker_user=*' ...

Assuming looker_user is the service account Looker connects to Impala with, that user can now impersonate others. The wildcard * allows it to impersonate any Impala user, so the Looker service account credentials and the user attribute above become the only things standing between a Looker user and any identity in Impala. If you can, replace * with a comma-separated list of the specific users (or use the group-based variant of the setting documented at the link above) so the service account can only delegate to the accounts that actually use Looker.

Once that is done, append the following to the JDBC string of each connection: ;DelegationUID={{ _user_attributes['ldap_user_id'] }}

The final product looks like this:

Now when you review the JDBC String, you will notice the delegation parameter:
jdbc:hive2://localhost:21050/default?DelegationUID=efein
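As an added illustration (this is example code, not code from the original post, from Looker or from Cloudera), the following models the two trust decisions behind the setup above: which users the impalad --authorized_proxy_user_config setting lets the Looker service account delegate to, and how the per-user JDBC string is derived from the user attribute. It also checks that the attribute value cannot smuggle extra JDBC parameters into the connection string, which matters if the attribute is ever editable by users. The usernames, the attribute name, the base URL and the username character set it accepts are assumptions for the example.

```python
"""Example only: models Impala delegation as configured in the post above.

Not code from the original post, Looker or Cloudera. Usernames, the
base URL and the accepted username charset are assumptions.
"""
import re
from typing import Dict, Set

# Cloudera's documented format for --authorized_proxy_user_config:
# "proxy_user=userA,userB;other_proxy=*"  ('*' = may delegate to anyone)
def parse_proxy_user_config(value: str) -> Dict[str, Set[str]]:
    config: Dict[str, Set[str]] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        proxy, sep, users = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed entry: {entry!r}")
        config[proxy.strip()] = {u.strip() for u in users.split(",") if u.strip()}
    return config


def delegation_allowed(config: Dict[str, Set[str]], proxy_user: str, delegated_user: str) -> bool:
    """True if proxy_user may run queries as delegated_user under this config."""
    allowed = config.get(proxy_user, set())
    return "*" in allowed or delegated_user in allowed


# Looker's {{ _user_attributes['name'] }} placeholder in a JDBC parameter string.
_PLACEHOLDER = re.compile(r"\{\{\s*_user_attributes\['([A-Za-z0-9_]+)'\]\s*\}\}")
# Assumption: a conservative charset for values that end up in DelegationUID.
# ';', '?', '=' and '&' are excluded because they delimit JDBC parameters.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def render_user_attributes(template: str, attributes: Dict[str, str]) -> str:
    """Substitute user attributes into the additional-parameters template,
    refusing empty or unsafe values instead of rendering them."""
    def substitute(match):
        name = match.group(1)
        value = attributes.get(name)
        if not value:
            # Never silently fall back to the service account's own identity.
            raise ValueError(f"user attribute {name!r} is not set for this user")
        if not _SAFE_VALUE.fullmatch(value):
            raise ValueError(f"user attribute {name!r} has an unsafe value: {value!r}")
        return value
    return _PLACEHOLDER.sub(substitute, template)


def build_jdbc_url(base_url: str, extra_params_template: str, attributes: Dict[str, str]) -> str:
    """Base connection string plus the rendered per-user DelegationUID parameter."""
    return base_url + render_user_attributes(extra_params_template, attributes)


def query_identity(config: Dict[str, Set[str]], proxy_user: str, jdbc_url: str) -> str:
    """Identity the query is attributed to, given the JDBC string the service
    account connects with and the daemon's proxy-user config. Delegation to
    a user outside the configured list is modelled as a rejected request."""
    match = re.search(r"DelegationUID=([^;?&]+)", jdbc_url)
    if not match:
        return proxy_user  # no delegation requested: runs as the service account
    delegated = match.group(1)
    if not delegation_allowed(config, proxy_user, delegated):
        raise PermissionError(f"{proxy_user!r} is not authorized to delegate to {delegated!r}")
    return delegated


if __name__ == "__main__":
    cfg = parse_proxy_user_config("looker_user=*")
    url = build_jdbc_url("jdbc:hive2://localhost:21050/default",
                         ";DelegationUID={{ _user_attributes['ldap_user_id'] }}",
                         {"ldap_user_id": "efein"})  # constructed sample attributes
    print(url)
    print(query_identity(cfg, "looker_user", url))
```

The value check is the part worth carrying over to a real deployment: the attribute is pasted into the connection string verbatim, so a missing value must fail closed rather than quietly run the query as the service account, and a value containing a parameter delimiter must be rejected rather than rendered.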

Also, if you check the Impala logs, you will see the delegated usernames next to the queries, not just the service account.
