Big Data Management Security Guide > User Impersonation with Kerberos Authentication > User Impersonation in the Native Environment
  

User Impersonation in the Native Environment

To enable different users to run mappings that read or processes data from big data sources or targets that use Kerberos authentication, configure user impersonation for the native environment.
For example, the HypoStores administrator wants to enable user Bob to run mappings that read and process data from Hive and HBase sources and HDFS targets that use Kerberos authentication.
To enable user impersonation, you must complete the following steps:
  1. 1. Login to the Kerberos realm.
  2. 2. Specify Kerberos authentication properties for the Data Integration Service.
  3. 3. Configure the execution options for the Data Integration Service.
  4. 4. Specify the URL for the Hadoop cluster in the Hive, HBase, or HDFS connection.
  5. 5. Configure the mapping impersonation property that enables user Bob to run the mapping in the native environment.

Step 1. Login to the Kerberos Realm

Use the SPN and keytab of the Data Integration Service user to login to the Kerberos realm on the machine that hosts the KDC server.

Step 2. Specify the Kerberos Authentication Properties for the Data Integration Service

In the Data Integration Service properties, configure the properties that enable the Data Integration Service to connect to a Hive, HBase, or HDFS sources and targets that use Kerberos authentication.
Configure the following properties:
Hadoop Kerberos Service Principal Name
Service Principal Name (SPN) of the Data Integration Service to connect to a Hadoop cluster that uses Kerberos authentication.
Enter the property in the following format:
<princ_name>
For example, enter the following value:
joe/domain12345@MY-REALM
For example, enter the following value:
joe/domain12345@MY-REALM
Hadoop Kerberos Keytab
Path to the Kerberos keytab file on the machine on which the Data Integration Service runs.
Enter the property in the following format:
<keytab_path>
For example, enter the following path:
<Informatica Big Data Management Server Installation Directory>/isp/config/keys/infa_hadoop.keytab

Step 3. Configure the Execution Options for the Data Integration Service

To determine whether the Data Integration Service runs jobs in separate operating system processes or in one operating system process, configure the Launch Job Options property. Use the Administrator tool to configure the execution options for the Data Integration Service.
    1. Click Edit to edit the Launch Job Options property in the execution options for the Data Integration Service properties.
    2. Choose the launch job option.

Step 4. Specify the URL for the Hadoop Cluster in the Connection Properties

In the Administrator or Developer tool, specify the URL for the Hadoop cluster on which the Hive, HBase, or HDFS source or target resides. Configure the Hive, HBase, or HDFS connection properties to specify the URL for the Hadoop cluster.
In the Hive connection, configure the properties to access Hive as a source or a target.
In the HBase connection, configure the Kerberos authentication properties.
In the HDFS connection, configure the NameNode URI property.

Step 5. Configure the Mapping Impersonation Property

In the Developer tool, configure the mapping impersonation property in the native environment that enables another user to run mappings that read or process data from big data sources that use Kerberos authentication.
    1. Launch the Developer tool and open the mapping that you want to run.
    The mapping opens in the editor.
    2. Click the Run-time tab.
    3. Select Native as the execution environment.
    4. To enable another user to run the mapping, click Mapping Impersonation User Name and enter the value in the following format:
    <Hadoop service name>/<Hostname>@<YOUR-REALM>.
    Where
    The following special characters can only be used as delimiters: '/' and '@'.
    5. Right-click an empty area in the editor and click Run Mapping.