User Impersonation with Kerberos Authentication
You can enable different users to run mappings in a Hadoop cluster that uses Kerberos authentication or connect to big data sources and targets that use Kerberos authentication. To enable different users to run mappings or connect to big data sources and targets, you must configure user impersonation.
You can configure user impersonation for the native or Hadoop environment.
Before you configure user impersonation, you must complete the following prerequisites:
- Complete the tasks for running mappings in a Kerberos-enabled Hadoop environment.
- Configure Kerberos authentication for the native or Hadoop environment.
- If the Hadoop cluster uses MapR, create a proxy directory for the user who will impersonate other users.
If the Hadoop cluster does not use Kerberos authentication, you can specify a user name in the Hadoop connection to enable the Data Integration Service to impersonate that user.
If the Hadoop cluster uses Kerberos authentication, you must specify a user name in the Hadoop connection.
User Impersonation in the Hadoop Environment
To enable different users to run mapping and workflow jobs on a Hadoop cluster that uses Kerberos authentication, you must configure user impersonation in the Hadoop environment.
For example, you want to enable user Bob to run mappings and workflows on the Hadoop cluster that uses Kerberos authentication.
To enable user impersonation, you must complete the following steps:
1. In the Active Directory, enable delegation for the Service Principal Name for the Data Integration Service to enable Bob to run Hadoop jobs.
2. If the service principal name (SPN) is different from the impersonation user, grant read permission on Hive tables to the SPN user.
3. Specify Bob as the user name in the Hadoop connection.
User Impersonation in the Native Environment
To enable different users to run mappings that read or process data from big data sources or targets that use Kerberos authentication, configure user impersonation for the native environment.
To enable user impersonation, you must complete the following steps:
1. Specify Kerberos authentication properties for the Data Integration Service.
2. Configure the execution options for the Data Integration Service.
Step 1. Specify the Kerberos Authentication Properties for the Data Integration Service
In the Data Integration Service properties, configure the properties that enable the Data Integration Service to connect to a Hadoop cluster that uses Kerberos authentication. Use the Administrator tool to set the Data Integration Service properties.
Property | Description |
---|---|
Hadoop Kerberos Service Principal Name | Service Principal Name (SPN) of the Data Integration Service to connect to a Hadoop cluster that uses Kerberos authentication. Not required for the MapR distribution. |
Hadoop Kerberos Keytab | The file path to the Kerberos keytab file on the machine on which the Data Integration Service runs. Not required for the MapR distribution. |
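
A preflight check for the two properties above, as an added example that is not Informatica's code: it parses the keytab at the configured path to confirm that it holds an entry for the configured SPN and that the file grants nothing to group or other users. The principal `infa_dis/node1.example.com@EXAMPLE.COM`, the function names and the sample keytab are constructed for illustration; a POSIX host and keytab file format version 0x0502 are assumed.

```python
import os
import stat
import struct

def keytab_principals(data: bytes) -> set:
    """Principals (name@REALM) in a keytab of file format version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (count,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(count + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def check_keytab(path: str, spn: str) -> list:
    """Problems that would block authentication as spn or expose the keys."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                       # assumes a POSIX host
        problems.append(f"mode {mode:o} grants access to group or other users")
    with open(path, "rb") as f:
        if spn not in keytab_principals(f.read()):
            problems.append(f"{spn} has no entry in the keytab")
    return problems

def sample_entry(realm: str, components: list) -> bytes:
    """Constructed entry with an all-zero key, for trying the check offline."""
    def counted(b): return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, 1)   # name type, timestamp, key version
    body += struct.pack(">H", 17) + counted(bytes(16))  # enctype, key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + sample_entry("EXAMPLE.COM", ["infa_dis", "node1.example.com"])
```

Call `check_keytab` with the values entered for Hadoop Kerberos Keytab and Hadoop Kerberos Service Principal Name; an empty list means both checks passed.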
Step 2. Configure the Execution Options for the Data Integration Service
To determine whether the Data Integration Service runs jobs in separate operating system processes or in one operating system process, configure the Launch Job Options property. Use the Administrator tool to configure the execution options for the Data Integration Service.
1. Click Edit to edit the Launch Job Options property in the execution options for the Data Integration Service properties.
2. Choose the launch job option.