About User Delegation

For some Zoomdata connectors, you can use user delegation to run queries on behalf of Zoomdata users with a single set of credentials. This allows you to share a single connection configuration among all users. User delegation can be established on a per-user or a per-group basis.

User delegation is also known as user proxies, user attribute pass-through, or user impersonation.

User delegation is currently supported by the following Zoomdata connectors: Apache Drill, Cloudera Impala, Cloudera Search, and Hive. The Zoomdata Oracle connector supports user delegation only via user credential pass-through.

The Zoomdata supervisor enables user delegation via a custom user attribute. Zoomdata administrators apply user delegation to the data connection definition for a data source.

Applying user delegation to a Zoomdata data source connection definition involves setting the Do As User parameter in the connection definition and setting up proxy user features in your data store. The data store or Zoomdata can use any authentication mechanism (Kerberos or LDAP) and any group mapping method (file system or LDAP-based), as long as the user name assigned to the Do As User connector parameter is granted the appropriate authorizations (delegation) in the data store configuration.

User delegation processing is depicted in the following diagram.

User delegation occurs in this manner:

  1. The Zoomdata supervisor or administrator assigns any LDAP attribute (for example, cn, sAMAccountName, name) to a Zoomdata custom user attribute. This should be provided by your data store administrator. The only requirement is that this attribute must match the configuration in Sentry. See Enabling User Delegation.

    The Zoomdata custom user attribute is referenced by its name, prefaced by the word User. For example, if your Zoomdata custom user attribute is named XXXUserName, you would reference it as User.XXXUserName.

  2. The Zoomdata administrator references the custom user attribute in the appropriate data source connection definition using the connection's Do As User box. For example:

    See Connection Tab for information about the Connection tab in the data source connection definition.

  3. When a user submits a query using the data source, the Zoomdata connector sends the user identified by the Do As User parameter (or as interpreted by the setting in that parameter) to the data store when it connects on behalf of the query.

    Assuming user proxy (user delegation) features are set up properly on the data store, the data store runs the query on behalf of the user. For information on setting up user proxy, user impersonation, or user delegation features in each data store, see the following links.

    Data Store User Proxy Setup Links
    Apache Drill
    Cloudera Impala
    Cloudera Search
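
The steps above can be checked before rollout with a small audit script. This is an added example, not Zoomdata or data store code: it assumes a Do As User value of the form User.<name> resolves to that user's custom attribute, and that the proxy rules follow the syntax of Impala's `authorized_proxy_user_config` flag. The `zoomdata_svc` account name and the sample users are constructed.

```python
# Added example: pre-deployment audit of a Do As User setting.
# Assumptions: "User.<name>" resolves to the user's custom attribute; the
# proxy rules use Impala's --authorized_proxy_user_config syntax.

def parse_proxy_config(value):
    """Parse 'svc=alice,bob;etl=*' into {'svc': {'alice', 'bob'}, 'etl': {'*'}}."""
    rules = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        proxy, sep, delegates = entry.partition("=")
        if not sep or not proxy.strip():
            raise ValueError(f"malformed proxy rule: {entry!r}")
        names = {d.strip() for d in delegates.split(",") if d.strip()}
        rules.setdefault(proxy.strip(), set()).update(names)
    return rules

def resolve_do_as_user(setting, attributes):
    """Return the name sent to the data store, or None if it cannot be resolved."""
    if setting.startswith("User."):
        value = attributes.get(setting[len("User."):], "")
        return value.strip() or None
    return setting.strip() or None

def audit(setting, service_account, proxy_config, users):
    """Return {login: (delegated_name, verdict)} for every user."""
    allowed = parse_proxy_config(proxy_config).get(service_account, set())
    report = {}
    for login, attributes in users.items():
        name = resolve_do_as_user(setting, attributes)
        if name is None:
            verdict = "UNRESOLVED"           # custom attribute missing or empty
        elif name in allowed:
            verdict = "ALLOWED"
        elif "*" in allowed:
            verdict = "ALLOWED_BY_WILDCARD"  # the account may act as any user
        else:
            verdict = "DENIED"
        report[login] = (name, verdict)
    return report

# Constructed sample data (not from a real deployment).
USERS = {"alice": {"XXXUserName": "alice_dw"},
         "bob": {"XXXUserName": "bob_dw"},
         "carol": {}}
PROXY_CONFIG = "zoomdata_svc=alice_dw;etl=*"

if __name__ == "__main__":
    result = audit("User.XXXUserName", "zoomdata_svc", PROXY_CONFIG, USERS)
    for login, (name, verdict) in result.items():
        print(f"{login:6} -> {name!s:10} {verdict}")
```

A wildcard verdict deserves review: the connection's single set of credentials can then run queries as any data store user, so the custom attribute values become the only control on whose identity is used.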