Apply User Delegation to a Connection

Applying user delegation to a Composer data source connection definition involves setting the Do As User parameter in the connection definition and setting up proxy user features in your data store. The data store or Composer can use any authentication mechanism (Kerberos or LDAP) and any group mapping method (file system or LDAP-based), as long as the data store configuration grants the appropriate delegation authorizations to the user name assigned to the Do As User connector parameter.

The supervisor enables user delegation via a custom user attribute. Administrators apply user delegation to the data connection definition for a data source.

User delegation processing is depicted in the following diagram.

User delegation occurs in this manner:

  1. The Composer supervisor or administrator assigns an LDAP attribute (for example, cn, sAMAccountName, or name) to a Composer custom user attribute. Your data store administrator should provide the attribute to use. The only requirement is that the attribute must match the configuration in Sentry. See Enable User Delegation.

    The Composer custom user attribute is referenced by its name, prefaced by the word User. For example, if your Composer custom user attribute is named XXXUserName, you would reference it as User.XXXUserName.

  2. The Composer administrator references the custom user attribute in the appropriate data source connection definition using the connection's Do As User box. For example:

    See Connection Tab for information about the Connection tab in the data source connection definition.

  3. When a user submits a query using the data source, the Composer connector sends the user identified by the Do As User parameter (or as interpreted by the setting in that parameter) to the data store when it connects on behalf of the query.

    Assuming user proxy (user delegation) features are set up properly on the data store, the data store runs the query on behalf of the user. For information on setting up user proxy, user impersonation, or user delegation features in each data store, see the following links.

    Data Store User Proxy Setup Links
    Apache Drill
    Cloudera Impala
    Cloudera Search
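
The delegation decision in step 3 is made by the data store, so the proxy-user rules there are what limit which users the connector can act as. The following is an added example, not Composer or data store code: a simplified model of that check using the rule format of Impala's `--authorized_proxy_user_config` startup flag, plus an audit for wildcard rules. The account names (`composer_svc`, `etl_svc`, `alice`, `bob`) and the assumption that the connector logs in as `composer_svc` are constructed for illustration.

```python
# Added example: models the data store's proxy-user authorization decision.
# The rule string follows the format of Impala's --authorized_proxy_user_config
# startup flag: "svc1=userA,userB;svc2=*". All account names are constructed.

def parse_proxy_config(value, user_delim=","):
    """Return {proxy_account: set_of_users_it_may_impersonate}."""
    rules = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        proxy, sep, users = entry.partition("=")
        if not sep or not proxy.strip():
            raise ValueError(f"malformed proxy rule: {entry!r}")
        allowed = {u.strip() for u in users.split(user_delim) if u.strip()}
        rules.setdefault(proxy.strip(), set()).update(allowed)
    return rules

def may_delegate(rules, proxy_account, do_as_user):
    """True if proxy_account is authorized to run queries as do_as_user."""
    if not do_as_user:  # custom attribute resolved to nothing: deny
        return False
    allowed = rules.get(proxy_account, set())
    return "*" in allowed or do_as_user in allowed

def audit(rules):
    """Findings a reviewer would want: wildcard or empty delegation lists."""
    findings = []
    for proxy, allowed in sorted(rules.items()):
        if "*" in allowed:
            findings.append(f"{proxy}: may impersonate ANY user (wildcard)")
        elif not allowed:
            findings.append(f"{proxy}: rule present but no users listed")
    return findings

# Constructed sample: 'composer_svc' is assumed to be the connector's login.
SAMPLE = "composer_svc=alice,bob; etl_svc=*"

if __name__ == "__main__":
    rules = parse_proxy_config(SAMPLE)
    for user in ("alice", "mallory", ""):
        allowed = may_delegate(rules, "composer_svc", user)
        print(f"composer_svc -> {user!r}: {allowed}")
    print("\n".join(audit(rules)))
```

An explicit user list keeps a compromised or misconfigured connector account from running queries as arbitrary data store users, which a wildcard rule would permit.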