2

I'm setting up Superset (0.36.0) in production mode (with Gunicorn), and I would like to set up impersonation while running Impala queries on my Kerberized cluster, so that each user of Superset has privileges on tables/databases like he has on Hive/Hue/HDFS. I've tried to set "Impersonate the logged on user" to true in my database config, but it's not changing the user that is running the query; it's always using the celery-worker user.

My database config is:

[Screenshots: top of database config; end of database config]

Extras:

{
    "metadata_params": {},
    "engine_params": {
        "connect_args": {
            "port": 21050,
            "use_ssl": "True",
            "ca_cert": "/path/to/my/cert.pem",
            "auth_mechanism": "GSSAPI"
        }
    },
    "metadata_cache_timeout": {},
    "schemas_allowed_for_csv_upload": []
}

My query summary in Cloudera Manager (5.13):

[Screenshot: query in CM]

How can I enable impersonation correctly in my Superset? Maybe there is something related to the config impala.doas.user in the HiveServer2 connection, but I don't know how to configure this properly.

TylerH
guilherme0170

1 Answer

0

I faced the same issue and I was able to get it working for Hive. The issue seems to be in the file hive.py located under the path ${YOUR_INSTALLATION_PATH}/superset/db_engine_specs.

If you just comment out line 435, it should work. Unfortunately, I don't understand Python well enough to tell you the exact reason. I found this by brute force, by running the source code and putting in log statements.

if (
    backend_name == "hive"
    # comment this line
    # and "auth" in url.query.keys()
    and impersonate_user is True
    and username is not None
):
    configuration["hive.server2.proxy.user"] = username
return configuration

Alternatively, if you do not want to modify the source code, you can modify the URL while creating the data source in Superset as:

hive://<url>/default?auth=NONE    (when there is no security)
hive://<url>/default?auth=KERBEROS
hive://<url>/default?auth=LDAP
TylerH
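An added example (not part of the answer and not Superset's own code): a standard-library re-implementation of the condition quoted in the answer, reporting which clause keeps hive.server2.proxy.user from being set for a given connection URI. The host names, the user alice and the impala:// URI are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs


def blockers(uri, impersonate_user, username):
    """List the clauses of the quoted condition that fail for this URI."""
    parts = urlsplit(uri)
    # "hive+pyhive" -> "hive", same idea as a backend name without the driver
    backend = parts.scheme.split("+", 1)[0]
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if backend != "hive":
        reasons.append("backend is %r, not 'hive'" % backend)
    if "auth" not in query:
        reasons.append("no auth= parameter in the URL query")
    if impersonate_user is not True:
        reasons.append("impersonation flag is not enabled")
    if username is None:
        reasons.append("no logged-in username")
    return reasons


def impersonation_config(uri, impersonate_user, username):
    """Return the session configuration the quoted condition would produce."""
    if blockers(uri, impersonate_user, username):
        return {}
    return {"hive.server2.proxy.user": username}


# Constructed sample URIs (hypothetical hosts), not taken from the page.
SAMPLES = [
    "impala://impalad.example.com:21050/default",
    "hive://hs2.example.com:10000/default",
    "hive://hs2.example.com:10000/default?auth=KERBEROS",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        cfg = impersonation_config(uri, True, "alice")
        why = blockers(uri, True, "alice")
        print(uri, "->", cfg if cfg else "no proxy user: " + "; ".join(why))
```

Under the quoted condition, a non-Hive backend never receives the proxy-user setting, whether or not auth= is present in the URL.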