如何理解Proxy user(包括proxy、impersonation和常见的Proxy use case)
官方文档的一些configurations及相应解释
帮助理解的两个博客:
hadoop的用户代理机制
HDFS-- Hadoop中的ProxyUser
有了上面的前置知识,接下来,我们开始理解下面这段话:
Hive 的运行依赖于 Hadoop ( HDFS 、 MapReduce 、 YARN 都依赖),同时涉及到 HDFS 文件系统的访问
所以需要配置 Hadoop 的代理用户,即设置 hadoop 用户允许代理(模拟)其它用户
即需要配置如下内容在 Hadoop 的 core-site.xml 中,并分发到其它节点,且重启 HDFS 集群
# hadoop.proxyuser.hadoop.hosts第2个hadoop可以替代成你信任的并想将其设置为proxy user的用户
<property>
<name>hadoop.proxyuser.hadoop.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hadoop.groups</name>
<value>*</value>
</property>
下面这几段话解决了我的困惑(即为什么明明是Hive存在与Hadoop的依赖和交互,照理说应该配置的HIve的Proxy,但是实际上配置的却是Hadoop):
Configuring a proxy user in Hadoop allows Hive to impersonate or act
on behalf of other users when accessing HDFS (Hadoop Distributed File
System). However, this doesn’t mean that Hive itself inherently has
the capability to directly impersonate other users. Instead, Hive
leverages the proxy user settings configured in Hadoop to achieve this
functionality.When a user submits a query or job to Hive, Hive interacts with Hadoop
components such as HDFS, MapReduce, or YARN on behalf of that user.
Hive uses the configured proxy user in Hadoop to authenticate and
execute actions on behalf of the user who submitted the query. This
ensures that the user’s permissions and access controls are respected
when accessing data stored in HDFS or executing tasks on the Hadoop
cluster.In summary, while Hive doesn’t have its own built-in capability to
directly impersonate other users, it can utilize the proxy user
configuration in Hadoop to achieve user impersonation for accessing
HDFS or performing tasks within the Hadoop ecosystem.
简单说,就是当一个在上述配置文件中的user(针对上述配置文件来说,是任意user),试图利用Hive去和Hadoop产生交互时(例如对HDFS中的表进行查询),Hive就会利用proxy user(针对上述配置文件来说,是hadoop)来impersonate或act on behalf of 这个user来实现和Hadoop的交互,而无需作为这些用户进行身份验证。
proxy user’features
- 值得信赖的;少;无需身份验证
- 要去模拟或代表其他用户的
