Vikas Hardia

Reputation: 2695

Need for disabling HiveServer2 impersonation for Sentry

I have configured Hive authorization through Sentry and made all the needed changes. One of the changes is to disable HiveServer2 impersonation by setting the property below:

hive.server2.enable.doAs to false

This is a mandatory requirement for Sentry, as mentioned in the Cloudera doc here. So what is the need for doing that, as it is a very standard requirement with respect to BI tools, where one user will be launching the application and that will be impersonating the logged-in user? Please let me know if there is some aspect which I am missing due to which this restriction is needed.

Upvotes: 0

Views: 1232

Answers (1)

K. Davis

Reputation: 46

Impersonation turned off in this case suggests that the query will run as the hive user. In fact, the underlying HDFS directory within the Hive warehouse managing the table(s) for this query will be owned by the hive user. However, an Access Control List (ACL) will entitle the 'real' user to perform read, write, and/or execute operations against the underlying HDFS file. Also, the 'real' user will be entitled to operations against the table or columns within the table. The ACLs and the table/column entitlements constitute what's called the Sentry policy. Since that policy is in place as part of the Hive query execution, there is no need to impersonate the 'real' user. Consider the Sentry policy file to be an RBAC (i.e. role-based access control) permission set. With those permissions in place, impersonation is not needed.

Upvotes: 1
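
Added example (not part of the question or the answer above, and not Cloudera's code): a small check that reads hive-site.xml text and reports the effective value of hive.server2.enable.doAs, including the case where the property is absent and Hive's default of true applies. The sample XML fragments are constructed, and the check assumes the last definition in the file wins (final markers are not modelled).

```python
import xml.etree.ElementTree as ET

DOAS = "hive.server2.enable.doAs"

# Constructed sample hive-site.xml fragments (not taken from a real cluster).
IMPERSONATING = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""

SENTRY_READY = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value> FALSE </value></property>
</configuration>"""

PROPERTY_MISSING = """<configuration>
  <property><name>hive.metastore.warehouse.dir</name><value>/user/hive/warehouse</value></property>
</configuration>"""


def effective_doas(hive_site_xml: str) -> bool:
    """Return the effective impersonation setting from hive-site.xml text."""
    root = ET.fromstring(hive_site_xml)
    value = None  # None means the property is not set in this file
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == DOAS:
            # Assumption: a later definition overrides an earlier one.
            value = (prop.findtext("value") or "").strip()
    # Hive defaults this property to true, so a missing, empty or
    # unparseable value still leaves impersonation switched on.
    return value is None or value.lower() != "false"


def sentry_doas_check(hive_site_xml: str) -> str:
    """Describe who queries run as, following the model in the answer above."""
    if effective_doas(hive_site_xml):
        return "FAIL: queries run as the connecting user; Sentry requires doAs=false"
    return "OK: queries run as the hive user; access is decided by the Sentry policy"


if __name__ == "__main__":
    for label, xml_text in [("impersonating", IMPERSONATING),
                            ("sentry-ready", SENTRY_READY),
                            ("property missing", PROPERTY_MISSING)]:
        print(f"{label:17} {sentry_doas_check(xml_text)}")
```

The "property missing" case is the one to watch for: leaving the property out of hive-site.xml does not disable impersonation.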
