How to Use the Impersonation Feature on MapR-FS

Blog Post created by maprcommunity Employee on Dec 14, 2016

by Harish Thakkallapally


In this article, I am going to show you how to use the MapR-FS impersonation feature to create and access a file in MapR-FS. In this example, we will run a Java program as the “mapr” superuser that will run operations on behalf of the “user01” user.

Impersonation, also known as identity assertion, is one user (e.g., “mapr”) accessing data and submitting jobs on behalf of another user (e.g., “user01”). This ensures that users can interact with any service and only get access to data for which they are authorized, even if that service is run by a different user. Impersonation in MapR allows centralized control of access to resources in MapR-FS, MapR-DB, MapReduce, and ecosystem components/frameworks.

Enabling impersonation for the mapr superuser:

    1. Log on to one of the cluster nodes as the “mapr” user (superuser).
    2. Open the /opt/mapr/hadoop/hadoop-<version>/etc/hadoop/core-site.xml file.
    3. Add the following properties if they are not already available:

      The hosts setting (*) allows the “mapr” superuser to connect from any host to impersonate a user.
      The groups setting (*) allows the “mapr” superuser to impersonate users from any group.
    4. Set the MAPR_IMPERSONATION_ENABLED environment variable to 1 or true.
    5. The full Java program that shows how impersonation works is displayed below:
      /* Copyright (c) 2009 & onwards. MapR Tech, Inc., All rights reserved */

      import org.apache.hadoop.fs.*;
      import org.apache.hadoop.conf.*;
      import org.apache.hadoop.security.UserGroupInformation;
      import java.io.IOException;
      import java.security.PrivilegedExceptionAction;

      /**
       * Assumes mapr installed in /opt/mapr
       * In order to see how impersonation works, run this program as mapr user.
       *
       */
      public class ImpersonationTest {
        public static void main(final String args[]) throws IOException,
            InterruptedException {
          if (args.length != 1) {
            System.out.println("usage: ImpersonationTest pathname");
            return;
          }
          System.out.println("User running the application is : "
              + UserGroupInformation.getCurrentUser());

          // Create proxy user for "user01"
          UserGroupInformation ugi = UserGroupInformation.createProxyUser("user01",
              UserGroupInformation.getCurrentUser());
          // Run the file system commands as "user01"
          ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() {
              runFsCommand(args);
              return null;
            }
          });
        }

        public static void runFsCommand(String args[]) {
          // maprfs:/// -> uses the first entry in /opt/mapr/conf/mapr-clusters.conf
          // maprfs:///mapr/
          // /mapr/
          try {
            byte buf[] = new byte[65 * 1024];
            int ac = 0;
            String dirname = args[ac++];
            Configuration conf = new Configuration();
            // if wanting to use a different cluster
            //FileSystem fs = FileSystem.get(URI.create(uri), conf);
            FileSystem fs = FileSystem.get(conf);
            Path dirpath = new Path(dirname + "/dir");
            Path wfilepath = new Path(dirname + "/file.w");
            Path rfilepath = wfilepath;
            // try mkdir
            boolean res = fs.mkdirs(dirpath);
            if (!res) {
              System.out.println("mkdir failed, path: " + dirpath);
              return;
            }
            System.out.println("mkdir( " + dirpath + ") went ok, now writing file");
            // create wfile
            FSDataOutputStream ostr = fs.create(wfilepath,
                true, // overwrite
                512, // buffersize
                (short) 1, // replication
                (long) (64 * 1024 * 1024) // chunksize
            );
            ostr.write(buf);
            ostr.close();
            System.out.println("write( " + wfilepath + ") went ok");
            // read rfile: open the file that was just written, then close it
            System.out.println("reading file: " + rfilepath);
            FSDataInputStream istr = fs.open(rfilepath);
            istr.close();
            System.out.println("Read ok");
          } catch (Exception e) {
            e.printStackTrace();
          }
        }
      }
    6. Impersonation is achieved by the following code block:
      // Create proxy user for "user01"
      UserGroupInformation ugi = UserGroupInformation.createProxyUser("user01",
          UserGroupInformation.getCurrentUser());
      // Run the file system commands as "user01"
      ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() {
          runFsCommand(args);
          return null;
        }
      });
      In this block, UserGroupInformation.getCurrentUser() returns the “mapr” user who is running the Java application, and “user01” is the user to be impersonated. The UserGroupInformation.createProxyUser method creates a proxy user for “user01” backed by the UserGroupInformation of the real user (“mapr”). The ugi.doAs() block runs the runFsCommand(args) action as “user01”. Once the program runs successfully, the “/user/user01/dir” directory and “/user/user01/file.w” file are created with “user01” permissions even though the application was run as the “mapr” user.


    7. Compile and run.
      javac -cp $(hadoop classpath) ImpersonationTest.java
      java -cp .:$(hadoop classpath) ImpersonationTest /user/user01

    8. Sample output is shown below. From the output, you can see we were able to create the directory and file with “user01” permissions because of impersonation.
    9. The following Hadoop command shows the permissions for the dir and file, and both of them will have user permissions of “user01.”


Impersonation is an important feature that is required for any environment with sensitive data. Be sure to use it whenever you need to run programs or services as one user (typically the superuser), but want to restrict data access to the user making the actual request.
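
With both proxy-user settings from step 3 left at `*`, “mapr” may impersonate any user from any host, so it is worth checking which scopes are still wildcards. The following is an added example, not code from the original post: it reads core-site.xml text and reports wildcard scopes, using the standard Hadoop `hadoop.proxyuser.<user>.hosts` and `hadoop.proxyuser.<user>.groups` property names; the host and group values in the second sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wide-open values described in step 3 for "mapr".
WILDCARD_SITE = """<configuration>
  <property><name>hadoop.proxyuser.mapr.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.mapr.groups</name><value>*</value></property>
</configuration>"""

# Constructed sample: same superuser, scoped to placeholder hosts and one group.
SCOPED_SITE = """<configuration>
  <property><name>hadoop.proxyuser.mapr.hosts</name>
    <value>gw1.example.com, gw2.example.com</value></property>
  <property><name>hadoop.proxyuser.mapr.groups</name><value>analysts</value></property>
  <property><name>fs.defaultFS</name><value>maprfs:///</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."
SCOPES = ("hosts", "groups")


def proxyuser_rules(core_site_xml):
    """Return {superuser: {"hosts": [...], "groups": [...]}} from core-site.xml text."""
    rules = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue  # unrelated property, e.g. fs.defaultFS
        user, _, scope = name[len(PREFIX):].rpartition(".")
        if user and scope in SCOPES:
            entries = [v.strip() for v in value.split(",") if v.strip()]
            rules.setdefault(user, {})[scope] = entries
    return rules


def wildcard_scopes(core_site_xml):
    """Return (superuser, scope) pairs whose value list contains '*'."""
    return [(user, scope)
            for user, scopes in sorted(proxyuser_rules(core_site_xml).items())
            for scope in SCOPES
            if "*" in scopes.get(scope, [])]


if __name__ == "__main__":
    for label, xml in (("wildcard", WILDCARD_SITE), ("scoped", SCOPED_SITE)):
        print(label, "->", wildcard_scopes(xml) or "no wildcard scopes")
```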

In this blog post, you learned how to use the MapR-FS impersonation feature to create and access a file in MapR-FS. If you have any further questions regarding MapR-FS, please ask them in the comments section below.

To learn more, please take a look at the official product documentation:

Content Originally posted in MapR Converge Blog post, visit here
