The authorized_proxy_user_config takes a map of user->doAsUser* - i.e. user is allowed to impersonate any users in the list of doAsUsers.
For enterprise deployments, this would be better specified as a list of groups, rather than a a list of users:
When accepting a query, Impala will check that the doAs user is a member of any of the list of groups specified for the connecting user.
HiveServer2 does this via Hadoop-level proxy user privileges (e.g.