When clients connect over HTTP, we should allow them to perform impersonation via the 'doAs' parameter, e.g. by specifying a path of the form '/?doAs=<username>'.
This is useful, for example, for Apache Knox, which proxies connections to Impala and authenticates as itself via Kerberos but runs queries as other users.
We can leverage the existing support for impersonation, e.g. Knox would have to be included in 'authorized_proxy_user_config' to be able to do the impersonation.
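
A model of the server-side check described above, written as an added example and not taken from Impala's code base. It assumes the `proxy=user1,user2;other=*` value format for 'authorized_proxy_user_config' and that the Kerberos principal is reduced to its short name before lookup; the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs


def parse_proxy_config(config, delimiter=","):
    """Parse 'proxy=user1,user2;other=*' into {proxy: {users}} (assumed format)."""
    table = {}
    for entry in (e.strip() for e in config.split(";")):
        if not entry:
            continue
        proxy, sep, users = entry.partition("=")
        if not sep or not proxy.strip():
            raise ValueError(f"malformed proxy entry: {entry!r}")
        table[proxy.strip()] = {u.strip() for u in users.split(delimiter) if u.strip()}
    return table


def short_name(principal):
    """Reduce 'knox/host@REALM' to 'knox' (simplified; no auth_to_local rules)."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def effective_user(principal, request_path, proxy_table):
    """Return the user a request runs as, or raise PermissionError.

    `principal` is the identity already authenticated via Kerberos; the
    doAs value is untrusted input and never grants anything by itself.
    """
    auth_user = short_name(principal)
    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    values = query.get("doAs", [])
    if not values:
        return auth_user  # no impersonation requested
    if len(values) != 1 or not values[0]:
        # Fail closed on repeated or empty parameters instead of guessing.
        raise PermissionError("ambiguous or empty doAs parameter")
    do_as = values[0]
    allowed = proxy_table.get(auth_user, set())
    if "*" in allowed or do_as in allowed:
        return do_as
    raise PermissionError(f"{auth_user!r} is not authorized to impersonate {do_as!r}")


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    table = parse_proxy_config("knox=alice,bob;hue=*")
    print(effective_user("knox/gw.example.com@EXAMPLE.COM", "/?doAs=alice", table))
    print(effective_user("knox/gw.example.com@EXAMPLE.COM", "/", table))
```

Logging both the authenticated principal and the effective user on every request keeps the audit trail usable when a proxy such as Knox fronts many end users.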