Configuring ACLs

You need to configure access control lists (ACLs) for the Impala service user, which needs to use the cmroot directory. The configuration varies according to the encryption zones in the source cluster.

The configuration method depends on the number of encryption zones in the source cluster:
  • One encryption zone or no encryption zone
  • Multiple encryption zones

One encryption zone or no encryption zone

When the source cluster has only one encryption zone or no encryption zone, you can run the commands shown in this procedure to give the Impala user access to the cmroot directory. Alternatively, if the hive group has the required ACLs/permissions, you can add impala to the hive group.
  1. Set permissions for a group named hive in an ACL.
    hdfs dfs -setfacl -m default:group:hive:rwx [***CMROOT PATH IN hive.repl.cmrootdir***]
  2. Set permissions for a user named impala in an ACL.
    hdfs dfs -setfacl -m user:impala:rwx [***CMROOT PATH IN hive.repl.cmrootdir***]

Multiple encryption zones

When there are multiple encryption zones in the source cluster, you need to manually configure the file access control lists for Impala users for each encryption zone. In each encryption zone, a cmroot directory is available in the root of the encryption zone.
  1. Set permissions for a group named hive.
    hdfs dfs -setfacl -m default:group:hive:rwx [***ENCRYPTION ZONE PATH or VALUE OF hive.repl.cm.encryptionzone.rootdir***]
  2. Set permissions for a user named impala.
    hdfs dfs -setfacl -m user:impala:rwx [***ENCRYPTION ZONE PATH or VALUE OF hive.repl.cm.encryptionzone.rootdir***]
  3. Set the permissions on the cmroot directory for two encryption zones, starting with the first zone: /user/hive/encr1.
    hdfs dfs -setfacl -m default:group:hive:rwx /user/hive/encr1/.cmroot
    hdfs dfs -setfacl -m user:impala:rwx /user/hive/encr1/.cmroot
    The default value of hive.repl.cm.encryptionzone.rootdir is .cmroot.
  4. Set permissions on the cmroot directory for the second encryption zone: /user/hive/encr2.
    hdfs dfs -setfacl -m default:group:hive:rwx /user/hive/encr2/.cmroot
    hdfs dfs -setfacl -m user:impala:rwx /user/hive/encr2/.cmroot
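To confirm that the entries set in the steps above are in place and are not narrowed by the ACL mask, you can audit the output of hdfs dfs -getfacl. The following is an added example, not part of the original procedure; the function names check_cmroot_acl, audit_zones and sample_masked are hypothetical, and the script assumes each zone uses the default .cmroot directory name.

```sh
# Added example (not from the original page): verify the ACL entries
# granted in the procedure above on each cmroot directory.

# Reads `hdfs dfs -getfacl <dir>` output on stdin. Returns 0 only when both
# entries from the procedure are present with full rwx effective permissions.
check_cmroot_acl() {
    awk '
        {
            entry = $1
            # getfacl appends "#effective:<perm>" when the mask reduces an entry.
            masked = ($0 ~ /#effective:/)
        }
        entry == "user:impala:rwx"        { user_ok  = !masked }
        entry == "default:group:hive:rwx" { group_ok = !masked }
        END {
            if (!user_ok)  print "FAIL user:impala:rwx missing or masked"
            if (!group_ok) print "FAIL default:group:hive:rwx missing or masked"
            exit !(user_ok && group_ok)
        }'
}

# Checks <zone>/.cmroot for every encryption zone path given as an argument.
# Assumes hive.repl.cm.encryptionzone.rootdir is left at its default, .cmroot.
audit_zones() {
    rc=0
    for zone in "$@"; do
        dir="$zone/.cmroot"
        if hdfs dfs -getfacl "$dir" | check_cmroot_acl; then
            echo "OK   $dir"
        else
            echo "FAIL $dir"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not captured from a real cluster): the impala entry
# exists but the mask limits it to r-x, so the check must fail.
sample_masked() {
    printf 'user:impala:rwx\t#effective:r-x\nmask::r-x\ndefault:group:hive:rwx\n'
}

# On a cluster node: audit_zones /user/hive/encr1 /user/hive/encr2
```

For a cluster with one encryption zone or none, pipe the getfacl output for the hive.repl.cmrootdir path directly into check_cmroot_acl.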