Configure file access control lists for Impala user
Before you create Hive ACID table replication policies, you need to configure the file access control lists for an Impala user to access the cmroot directory based on whether the source cluster has one encryption zone, multiple encryption zones, or no encryption zone.
One encryption zone or no encryption zone
When the source cluster has only one encryption zone or no encryption zone,
you can run the following commands to provide the Impala user access to
cmroot directory:
- hdfs dfs -setfacl -m default:group:hive:rwx [***CMROOT PATH IN hive.repl.cmrootdir***]
- hdfs dfs -setfacl -m user:impala:rwx [***CMROOT PATH IN hive.repl.cmrootdir***]
Multiple encryption zones
When there are multiple encryption zones in the source cluster, you must manually configure the file access control lists for Impala users for each encryption zone. In each encryption zone, a cmroot directory is available in the root of the encryption zone.
Run the following commands to set the file access control list for the user
and group:
- hdfs dfs -setfacl -m default:group:hive:rwx [***ENCRYPTION ZONE PATH or VALUE OF hive.repl.cm.encryptionzone.rootdir***]
- hdfs dfs -setfacl -m user:impala:rwx [***ENCRYPTION ZONE PATH or VALUE OF hive.repl.cm.encryptionzone.rootdir***]
For example, if the first encryption zone is
/user/hive/encr1 and the other encryption zone is
/user/hive/encr2, you must provide permissions for both the
encryption zones. To provide the required permissions, perform the following
steps:
- Run the following commands to provide access permissions to the
cmroot directory in the first encryption
zone:
hdfs dfs -setfacl -m default:group:hive:rwx /user/hive/encr1/.cmroot hdfs dfs -setfacl -m user:impala:rwx /user/hive/encr1/.cmroot - Run the following commands to provide access permissions to the
cmroot directory in the second encryption
zone:
hdfs dfs -setfacl -m default:group:hive:rwx /user/hive/encr2/.cmroot hdfs dfs -setfacl -m user:impala:rwx /user/hive/encr2/.cmroot
