Export All failure in secured multi-tenant clusters

The Export All feature now follows tenant boundaries and cluster security policies in secured multi-tenant environments. However, certain architectural limitations remain when using Impala or when existing directory permissions are in effect.

Impala export fails when targeting arbitrary locations

Condition

Export operations using Impala fail when the target directory is outside the source database.

Cause

When tenant colocation is enabled, Impala exports use a CREATE TABLE AS SELECT approach that creates an external table. The external table must comply with tenant colocation rules and therefore must reside within the source database’s warehouse directory. This is an architectural constraint of Hive and Impala.

Solution

  1. Use Hive for exports to arbitrary locations.
  2. When using Impala, export to a subdirectory within the source database warehouse directory.
  3. Configure appropriate access control policies to allow required export paths within tenant boundaries.
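The location rule above can be checked before an export is submitted. The following is an added example, not part of the product or its documentation: a pre-flight check that a target is a strict subdirectory of the source database's warehouse directory and falls back to Hive otherwise. The DB_DIR value, the sample targets and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample value; substitute the real warehouse directory of the source database.
DB_DIR = "hdfs://ns1/warehouse/tablespace/external/hive/sales.db"


def split_location(uri):
    """Return (scheme, authority, normalized absolute path) for a URI or bare path."""
    parts = urlsplit(uri)
    if not parts.path.startswith("/"):
        raise ValueError(f"location must use an absolute path: {uri!r}")
    # normpath resolves '.' and '..' segments; POSIX keeps a leading '//', so collapse it.
    path = "/" + posixpath.normpath(parts.path).lstrip("/")
    return parts.scheme.lower(), parts.netloc.lower(), path


def is_within_db_dir(target, db_dir=DB_DIR):
    """True only if target is a strict subdirectory of the database directory."""
    t_scheme, t_auth, t_path = split_location(target)
    d_scheme, d_auth, d_path = split_location(db_dir)
    # Assumption: a bare path refers to the same filesystem as db_dir.
    if (t_scheme or t_auth) and (t_scheme, t_auth) != (d_scheme, d_auth):
        return False
    if d_path == "/":
        return False  # never treat the filesystem root as a database directory
    # Compare on a segment boundary so 'sales.db_tmp' does not match 'sales.db'.
    return t_path.startswith(d_path + "/")


def choose_engine(target, db_dir=DB_DIR):
    """Impala only for targets inside the database directory, otherwise Hive."""
    return "impala" if is_within_db_dir(target, db_dir) else "hive"


if __name__ == "__main__":
    for target in (
        DB_DIR + "/exports/q1",
        DB_DIR + "/../finance.db/exports",
        DB_DIR + "_tmp/exports",
        "s3a://example-bucket/exports",
    ):
        print(f"{choose_engine(target):6}  {target}")
```

The check is lexical only: it does not resolve symbolic links or evaluate access control policies, which the cluster still enforces when the export runs.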

Exported files not accessible in Hue file browser

Condition

Exported files are not readable through the Hue file browser.

Cause

Files created through Impala exports are owned by the Impala service user.

Solution

  1. Use Hive for exports. Hive exports use doAs, which creates files owned by the end user.
  2. Configure appropriate directory permissions or access control policies to allow user access to exported files.
