Setting up secure access mode

You see how to set up a staging location for temporarily storing Hive files that users need to read from Spark.

In the following procedure, you set up a staging location for temporarily storing Hive files that users read from Spark. First, as the file system administrator, you grant -wt access on the parent directory to set up the following access and restrictions:
  • Users can traverse the directories to reach the staging location and create their own subdirectories.
  • Users cannot delete or rename the directories of others.
Next, as administrator, you also set up Ranger policies on files and directories in the staging location. You set up file system permissions. These policies secure managed, ACID, as well as external tables. Finally, you launch the spark shell, configure secure access mode, and create external tables in staging location.
  • You obtained privileges to set user permissions on the staging directory and files.
  1. In Cloudera Manager, click Hive on Tez > Configuration, search for hive.server2.enable.doAs, and, if necessary, clear the selection to disable.
    This step is required by Hive for managing ACID tables.
  2. On the file system of your CDP cluster, grant -wt access to users.
    For example:
    sudo -u hdfs hdfs dfs -chmod 1703 /tmp/staging
    sudo -u hdfs hdfs dfs -chmod 1703 /tmp/staging/hwc
    sudo -u hdfs hdfs dfs -chmod 1703 /tmp/staging/hwc/*
  3. In Ranger, log into the Ranger Admin UI, and in Service Manager locate HDFS, and then click the service name, for example, cm_hdfs.cm_hdfs.
  4. Click Add New Policy, and specify the deepest path to files in the staging directory.
    For example, in Resource Path, enter the following path:
    /tmp/staging/hwc/*/{USER}
  5. In Allow Conditions, in Select User, select {USER} and read, write, and execute permissions.
    The Spark session users must have access to the staging location. This action sets a single Ranger policy for all users.
  6. Click Add New Policy again to add another HDFS policy that grants the hive user additional privileges: read, write, and execute on the staging path.
    For example, in Resource Path, enter the following staging path:
    /tmp/staging/hwc
  7. In Allow Conditions, in Select User, select hive and read, write, execute permissions.