Cloudera Docs

Set Storage Engine ACLs

You must be aware of the steps to set ACLs for Impala to allow Impala to write to the Hive Warehouse Directory.

After migration, the (hive.metastore.warehouse.dir) is set to /user/hive/warehouse where the Impala managed tables are located. When the Impala workload is migrated from CDH to CDP, the ACL settings are automatically set for the default warehouse directories. If you changed the default location of the warehouse directories after migrating to CDP then follow the steps to allow Impala to write to the Hive Warehouse Directory.

Complete the initial configurations in the free-form fields on the Hive/Impala Configuration pages in Cloudera Manager to allow Impala to write to the Hive Warehouse Directory.

  1. Set Up Impala User ACLs using the Impala Configuration page
    1. Impala > Action Menu > Set the Impala user ACLs on warehouse directory
    2. Impala > Action Menu > Set the Impala user ACLs on external warehouse directory
      Set impala user acls
  2. Cloudera Manager sets the ACL for the user "Impala". However before starting the Impala service, verify permissions and ACLs set on the individual database directories using the sub-commands getfacl and setfacl.
    1. Verify the ACLs of HDFS directories for managed and external tables using getfacl.
      Example:
      $ hdfs dfs -getfacl hdfs:///warehouse/tablespace/managed/hive
# file: hdfs:///warehouse/tablespace/managed/hive
# owner: hive
# group: hive
user::rwx
group::rwx
other::---
default:user::rwx
default:user:impala:rwx
default:group::rwx
default:mask::rwx
default:other::---
      $ hdfs dfs -getfacl hdfs:///warehouse/tablespace/external/hive
# file: hdfs:///warehouse/tablespace/external/hive
# owner: hive
# group: hive
# flags: --t
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:impala:rwx
default:group::rwx
default:mask::rwx
default:other::rwx
    2. If necessary, set the ACLs of HDFS directories using setfacl
      Example:
      $ hdfs dfs -setfacl hdfs:///warehouse/tablespace/managed/hive
$ hdfs dfs -setfacl hdfs:///warehouse/tablespace/external/hive
      For more information on using the sub-commands getfacl and setfacl, see Using CLI commands to create and list ACLs.
    3. The above examples show the user Impala as part of the Hive group. If in your setup, the user Impala does not belong to the group Hive then ensure that the Group user Impala belongs to has WRITE privileges assigned on the directory.
      To view the Group user Impala belongs to:
      $ id -Gn impala
uid=973(impala) gid=971(impala) groups=971(impala),972(hive)