
Managing Secure Write Space for HDFS Users

Audience: System Administrators

Content Summary: This guide details how to set up space in HDFS for Immuta users to write analytic outputs to. The objective of the write space is to provide a place that users can read and write to, but not expose to other users. This can be accomplished at both the user and group levels using Hadoop ACLs.

For more details on Hadoop ACLs, see the official documentation.

Configuration

Enable HDFS Access Control Lists in Cloudera Manager

See the official Cloudera Documentation for your version of CDH to complete this step.

Create Base Write Directory

The root of your secure write space and all of its subdirectories should be owned by hive:hive so that authorized users can reference their write space in Hive or Impala external tables.

hadoop fs -mkdir /immuta_scratch_space
hadoop fs -chown -R hive:hive /immuta_scratch_space

Create Write Space for a Group

If you wish to configure a write space for a group, follow the steps below to set the correct ACLs for this setup. Note that in this example, the data in /immuta_scratch_space/examplegroup will be readable only by members of the examplegroup group.

hadoop fs -mkdir /immuta_scratch_space/examplegroup
hadoop fs -setfacl -m other::--- /immuta_scratch_space/examplegroup
hadoop fs -setfacl -m group::rwx /immuta_scratch_space/examplegroup
hadoop fs -setfacl -m group:examplegroup:rwx /immuta_scratch_space/examplegroup

Create Write Space for a User

If you wish to configure a write space for an individual user, follow the steps below to set the correct ACLs for this setup. Note that in this example, the data in /immuta_scratch_space/exampleuser will be readable only by the exampleuser user.

hadoop fs -mkdir /immuta_scratch_space/exampleuser
hadoop fs -setfacl -m other::--- /immuta_scratch_space/exampleuser
hadoop fs -setfacl -m user::rwx /immuta_scratch_space/exampleuser
hadoop fs -setfacl -m group::rwx /immuta_scratch_space/exampleuser
hadoop fs -setfacl -m user:exampleuser:rwx /immuta_scratch_space/exampleuser
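After setting the ACLs in either the group or the user steps above, an administrator will want to confirm that the directory is actually closed to everyone except the intended principal. The following check is an added example and is not part of the original guide or of Immuta's tooling; it parses the text that `hadoop fs -getfacl` prints and fails if `other::` grants anything, if the mask strips the named entry's permissions, or if the named principal lacks rwx. The sample ACL output below is constructed to mirror the group example on this page.

```shell
#!/bin/sh
# Constructed sample of `hadoop fs -getfacl /immuta_scratch_space/examplegroup`
# output after the group steps above; not captured from a real cluster.
SAMPLE_ACL='# file: /immuta_scratch_space/examplegroup
# owner: hive
# group: hive
user::rwx
group::rwx
group:examplegroup:rwx
mask::rwx
other::---'

# Constructed counter-example: someone later ran `-m other::r-x`,
# which would expose the group's outputs to every cluster user.
SAMPLE_ACL_OPEN='# file: /immuta_scratch_space/examplegroup
# owner: hive
# group: hive
user::rwx
group::rwx
group:examplegroup:rwx
mask::rwx
other::r-x'

# check_write_space_acl ACL_TEXT PRINCIPAL
#   ACL_TEXT  - the full text printed by `hadoop fs -getfacl <dir>`
#   PRINCIPAL - "group:examplegroup" or "user:exampleuser"
# Returns 0 when the directory is locked down as the guide intends;
# otherwise prints the first failing condition and returns 1.
check_write_space_acl() {
    acl="$1"
    principal="$2"
    # 1. No world access at all.
    other=$(printf '%s\n' "$acl" | sed -n 's/^other::\(.*\)$/\1/p')
    [ "$other" = "---" ] || { echo "FAIL: other:: is '$other', expected ---"; return 1; }
    # 2. The mask caps named entries; if present it must not strip rwx.
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(.*\)$/\1/p')
    [ -z "$mask" ] || [ "$mask" = "rwx" ] || { echo "FAIL: mask '$mask' restricts named entries"; return 1; }
    # 3. The intended principal has full access via its named entry.
    named=$(printf '%s\n' "$acl" | sed -n "s/^${principal}:\(.*\)$/\1/p")
    [ "$named" = "rwx" ] || { echo "FAIL: $principal has '$named', expected rwx"; return 1; }
    echo "OK: $principal is the only non-owner principal with access"
    return 0
}

# Against a live cluster the call would be:
#   check_write_space_acl "$(hadoop fs -getfacl /immuta_scratch_space/examplegroup)" group:examplegroup
```

Run it for every write-space directory after provisioning and again after any `setfacl` change; a non-zero exit is the signal that the space has been opened wider than intended.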

Note for Sentry Users

If you are providing Hive or Impala write space to your Immuta users via Sentry object ownership, you will need to grant each relevant Sentry role access to the root of the write space URI in Sentry.

GRANT ALL ON URI hdfs://<namenode host>:<namenode port>/immuta_scratch_space TO ROLE examplerole;