
Cloudera Native Workspace Configuration

Audience: System Administrators

Content Summary: This page describes how to configure Native Workspaces for Immuta-enabled CDH clusters. The Native Workspace requires a CDH cluster with the Immuta parcel installed and configured. For more information about CDH deployments, please see the main installation guide.

Immuta Web Configuration

Native HDFS Workspace

  1. Navigate to the App Settings page in the Immuta Console.
  2. Select Native Workspace in the left sidebar.
  3. Select Add Workspace.
  4. For Workspace Type, select Cloudera.
  5. For Scheme, select hdfs.
  6. Fill out the modal, click Test Workspace Directory, and then save your changes.

Cloudera HDFS Workspace

Native S3 Workspace

  1. Navigate to the App Settings page in the Immuta Console.
  2. Select Native Workspace in the left sidebar.
  3. Select Add Workspace.
  4. For Workspace Type, select Cloudera.
  5. For Scheme, select s3a.
  6. Fill out the modal, click Test Workspace Directory, and then save your changes.

Cloudera S3 Workspace

Hive Configuration

If your workspace storage is located in S3, the AWS key pair configuration snippet below must be set in Hive Service Advanced Configuration Snippet (Safety Valve) for hive-site.xml. Note that the property names differ between CDH 5.x and CDH 6.x clusters.

<property>
    <!-- <name>fs.s3a.awsAccessKeyId</name> Use this property name for CDH 5.x clusters -->
    <name>fs.s3a.access.key</name>
    <value>(Your access key)</value>
</property>
<property>
    <!-- <name>fs.s3a.awsSecretAccessKey</name> Use this property name for CDH 5.x clusters -->
    <name>fs.s3a.secret.key</name>
    <value>(Your secret key)</value>
</property>

The Immuta System API Key configuration snippet below must be set in Hive Metastore Server Advanced Configuration Snippet (Safety Valve) for core-site.xml.

<property>
    <name>immuta.system.api.key</name>
    <value>(Your Immuta System API Key)</value>
</property>

The Immuta Group Mapping and Immuta System API Key configuration snippet below must be set in HiveServer2 Advanced Configuration Snippet (Safety Valve) for core-site.xml. For more information on Immuta Group Mapping configuration, see Enabling Immuta Group Mapping.

<property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.CompositeGroupsMapping</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.providers</name>
    <value>jni,immuta</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.providers.combined</name>
    <value>true</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.jni</name>
    <value>org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.immuta</name>
    <value>com.immuta.security.ImmutaGroupsMapping</value>
    <final>true</final>
</property>
<property>
    <name>immuta.system.api.key</name>
    <value>(Your Immuta System API Key)</value>
    <final>true</final>
</property>

Impala Configuration

The AWS key pair and Immuta System API Key configuration snippet below must be set in Impala Catalog Server Advanced Configuration Snippet (Safety Valve) for core-site.xml. Note that the property names may differ between CDH 5.x and CDH 6.x clusters.

<property>
    <!-- <name>fs.s3a.awsAccessKeyId</name> Use this property name for CDH 5.x clusters -->
    <name>fs.s3a.access.key</name>
    <value>(Your access key)</value>
</property>
<property>
    <!-- <name>fs.s3a.awsSecretAccessKey</name> Use this property name for CDH 5.x clusters -->
    <name>fs.s3a.secret.key</name>
    <value>(Your secret key)</value>
</property>
<property>
    <name>immuta.system.api.key</name>
    <value>(Your Immuta System API Key)</value>
</property>

The AWS key pair, Immuta System API Key, and Immuta Group Mapping configuration snippet below must be set in Impala Daemon Advanced Configuration Snippet (Safety Valve) for core-site.xml. For more information on Immuta Group Mapping configuration, see Enabling Immuta Group Mapping.

<property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.CompositeGroupsMapping</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.providers</name>
    <value>jni,immuta</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.providers.combined</name>
    <value>true</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.jni</name>
    <value>org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback</value>
    <final>true</final>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.immuta</name>
    <value>com.immuta.security.ImmutaGroupsMapping</value>
    <final>true</final>
</property>
<property>
    <name>immuta.system.api.key</name>
    <value>(Your Immuta System API Key)</value>
    <final>true</final>
</property>
<property>
    <!-- <name>fs.s3a.awsAccessKeyId</name> Use this property name for CDH 5.x clusters -->
    <name>fs.s3a.access.key</name>
    <value>(Your access key)</value>
</property>
<property>
    <!-- <name>fs.s3a.awsSecretAccessKey</name> Use this property name for CDH 5.x clusters -->
    <name>fs.s3a.secret.key</name>
    <value>(Your secret key)</value>
</property>
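
A pre-deployment check for the HiveServer2 and Impala Daemon core-site.xml snippets above. This is an added example, not Immuta or Cloudera code. It verifies that each group-mapping property has the value shown on this page and is marked final, and that the Immuta System API Key placeholder has been replaced. The function names and the sample snippet are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Expected values, copied from the group-mapping snippet on this page.
GM = "hadoop.security.group.mapping"
EXPECTED = {
    GM: "org.apache.hadoop.security.CompositeGroupsMapping",
    GM + ".providers": "jni,immuta",
    GM + ".providers.combined": "true",
    GM + ".provider.jni": "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback",
    GM + ".provider.immuta": "com.immuta.security.ImmutaGroupsMapping",
}

def parse_snippet(text):
    """Map name -> (value, is_final); wrap first, since a snippet has no root element."""
    root = ET.fromstring("<configuration>" + text + "</configuration>")
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        final = (prop.findtext("final") or "").strip().lower() == "true"
        props[name] = (value, final)
    return props

def check_snippet(text):
    """Return sorted findings; an empty list means the snippet matches the page."""
    props, findings = parse_snippet(text), []
    for name, expected in EXPECTED.items():
        value, final = props.get(name, (None, False))
        if value is None:
            findings.append("missing: " + name)
        elif value != expected:
            findings.append("unexpected value: " + name)
        elif not final:
            findings.append("not final: " + name)
    key, _ = props.get("immuta.system.api.key", ("", False))
    if not key or key.startswith("("):  # "(Your ...)" is this page's placeholder style
        findings.append("unset or placeholder: immuta.system.api.key")
    return sorted(findings)

# Constructed sample: immuta provider dropped, one <final> missing, placeholder key.
SAMPLE = """
<property><name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.CompositeGroupsMapping</value></property>
<property><name>hadoop.security.group.mapping.providers</name>
  <value>jni</value><final>true</final></property>
<property><name>immuta.system.api.key</name>
  <value>(Your Immuta System API Key)</value></property>
"""
print("\n".join(check_snippet(SAMPLE)))
```
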

Sentry Configuration

If you want users to be able to create derived data sources and/or native Hive or Impala tables within Immuta's native project workspaces, you will need to grant a Sentry admin role to the immuta user. This requires adding the immuta user to Admin Groups and Allowed Connecting Users under Sentry's configuration in Cloudera Manager.

You should also create a new Sentry role for immuta, with all privileges granted. Run the SQL snippet below in beeline or impala-shell as either the immuta user or as any user with Sentry admin privileges.

CREATE ROLE immuta;
GRANT ALL ON SERVER <server name> TO ROLE immuta WITH GRANT OPTION;
GRANT ROLE immuta TO GROUP immuta;

You will also need to enable the ImmutaGroupsMapping service in Hive and/or Impala's configuration to allow Immuta to manage Sentry permissions for Immuta users. For instructions on how to do this, please see Enabling ImmutaGroupsMapping.