https://community.cloudera.com/t5/Support-Questions/BDR-in-secured-cluster-Run-as-Username/m-p/55116#M47206 <P>The trick is to create a BDR specific user and add them to the hive or supergroup groups as relevant for hive or general hdfs backups. No facl or sticky bits are required.</P> Fri, 26 May 2017 13:28:45 GMT ScottE 2017-05-26T13:28:45Z https://community.cloudera.com/t5/Support-Questions/BDR-in-secured-cluster-Run-as-Username/m-p/54422#M47205 <P>I am attempting to configure a BDR backup from a secured (kerberos &amp; Sentry with HDFS permission synchronization enabled) CDH 5.9.0 cluster to S3. I can successfully use BDR to backup my own data (e.g. /users/myname) but now I want to backup some Hive/Impala data that is protected by Sentry. I am using HDFS rather than Hive replication (I don't believe this is material to the question).</P><P>&nbsp;</P><P>If I configure BDR to run using my own userid, which happens to have full access according to Sentry permissions this results in an AccessControlException</P><PRE>org.apache.hadoop.security.AccessControlException: Permission denied: user=myuser, access=READ, inode="/data":hive:hive:drwxrwx--x</PRE><P>&nbsp;</P><P>I would have thought that the fact that Sentry has been configured to synchronize HDFS permissions would have meant that I could run this.</P><P>&nbsp;</P><P>According to&nbsp;<A href="https://www.cloudera.com/documentation/enterprise/5-9-x/topics/cm_bdr_hive_replication.html" target="_blank">https://www.cloudera.com/documentation/enterprise/5-9-x/topics/cm_bdr_hive_replication.html</A> when Kerberos is in use it is necessary to use a user with an ID greater than 1000, so this rules out the hdfs and hive users.</P><P>&nbsp;</P><P>It also states that read and execute permissions are needed on the source cluster for BDR to operate.</P><P>&nbsp;</P><P>So if my user cannot be used this would&nbsp;means I need to create a BDR user account that has these permissions.</P><P>&nbsp;</P><P>The directories I want to back up are protected with Sentry, so as per&nbsp;<A href="https://www.cloudera.com/documentation/enterprise/5-9-x/topics/sg_sentry_service_config.html#concept_z5b_42s_p4__section_lvc_4g4_rp" target="_blank">https://www.cloudera.com/documentation/enterprise/5-9-x/topics/sg_sentry_service_config.html#concept_z5b_42s_p4__section_lvc_4g4_rp</A> these directories have permissions as follows</P><PRE>$ hdfs dfs -chown hive:hive /data $ hdfs dfs -chmod 771 /data</PRE><P>Continuing down this path, to be able to use BDR I will need to use an extended ACL to assign&nbsp;rx permissions on the relevant directories to the user.</P><P>&nbsp;</P><P>To cater for new directories that come along I am thinking that it would also&nbsp;be necessary to&nbsp;add the sticky bit on this operation. Does the following seem reasonable (running as hdfs user with relevant keytab)?</P><PRE>$ hdfs dfs -setfacl -R -m group:backup_users:r-xt /data</PRE><P>Information on using the sticky bit is thin on the ground; is this even supported and supported for&nbsp;extended ACLs?</P><P>&nbsp;</P><P>Is there something I am missing that makes BDR with a kerberos enabled cluster easier than this?</P><P>&nbsp;</P><P>Thanks, S.</P> Fri, 16 Sep 2022 11:33:49 GMT https://community.cloudera.com/t5/Support-Questions/BDR-in-secured-cluster-Run-as-Username/m-p/54422#M47205 ScottE 2022-09-16T11:33:49Z https://community.cloudera.com/t5/Support-Questions/BDR-in-secured-cluster-Run-as-Username/m-p/55116#M47206 <P>The trick is to create a BDR specific user and add them to the hive or supergroup groups as relevant for hive or general hdfs backups. No facl or sticky bits are required.</P> Fri, 26 May 2017 13:28:45 GMT https://community.cloudera.com/t5/Support-Questions/BDR-in-secured-cluster-Run-as-Username/m-p/55116#M47206 ScottE 2017-05-26T13:28:45Z