https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46178#M43181 <P><SPAN>&nbsp;When you run impala-shell &nbsp;it would not run as "impala", it would run as the current user. Impala does not support HDFS-level user impersonation .if you need&nbsp;</SPAN><SPAN>grandular level authorization / user permission you might want to use Sentry .&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>please refer this link.&nbsp;</SPAN></P><P><SPAN><A href="https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_sentry_service.html" target="_blank">https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_sentry_service.html</A></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 12 Oct 2016 14:24:16 GMT csguna 2016-10-12T14:24:16Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46137#M43180 <P>I need some clarity on my chosen solution.<BR /><BR />I have a CDH 5.3.9 cluster. After assigning roles, I wanted to add some custom UDF's to Hive and Impala. The .jar of the UDF is placed in <FONT face="courier new,courier">/user/hdfs</FONT> in HDFS. <FONT face="courier new,courier">/user/hdfs</FONT> has <FONT face="courier new,courier">700</FONT> for <FONT face="courier new,courier">hdfs:supergroup</FONT></P><P>&nbsp;</P><P>For Hive (NOT Hiveserver2), // Version 0.13</P><UL><LI>Login to Hive CLI as hdfs user</LI><LI>Execute create function statement</LI></UL><P><STRONG>It works. It can access the .jar and create the function. I can test the UDF etc.</STRONG></P><P>&nbsp;</P><P>For Impala, // Version 2.1.7</P><UL><LI>Login to Impala CLI as hdfs user</LI><LI>Execute create function statement</LI></UL><P><STRONG>It doesn't work since Impala doesnt have permissions to access <FONT face="courier new,courier">/user/hdfs</FONT></STRONG></P><P>&nbsp;</P><P>If I add <FONT face="courier new,courier">impala</FONT> user to supergroup in Linux, it works since impala is added to HDFS superuser group</P><P>OR</P><P>If i give execute permissions to <FONT face="courier new,courier">Other</FONT> users on <FONT face="courier new,courier">/user/hdfs</FONT></P><P>&nbsp;</P><P><FONT face="terminal,monaco"><FONT face="lucida sans unicode,lucida sans">If I</FONT> do a ps aux to see how the CLI is handled for Hive as well as Impala cases, I can see it being run as hdfs user (since I logged in as hdfs) so I assumed it should have access to /user/hdfs for impala as well. But looks like that is not sufficient for impala but works for Hive somehow.</FONT></P><P>&nbsp;</P><P><FONT face="terminal,monaco">Is it because for hive I am using a plain client? and that has access to&nbsp;/user/hdfs since user for login is hdfs?</FONT></P><P><FONT face="terminal,monaco">Impala has to run via impalad which runs as impala user and that doesnt have access to the /user/hdfs</FONT></P><P>&nbsp;</P><P>Can someone please clarify what is going on in here?</P> Fri, 16 Sep 2022 10:43:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46137#M43180 SuvP 2022-09-16T10:43:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46178#M43181 <P><SPAN>&nbsp;When you run impala-shell &nbsp;it would not run as "impala", it would run as the current user. Impala does not support HDFS-level user impersonation .if you need&nbsp;</SPAN><SPAN>grandular level authorization / user permission you might want to use Sentry .&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>please refer this link.&nbsp;</SPAN></P><P><SPAN><A href="https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_sentry_service.html" target="_blank">https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_sentry_service.html</A></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 12 Oct 2016 14:24:16 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46178#M43181 csguna 2016-10-12T14:24:16Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46187#M43182 Actually that is exactly the missing piece I am trying to figure out. I am aware that impala shell will run as whatever user I login as. hdfs user as in my case. However that is not sufficient for the impala shell to access a jar present in HDFS with 700 hdfs permissions. Where hive client shell which similarly runs the shell as hdfs user in my case is able to access. So I am assuming the impalad daemon running as impala user the cause of this ? Authorization is not what I am looking for. Wed, 12 Oct 2016 17:45:54 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46187#M43182 SuvP 2016-10-12T17:45:54Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46219#M43183 <P><SPAN>impalad daemon is the one that is not able to access the jar for query processing since you have set the hdfs permission as 700. &nbsp;Your assumption is right and thats what I was refering in my previous post by stating&nbsp; Impala does not support HDFS-level user impersonation.</SPAN></P> Thu, 13 Oct 2016 04:07:02 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Confusion-about-Hive-amp-Impala-behaviour-for-access-to-HDFS/m-p/46219#M43183 csguna 2016-10-13T04:07:02Z