https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-ideal-ACL-s-that-need-to-be-applied-on-a-HDFS/m-p/55692#M62668 <P>From my understanding when you use the Sentry HDFS synchronization plugin you only need to set the following ACLs :</P><P>hive:hive / 771</P><P>&nbsp;</P><PRE>https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hiveserver2_security.html#concept_vxf_pgx_nm</PRE><PRE>https://www.cloudera.com/documentation/enterprise/latest/topics/sg_sentry_service_config.html#concept_z5b_42s_p4__section_lvc_4g4_rp</PRE><P>&nbsp;</P><P>Then it is the plugin that will manage the other permission according to permissions granted in Sentry.</P><P>&nbsp;</P><P>If you set the permissions yourself then there is not point in using the Sentry HDFS synchronization plugin.</P> Mon, 12 Jun 2017 11:46:37 GMT mathieu.d 2017-06-12T11:46:37Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-ideal-ACL-s-that-need-to-be-applied-on-a-HDFS/m-p/55654#M62667 <P>What are the ideal / Minimum required ACL's that need to be applied on a HDFS directory containing Hive External Tables?</P><P>&nbsp;</P><P>1. I have a directory '/user/devteam/custdata' with permissions 770.&nbsp;</P><P>&nbsp;</P><P>hdfs dfs -getfacl /user/devteam/custdata</P><P># file: /user/devteam/custdata</P><P># owner: devteam</P><P># group: devteam</P><P>user::rwx</P><P>group::rwx</P><P>other::---</P><P>&nbsp;</P><P>2. I set ACL of...</P><P>hdfs dfs -setfacl -R -m group:hive:rwx,group:qateam:r-x /user/devteam/custdata</P><P>&nbsp;</P><P>3. Sentry Roles</P><P>&nbsp;</P><P>create role qateamrole;</P><P>grant select on database devdb to role qateamrole;</P><P>create role devteamrole;</P><P>grant all on database devdb to role devteamrole;</P><P>grant all on uri '<SPAN>/user/devteam/custdata' to role devteamteamrole;</SPAN></P><P>&nbsp;</P><P>By setting these two permissions with HDFS sentry sync enabled. Will I be able to run all my sqoop jobs and hive queries as the owner and qateam successfully? At the same time I want data to be visible only to the owner and teams that have permissions to query / cat / list them.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 16 Sep 2022 11:44:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-ideal-ACL-s-that-need-to-be-applied-on-a-HDFS/m-p/55654#M62667 suryajayanthi 2022-09-16T11:44:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-ideal-ACL-s-that-need-to-be-applied-on-a-HDFS/m-p/55692#M62668 <P>From my understanding when you use the Sentry HDFS synchronization plugin you only need to set the following ACLs :</P><P>hive:hive / 771</P><P>&nbsp;</P><PRE>https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hiveserver2_security.html#concept_vxf_pgx_nm</PRE><PRE>https://www.cloudera.com/documentation/enterprise/latest/topics/sg_sentry_service_config.html#concept_z5b_42s_p4__section_lvc_4g4_rp</PRE><P>&nbsp;</P><P>Then it is the plugin that will manage the other permission according to permissions granted in Sentry.</P><P>&nbsp;</P><P>If you set the permissions yourself then there is not point in using the Sentry HDFS synchronization plugin.</P> Mon, 12 Jun 2017 11:46:37 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-ideal-ACL-s-that-need-to-be-applied-on-a-HDFS/m-p/55692#M62668 mathieu.d 2017-06-12T11:46:37Z