Support Questions

pphot · ‎11-04-2020

Hello Everyone,

Do HDFS ACLs apply on impala queries?

If, for example, I want to give read permissions on specific directories in HDFS to a specific user and I modify the appropriate ACLs using "hdfs dfs setfacl" on the mentioned directories, will the user have only SELECT permissions when querying the files?

I want to avoid using Kerberos auth and Sentry service.

tusharkathpal · ‎11-04-2020

@pphot Yes hdfs acls will come into picture even if you use Impala. After all Impala is a client for hdfs service.

If hdfs path has permissions, let's say no permission for impala user then impala will be unable to read data from hdfs and eventually your query will fail with permission denied error.

Let me know if the above clarifies your doubt.

Mike in Austin · ‎11-12-2020

IIRC, The ImpalaD process runs as the "impala". If you have sentry grants that enable access to roles the user is in any HDFL ACLs to the contrary will be ignored.

The proper way to do this is to use Sentry to grant access to the roles which map to groups and users, you want to have access and then enable HDFS ACLs to sync the HDFS access.