This procedure is supported in Spotfire Data Science Team Studio version 6.2.2 and later.
If you cannot add the Spotfire Data Science Team Studio service account to the cluster supergroup but still want to use Kerberized Hive, use the following instructions.
- Set the config to false: alpine.principalIsSuperUser=false
- Grant permissions to the TIBCO Data Science Team Studio user on the Hive tables (add to the Hive group or use ACLs and Sentry).
- Ensure that the TIBCO Data Science Team Studio user has r-x permissions on Hive table directories (through umask or groups or ACLs).
- Ensure that TIBCO Data Science Team Studio can read the data files and create external tables using the temp directories.
- With Sentry, this means running the following in Hue, where the TIBCO Data Science Team Studio service user has alpine_role:

    GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_out/**/*" TO ROLE alpine_role WITH GRANT OPTION;
    GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_runtime/**/*" TO ROLE alpine_role WITH GRANT OPTION;
    GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_model/**/*" TO ROLE alpine_role WITH GRANT OPTION;

  Note: Of course, you could just grant access to all of /<alpine_tmp>, but the instructions above are more secure.
  The above is necessary because the alpine group (to which we have assigned the role with the Hive permissions) was created only in Sentry/Hue and has not been mirrored in Linux.
Note:
- The Spotfire Data Science Team Studio temp files all end up being owned by the Spotfire Data Science Team Studio user.
- If you want to control access to the temp directories by users, you must do so through Sentry or Ranger.
- The Hive ACLs are still required on the temp dirs because of the way we transfer files into Hive; although the same effect can be achieved through Sentry.
- Customers can set alpine.hive.nonSuper.loadDirect=true to use the faster direct load into Hive; although this causes a disconnect between the owner of the table and the owner of the underlying data files.
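One way to check the r-x requirement on a Hive table directory without supergroup rights is to evaluate the output of hdfs dfs -getfacl for the service user. The following is an added example, not code from the product or its documentation; the user name tds_svc, the table path and the ACL text are constructed, and the groups argument is assumed to be what hdfs groups returns for that user (a group that exists only in Sentry/Hue will not appear there).

```python
# Added example: constructed `hdfs dfs -getfacl` output for a Hive table directory.
SAMPLE_ACL = """\
# file: /user/hive/warehouse/sales.db/orders
# owner: hive
# group: hive
user::rwx
user:tds_svc:r-x
group::r-x
group:alpine:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Split getfacl output into header fields and access ACL entries."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            meta[key] = value
        elif line and not line.startswith("default:"):
            # Drop a trailing "#effective:..." annotation before splitting.
            kind, name, perms = line.split("#")[0].strip().split(":")
            entries.append((kind, name, perms))
    return meta, entries

def has_rx(text, user, groups):
    """True if `user`, with HDFS-resolved `groups`, gets r-x on the path."""
    meta, entries = parse_getfacl(text)
    mask = next((p for k, _, p in entries if k == "mask"), "rwx")

    def grants(perms, masked):
        # Named-user and group entries are filtered by the mask entry.
        eff = [c if not masked or m == c else "-" for c, m in zip(perms, mask)]
        return eff[0] == "r" and eff[2] == "x"

    def first(kind, name):
        return next((p for k, n, p in entries if k == kind and n == name), "---")

    if user == meta.get("owner"):
        return grants(first("user", ""), masked=False)
    if any(k == "user" and n == user for k, n, _ in entries):
        return grants(first("user", user), masked=True)
    matched = [p for k, n, p in entries if k == "group"
               and (n in groups or (n == "" and meta.get("group") in groups))]
    if matched:
        return any(grants(p, masked=True) for p in matched)
    return grants(first("other", ""), masked=False)
```

With the named-user entry removed and an empty group list, the check falls through to other::--- and fails, which is the situation when access was granted only to a group that HDFS cannot resolve for the service user.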