Product: TIBCO Spotfire®
Remove Spotfire Data Science from Supergroup
Note: This is supported in Spotfire Data Science version 6.2.2 and later. If you cannot add the Spotfire Data Science service account to the cluster supergroup but still want to use Kerberized Hive, use the instructions below:
1. Set the configuration property alpine.principalIsSuperUser=false
2. Grant permissions to the Spotfire Data Science user on the Hive tables (add it to the Hive group, or use ACLs and Sentry)
3. Ensure the Spotfire Data Science user has r-x permissions on the Hive table directories (through umask, group membership, or ACLs)
4. Ensure Spotfire Data Science can read the data files and create external tables using the temp directories
a) With Sentry, this means running the following in Hue, where the Spotfire Data Science service user has alpine_role:
GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_out/**/*" TO ROLE alpine_role WITH GRANT OPTION
GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_runtime/**/*" TO ROLE alpine_role WITH GRANT OPTION
GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_model/**/*" TO ROLE alpine_role WITH GRANT OPTION
b) One could instead grant access to all of /<alpine_tmp>, but granting only the three subdirectories above is the more restrictive, and therefore more secure, option
c) The above is necessary because the Spotfire Data Science group (to which we’d assigned the role with the Hive permissions) was created only in Sentry/Hue and has not been mirrored in Linux.
Note that:
- The Spotfire Data Science temp files will all end up owned by the Spotfire Data Science user.
- If customers want to control access to the temp directories by users, they'll need to do so through Sentry or Ranger.
- The Hive ACLs are still required on the temp dirs because of the way we transfer files into Hive, though the same effect might be achieved through Sentry.
- Customers can set alpine.hive.nonSuper.loadDirect=true to use the faster direct load into Hive, though this will cause a disconnect between the owner of the table and the owner of the underlying data files.