  • Removing a Spotfire Data Science Team Studio user from Supergroup


    This procedure describes how to remove a Spotfire Data Science Team Studio user from Supergroup.

    This procedure is supported in Spotfire Data Science Team Studio version 6.2.2 and later.

    If you cannot add the Spotfire Data Science Team Studio service account to the cluster supergroup but still want to use Kerberized Hive, use the following instructions.

    1. Set the following configuration property to false:

      - alpine.principalIsSuperUser=false
       
    2. Grant permissions to the TIBCO Data Science Team Studio user on the Hive tables (add to the Hive group or use ACLs and Sentry).

    3. Ensure that the TIBCO Data Science Team Studio user has r-x permissions on Hive table directories (through umask or groups or ACLs).

    4. Ensure that TIBCO Data Science Team Studio can read the data files and create external tables using the temp directories.

      • With Sentry, this means running the following in Hue, where the TIBCO Data Science Team Studio service user has alpine_role:

        GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_out/**/*" TO ROLE alpine_role WITH GRANT OPTION;
        GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_runtime/**/*" TO ROLE alpine_role WITH GRANT OPTION;
        GRANT ALL ON URI "hdfs://<nameservice>/<alpine_tmp>/tsds_model/**/*" TO ROLE alpine_role WITH GRANT OPTION;
        
         

        Note: You could instead grant access to all of /<alpine_tmp>, but the narrower grants above are more secure.

        The above is necessary because the alpine group (to which we have assigned the role with the Hive permissions) was created only in Sentry/Hue and has not been mirrored in Linux.

    Note:

    • The Spotfire Data Science Team Studio temp files all end up being owned by the Spotfire Data Science Team Studio user.
    • If you want to control access to the temp directories by users, you must do so through Sentry or Ranger.
    • The Hive ACLs are still required on the temp directories because of the way we transfer files into Hive, although the same effect can be achieved through Sentry.
    • Customers can set alpine.hive.nonSuper.loadDirect=true to use the faster direct load into Hive, although this causes a disconnect between the owner of the table and the owner of the underlying data files.
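
A check for step 3, as an added example that is not part of the original article or of TIBCO's tooling: it parses `hdfs dfs -getfacl` output and applies the HDFS ACL evaluation order (owner, named user, groups filtered by the mask, other) to decide whether an account has r-x on a table directory. The account name `tsds_svc`, the group names and the path are constructed placeholders.

```python
# Added example: evaluate `hdfs dfs -getfacl` output for one account.
# Account, group and path names are constructed placeholders, not from the article.

def parse_getfacl(text):
    """Return (header dict, access ACL entries) from getfacl output."""
    meta, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):                 # "# owner: hive" style header
            key, _, value = line[2:].partition(": ")
            meta[key] = value
            continue
        line = line.split("#", 1)[0].strip()      # drop "#effective:..." notes
        if not line or line.startswith("default:"):
            continue                              # default ACLs only seed new children
        kind, name, perms = line.split(":")
        entries.append((kind, name, perms))
    return meta, entries


def has_access(text, user, groups, need="rx"):
    """Apply HDFS ACL order: owner, named user, matching groups, other."""
    meta, entries = parse_getfacl(text)
    need = set(need)
    mask = next((set(p) for k, _, p in entries if k == "mask"), None)

    def filtered(perms):                          # mask caps named users and all groups
        return set(perms) if mask is None else set(perms) & mask

    if user == meta.get("owner"):
        return need <= next(set(p) for k, n, p in entries if k == "user" and not n)
    for k, n, p in entries:
        if k == "user" and n == user:
            return need <= filtered(p)
    hits = [filtered(p) for k, n, p in entries
            if k == "group" and (n or meta.get("group")) in groups]
    if hits:                                      # a group matched: "other" is not consulted
        return any(need <= h for h in hits)
    return need <= next(set(p) for k, n, p in entries if k == "other")


# Constructed getfacl samples for one Hive table directory.
HEADER = "# file: /warehouse/sales.db/orders\n# owner: hive\n# group: hive\n"
NAMED_OK = HEADER + "user::rwx\nuser:tsds_svc:r-x\ngroup::r-x\nmask::r-x\nother::---\n"
MASK_BLOCKS = HEADER + ("user::rwx\nuser:tsds_svc:rwx\t#effective:--x\n"
                        "group::r-x\nmask::--x\nother::---\n")
GROUP_ONLY = HEADER + "user::rwx\ngroup::r-x\nother::---\n"

if __name__ == "__main__":
    for name, acl in [("named", NAMED_OK), ("masked", MASK_BLOCKS), ("group", GROUP_ONLY)]:
        print(name, has_access(acl, "tsds_svc", ["hive"]))
```

The `MASK_BLOCKS` sample shows the case that is easy to miss: a named-user entry of rwx still fails the r-x check when the mask is --x.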
