Github user mmiklavc commented on the issue:
https://github.com/apache/metron/pull/1166
@merrimanr - just for clarification on the directory permissions:
**Non-Kerberized**
- storm:hadoop, 0775
- Storm impersonation does not work
- Storm runs the topology, so it has rwx (7)
- Metron needs to read/write for the input dir and writing out the results
(cli query, rest/ui query). It's a member of the `hadoop` group, so using that
group with 0775 enables the required access.
```
groups metron
metron : hadoop
```
**Kerberized**
- metron:hadoop, 0755
- Impersonation works for Storm here
- metron runs the topology and has rwx (7) access
- hadoop no longer needs write access bc of impersonation
I compared this to what we do with indexing and I think we have 1 small
gap. When starting from non-kerberized, and then adding kerberization, the
perms will be looser than desired because any member of `hadoop` will still be
able to write.
https://github.com/apache/metron/blob/master/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/indexing_master.py#L78
---
