Prasad Mujumdar created SENTRY-715:
--------------------------------------

             Summary: ACLs are not updated on a table until the first explicit 
GRANT statement.
                 Key: SENTRY-715
                 URL: https://issues.apache.org/jira/browse/SENTRY-715
             Project: Sentry
          Issue Type: Bug
    Affects Versions: 1.5.0
            Reporter: Prasad Mujumdar
            Assignee: Prasad Mujumdar


1. Create a role, assign it to the systest group, and grant it ALL on the default database:
CREATE ROLE systest_default;
GRANT ROLE systest_default TO GROUP systest;
GRANT ALL ON DATABASE default to ROLE systest_default;

2. kinit as systest
CREATE TABLE test_tbl (i int);
INSERT INTO TABLE test_tbl SELECT 1;

3. Look at the HDFS ACLs (note that there is no entry for the systest group, even though its role holds ALL on the database):
[root@lenni-ssl-2 ~]# hadoop fs -getfacl 
/user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.
# file: 
/user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group:hive:rwx
other::---
mask::rwx
other::---


4. If a GRANT SELECT ON TABLE test_tbl is executed after the table is created, 
the ACLs are updated. But note that the systest group only gets read access 
(r-x) and not read/write (it should inherit ALL from the database grant):

[root@lenni-ssl-2 ~]# hadoop fs -getfacl 
/user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.
# file: 
/user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group:hive:rwx
other::---
group:systest:r-x
mask::rwx
other::---



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
