Repository: incubator-sentry Updated Branches: refs/heads/hive_plugin_v2 6baaa6129 -> a9c8d904d
SENTRY-721: HDFS Cascading permissions not applied to child file ACLs if a direct grant exists (Prasad Mujumdar, reviewed by Arun Suresh and Lenni Kuff) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/198bef5d Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/198bef5d Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/198bef5d Branch: refs/heads/hive_plugin_v2 Commit: 198bef5dd6061260c7c2f34fea27e434be4985ec Parents: ee90393 Author: Prasad Mujumdar <[email protected]> Authored: Fri Jun 12 16:24:29 2015 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Fri Jun 12 16:24:29 2015 -0700 ---------------------------------------------------------------------- .../apache/sentry/hdfs/SentryPermissions.java | 24 ++++++-------------- .../tests/e2e/hdfs/TestHDFSIntegration.java | 17 ++++++++++++++ 2 files changed, 24 insertions(+), 17 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/198bef5d/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java ----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java
index b9d1d70..2c50ea9 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java
@@ -118,10 +118,14 @@ public class SentryPermissions implements AuthzPermissions {
 }
 private Map<String, FsAction> getGroupPerms(String authzObj) {
- Map<String, FsAction> groupPerms = new HashMap<String, FsAction>();
- if (authzObj == null) {
- return groupPerms;
+ Map<String, FsAction> groupPerms;
+ String parent = getParentAuthzObject(authzObj);
+ if (parent == null || parent.equals(authzObj)) {
+ groupPerms = new HashMap<String, FsAction>();
+ } else {
+ groupPerms = getGroupPerms(parent);
 }
+
 PrivilegeInfo privilegeInfo = privileges.get(authzObj);
 if (privilegeInfo != null) {
 for (Map.Entry<String, FsAction> privs : privilegeInfo
@@ -135,16 +139,6 @@ public class SentryPermissions implements AuthzPermissions {
 @Override
 public List<AclEntry> getAcls(String authzObj) {
 Map<String, FsAction> groupPerms = getGroupPerms(authzObj);
- String parent = getParentAuthzObject(authzObj);
- Map<String, FsAction> pGroupPerms = null;
- if (parent == null) {
- pGroupPerms = new HashMap<String, FsAction>();
- } else {
- pGroupPerms = getGroupPerms(getParentAuthzObject(authzObj));
- if ((groupPerms == null)||(groupPerms.size() == 0)) {
- groupPerms = pGroupPerms;
- }
- }
 List<AclEntry> retList = new LinkedList<AclEntry>();
 for (Map.Entry<String, FsAction> groupPerm : groupPerms.entrySet()) {
 AclEntry.Builder builder = new AclEntry.Builder();
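Review bot: The rewritten `getGroupPerms` drops the `if (authzObj == null)` early return, so a null `authzObj` now goes straight into `getParentAuthzObject` and `privileges.get`; whether that is safe depends on code outside this hunk. Restoring the guard as the first statement, `if (authzObj == null) { return new HashMap<String, FsAction>(); }`, keeps the old contract. The recursion also hands the parent's map to the loop that follows, and that loop's body is cut off here. Because the `action.or(pAction)` merge is removed from `getAcls` in the later hunks, the loop has to OR the child's action into the inherited entry rather than overwrite it, otherwise a narrower direct grant would replace the cascaded one for the same group. A short comment stating that the returned map is the union of all ancestors' grants, and that termination relies on `getParentAuthzObject` returning null or the object itself at the root, would help the next reader.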
@@ -152,10 +146,6 @@ public class SentryPermissions implements AuthzPermissions {
 builder.setType(AclEntryType.GROUP);
 builder.setScope(AclEntryScope.ACCESS);
 FsAction action = groupPerm.getValue();
- FsAction pAction = pGroupPerms.get(groupPerm.getKey());
- if (pAction != null) {
- action = action.or(pAction);
- }
 if ((action == FsAction.READ) || (action == FsAction.WRITE) || (action == FsAction.READ_WRITE)) {
 action = action.or(FsAction.EXECUTE);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/198bef5d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java ----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java
index 8ddfbe7..d75c578 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java
@@ -553,6 +553,14 @@ public class TestHDFSIntegration {
 stmt.execute("alter table p1 add partition (month=2, day=1)");
 stmt.execute("alter table p1 add partition (month=2, day=2)");
+ // db privileges
+ stmt.execute("create database db5");
+ stmt.execute("create role db_role");
+ stmt.execute("create role tab_role");
+ stmt.execute("grant role db_role to group hbase");
+ stmt.execute("grant role tab_role to group flume");
+ stmt.execute("create table db5.p2(id int)");
+
 stmt.execute("create role p1_admin");
 stmt.execute("grant role p1_admin to group hbase");
@@ -561,6 +569,15 @@ public class TestHDFSIntegration {
 verifyOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
+ stmt.execute("grant all on database db5 to role db_role");
+ stmt.execute("use db5");
+ stmt.execute("grant all on table p2 to role tab_role");
+ stmt.execute("use default");
+ verifyOnAllSubDirs("/user/hive/warehouse/db5.db", FsAction.ALL, "hbase", true);
+ verifyOnAllSubDirs("/user/hive/warehouse/db5.db/p2", FsAction.ALL, "hbase", true);
+ verifyOnAllSubDirs("/user/hive/warehouse/db5.db/p2", FsAction.ALL, "flume", true);
+ verifyOnPath("/user/hive/warehouse/db5.db", FsAction.ALL, "flume", false);
+
 loadData(stmt);
 verifyHDFSandMR(stmt);
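Review bot: The new assertions only cover two different groups that each hold ALL, so they never exercise the merge for a single group that has grants at both the database and the table level, which is the path the recursive `getGroupPerms` changes. A case where the same group holds a narrower table grant alongside the database grant would pin that the effective ACL on `/user/hive/warehouse/db5.db/p2` is the union of the two. There is also no check that the cascaded entry goes away again: after revoking the database grant from `db_role`, something like `verifyOnAllSubDirs("/user/hive/warehouse/db5.db/p2", null, "hbase", false);` would confirm that hbase does not keep inherited access. The enclosing test method starts and ends outside the hunk, so cleanup of `db5`, `db_role` and `tab_role` cannot be confirmed from here.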
