HanCheol Cho created SENTRY-859:
-----------------------------------

             Summary: Revoking privileges on a DB removes HDFS ACLs on its table files even if there is a role for one of its tables.
                 Key: SENTRY-859
                 URL: https://issues.apache.org/jira/browse/SENTRY-859
             Project: Sentry
          Issue Type: Bug
          Components: Hdfs Plugin
    Affects Versions: 1.4.0
         Environment: CDH 5.4.3
            Reporter: HanCheol Cho
            Priority: Minor


This may not be a common use-case, but I think that grant/revoke in Hive and 
HDFS ACLs should be synchronized in this case too.

Assume that you have a DB named test_db with a table customer.
First, create a role db1 with all privileges on test_db and grant it to
the group named user1.
Second, create a role tbl1 with all privileges on the table test_db.customer
and grant it to user1.
Then, revoke db1 role from user1.

As a result, the group user1 still has the role tbl1, but the table 
directory does not have the ACL entry for the group user1.



You can reproduce this problem as follows:

// grant all privileges on the database test_db to a user
create role db1;
grant all on database test_db to role db1;
grant role db1 to group `user1`;

hdfs dfs -getfacl /user/hive/warehouse/test_db.db
    # file: /user/hive/warehouse/test_db.db
    # owner: hive
    # group: hive
    user::rwx
    group::---
    group:user1:rwx
    user:hive:rwx
    group:hive:rwx
    mask::rwx
    other::---

// grant all privileges on a specific table of the db to the user
create role tbl1;
grant all on table test_db.customer to role tbl1;
grant role tbl1 to group `user1`;

hdfs dfs -getfacl /user/hive/warehouse/test_db.db
    # file: /user/hive/warehouse/test_db.db
    # owner: hive
    # group: hive
    user::rwx
    group::---
    group:user1:rwx
    user:hive:rwx
    group:hive:rwx
    mask::rwx
    other::---

// revoke the db grant
revoke role db1 from group `user1`;

// table grant still exists
show role grant group `user1`;
    +---------+---------------+-------------+----------+--+
    |  role   | grant_option  | grant_time  | grantor  |
    +---------+---------------+-------------+----------+--+
    | tbl1    | false         | NULL        | --       |
    +---------+---------------+-------------+----------+--+

// but hdfs acl on the table, customer, does not exist anymore
hdfs dfs -getfacl /user/hive/warehouse/test_db.db/customer
    # file: /user/hive/warehouse/test_db.db/customer
    # owner: hive
    # group: hive
    user::rwx
    group::---
    user:hive:rwx
    group:hive:rwx
    mask::rwx
    other::---
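Added example (not from the report or from the Sentry project): a small Python checker that parses `hdfs dfs -getfacl` output and compares it with the groups that should still hold access through their remaining role grants, so the desync shown above can be detected from shell output. The role-to-path mapping, the grant table and all constant names are constructed for this scenario and simplify Sentry's own privilege-to-path resolution.

```python
from typing import Dict, List, Set

def parse_getfacl(output: str) -> Set[str]:
    """Return the named group entries (group:NAME:perm) from `hdfs dfs -getfacl` text."""
    groups: Set[str] = set()
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank lines and header comments
            continue
        parts = line.split(":")
        # "group::---" is the owning-group entry; "group:user1:rwx" is a named entry
        if parts[0] == "group" and len(parts) == 3 and parts[1]:
            groups.add(parts[1])
    return groups

def expected_groups(path: str, role_paths: Dict[str, str],
                    group_roles: Dict[str, Set[str]]) -> Set[str]:
    """Groups that should hold an ACL entry on `path` (a role on it or on an ancestor)."""
    expected: Set[str] = set()
    for group, roles in group_roles.items():
        for role in roles:
            obj = role_paths[role].rstrip("/")
            if path == obj or path.startswith(obj + "/"):
                expected.add(group)
    return expected

def missing_acl_groups(path: str, facl_output: str, role_paths: Dict[str, str],
                       group_roles: Dict[str, Set[str]]) -> List[str]:
    """Groups that still hold a covering role but have no ACL entry on `path`."""
    return sorted(expected_groups(path, role_paths, group_roles) - parse_getfacl(facl_output))

# Constructed scenario mirroring the report: db1 covers the DB directory, tbl1 the table.
WAREHOUSE = "/user/hive/warehouse"
ROLE_PATHS = {"db1": WAREHOUSE + "/test_db.db", "tbl1": WAREHOUSE + "/test_db.db/customer"}
GRANTS_AFTER_REVOKE = {"user1": {"tbl1"}}   # after "revoke role db1 from group user1"

# getfacl output for the table directory as quoted in the report, after the revoke
CUSTOMER_FACL = """\
# file: /user/hive/warehouse/test_db.db/customer
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:hive:rwx
mask::rwx
other::---
"""
```

Calling `missing_acl_groups(ROLE_PATHS["tbl1"], CUSTOMER_FACL, ROLE_PATHS, GRANTS_AFTER_REVOKE)` returns `['user1']`, which is exactly the missing entry the report describes; an empty list means the ACL and the grants agree.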




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)