[ https://issues.apache.org/jira/browse/SENTRY-859?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
HanCheol Cho updated SENTRY-859:
--------------------------------

    Description:

This may not be a common use-case, but I think that grant/revoke in Hive and HDFS ACLs should be synchronized in this case too.

Assume that you have a DB named test_db with a table customer.
First, create a role db1 with all privileges on test_db and grant it to the group named user1.
Second, create a role tbl1 with all privileges on the table test_db.customer and grant it to user1.
Then, revoke db1 role from user1.
As a result, the group user1 still has the role tbl1, but the table directory does not have the ACL entry for the group user1.

You can reproduce this problem as follows:

// grant all privileges on the database test_db to a user
create role db1;
grant all on database test_db to role db1;
grant role db1 to group `user1`;

hdfs dfs -getfacl /user/hive/warehouse/test_db.db
# file: /user/hive/warehouse/test_db.db
# owner: hive
# group: hive
user::rwx
group::---
group:user1:rwx
user:hive:rwx
group:hive:rwx
mask::rwx
other::---

// grant all privileges on a specific table of the db to the user
create role tbl1;
grant all on table test_db.customer to role tbl1;
grant role tbl1 to group `user1`;

hdfs dfs -getfacl /user/hive/warehouse/test_db.db
# file: /user/hive/warehouse/test_db.db
# owner: hive
# group: hive
user::rwx
group::---
group:user1:rwx
user:hive:rwx
group:hive:rwx
mask::rwx
other::---

// revoke the db grant
revoke role db1 from group `user1`;

// table grant still exists
show role grant group `user1`;
+---------+---------------+-------------+----------+--+
|  role   | grant_option  | grant_time  | grantor  |
+---------+---------------+-------------+----------+--+
| tbl1    | false         | NULL        | --       |
+---------+---------------+-------------+----------+--+

// but hdfs acl on the table, customer, does not exist anymore
hdfs dfs -getfacl /user/hive/warehouse/test_db.db/customer
# file: /user/hive/warehouse/test_db.db/customer
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:hive:rwx
mask::rwx
other::---

> Revoking privileges on a DB removes HDFS ACLs on its table files even if
> there is a role for one of its tables.
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-859
>                 URL: https://issues.apache.org/jira/browse/SENTRY-859
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hdfs Plugin
>    Affects Versions: 1.4.0
>         Environment: CDH 5.4.3
>            Reporter: HanCheol Cho
>            Priority: Minor
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
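An added example, not part of the report or of Sentry's own code: a small Python model of the synchronization the report expects, plus a drift check. expected_acls recomputes the required group entries from every remaining grant (a DB-level grant reaches every table directory, a table-level grant only its own), so revoking db1 keeps user1's entry on customer as long as tbl1 still holds it; parse_getfacl and find_missing then compare that expectation against constructed getfacl output copied from the report's post-revoke state. Paths, role and group names are the report's; the warehouse root constant and the grant data structures are assumptions.

```python
from collections import defaultdict

WAREHOUSE = "/user/hive/warehouse"  # assumed Hive warehouse root, as in the report's paths

def covered_paths(db, table, tables):
    # Table privilege: its own directory; DB privilege (table=None): DB dir plus all its tables.
    db_dir = f"{WAREHOUSE}/{db}.db"
    if table is not None:
        return [f"{db_dir}/{table}"]
    return [db_dir] + [f"{db_dir}/{t}" for t in tables.get(db, [])]

def expected_acls(role_privs, role_groups, tables):
    # Recompute from the full set of remaining grants which groups need a
    # group:<g>:rwx entry on which path; revoking a role never subtracts entries.
    acls = defaultdict(set)
    for role, privs in role_privs.items():
        for db, table in privs:
            for path in covered_paths(db, table, tables):
                acls[path] |= role_groups.get(role, set())
    return {p: g for p, g in acls.items() if g}

def parse_getfacl(text):
    # Parse `hdfs dfs -getfacl` output into {path: set of named group entries}.
    entries, path = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            entries[path] = set()
        elif path and line.startswith("group:") and not line.startswith("group::"):
            entries[path].add(line.split(":")[1])
    return entries

def find_missing(expected, observed):
    # Groups that the remaining Sentry grants entitle but the HDFS ACL lacks.
    gaps = {p: g - observed.get(p, set()) for p, g in expected.items()}
    return {p: g for p, g in gaps.items() if g}

# Constructed state from the report after `revoke role db1 from group user1`:
# tbl1 still grants user1 on test_db.customer, but db1 no longer reaches user1.
TABLES = {"test_db": ["customer"]}
ROLE_PRIVS = {"db1": {("test_db", None)}, "tbl1": {("test_db", "customer")}}
ROLE_GROUPS = {"db1": set(), "tbl1": {"user1"}}
GETFACL_AFTER_REVOKE = (  # constructed copy of the table directory ACL shown in the report
    "# file: /user/hive/warehouse/test_db.db/customer\n# owner: hive\n# group: hive\n"
    "user::rwx\ngroup::---\nuser:hive:rwx\ngroup:hive:rwx\nmask::rwx\nother::---\n")

def check_drift():
    expected = expected_acls(ROLE_PRIVS, ROLE_GROUPS, TABLES)
    return find_missing(expected, parse_getfacl(GETFACL_AFTER_REVOKE))
```

check_drift() reports {'/user/hive/warehouse/test_db.db/customer': {'user1'}}, the entry the report shows missing; the same comparison run over live getfacl output would flag any other table where a revoke outran the remaining grants.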