Ryan P created SENTRY-953:
-----------------------------

             Summary: External Partitions which are referenced by more than one 
table can cause some unexpected behavior with Sentry HDFS sync
                 Key: SENTRY-953
                 URL: https://issues.apache.org/jira/browse/SENTRY-953
             Project: Sentry
          Issue Type: Bug
          Components: Sentry
    Affects Versions: 1.6.0
            Reporter: Ryan P


With Sentry HDFS ACL Sync enabled:

Under a configured prefix, create two external permission directories:

# file: /location/pk=1
# owner: ryanp
# group: ryanp
user::rwx
group::rwx
other::rwx

# file: /location/pk=2
# owner: ryanp
# group: ryanp
user::rwx
group::rwx
other::rwx

Once a table is created that references these partitions they begin to act as 
managed directories as expected. 

drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=1
drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=2

The problem however arrives once we have two tables referencing these 
partitions with different grants placed against them.

*both table1 and table2 include both partitions

grant all on table home1 to role table1;
grant role home1 to group root;

grant all on table home2 to role table2;
grant role home2 to group ryanp;
 
You will notice that only the first grant takes effect on the managed 
directories:

# file: /location/pk=1
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group:root:rwx
group::---
group:hive:rwx
mask::rwx
other::---

# file: /location/pk=2
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group:root:rwx
group::---
group:hive:rwx
mask::rwx
other::---

Dropping the first table also results in the directories no longer being 
managed at all. 

drop table home1;

# file: /location/pk=1
# owner: ryanp
# group: ryanp
user::rwx
group::rwx
other::rwx

# file: /location/pk=2
# owner: ryanp
# group: ryanp
user::rwx
group::rwx
other::rwx

The only way to pick up the 2 tables grants at this point would be to restart 
HMS. 

Since theoretically partitions can be members of numerous tables we should fix 
this behavior. Grants placed against either authorizable object should be 
reflected in HDFS. As long as there are any references to the partition it 
should remain managed as well. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
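
The behavior the report asks for, as an added Python sketch (not part of the original message and not Sentry's code): each path keeps the set of tables that reference it, its group ACL entries are the union of the grants on those tables, and it stops being managed only when the last reference is dropped. The class and function names are hypothetical, and the role indirection is collapsed to table-to-group grants with `all` rendered as `rwx`.

```python
# Added illustration: a toy model of path-to-table bookkeeping, not Sentry's code.
from collections import defaultdict


class PathIndex:
    """Tracks every table (authorizable) that references an HDFS path."""

    def __init__(self):
        self.refs = defaultdict(set)          # path  -> {table, ...}
        self.table_groups = defaultdict(set)  # table -> {group, ...}

    def add_table(self, table, paths):
        for path in paths:
            self.refs[path].add(table)

    def grant_all(self, table, group):
        self.table_groups[table].add(group)

    def drop_table(self, table):
        # Remove only this table's reference. A path leaves the managed set
        # when no table points at it any more, not when the first one goes.
        for path in list(self.refs):
            self.refs[path].discard(table)
            if not self.refs[path]:
                del self.refs[path]
        self.table_groups.pop(table, None)

    def is_managed(self, path):
        return path in self.refs

    def acl_entries(self, path):
        # Union of the groups granted on every table referencing the path.
        groups = set()
        for table in self.refs.get(path, ()):
            groups |= self.table_groups[table]
        return [f"group:{g}:rwx" for g in sorted(groups)]


def report_scenario():
    """Constructed input mirroring the report: two tables, same two partitions."""
    idx = PathIndex()
    partitions = ["/location/pk=1", "/location/pk=2"]
    idx.add_table("home1", partitions)
    idx.add_table("home2", partitions)
    idx.grant_all("home1", "root")
    idx.grant_all("home2", "ryanp")
    return idx
```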
