[ 
https://issues.apache.org/jira/browse/SENTRY-953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15076657#comment-15076657
 ] 

Hao Hao commented on SENTRY-953:
--------------------------------

I used the thrift command to directly generate the source code instead of the 
maven build. I saw in the pom, the libthrift version is set to 0.9.2. Is that 
the cause?

> External Partitions which are referenced by more than one table can cause 
> some unexpected behavior with Sentry HDFS sync
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-953
>                 URL: https://issues.apache.org/jira/browse/SENTRY-953
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.6.0
>            Reporter: Ryan P
>            Assignee: Hao Hao
>             Fix For: 1.7.0
>
>         Attachments: SENTRY-953.0.patch, SENTRY-953.002.patch, 
> SENTRY-953.003.patch, SENTRY-953.005.patch, SENTRY-953.1.patch
>
>
> With Sentry HDFS ACL Sync enabled:
> Under a configured prefix create two external permission directories;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> Once a table is created that references these partitions they begin to act as 
> managed directories as expected. 
> drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=1
> drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=2
> The problem however arrives once we have two tables referencing these 
> partitions with different grants placed against them.
> *both table1 and table2 include both partitions
> grant all on table home1 to role table1;
> grant role home1 to group root;
> grant all on table home2 to role table2;
> grant role home2 to group ryanp;
>  
> You will notice that only the first grant takes effect on the managed 
> directories:
> # file: /location/pk=1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> # file: /location/pk=2
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> Dropping the first table also results in the directories no longer being 
> managed at all. 
> drop table home1;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> The only way to pick up the 2 tables grants at this point would be to restart 
> HMS. 
> Since theoretically partitions can be members of numerous tables we should fix 
> this behavior. Grants placed against either authorizable object should be 
> reflected in HDFS. As long as there are any references to the partition it 
> should remain managed as well. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
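
The behaviour the issue description asks for, as an added example that is not part of the original message and is not Sentry code: a toy model in which each path maps to the set of tables referencing it, the ACL is the union of their grants, and a path stays managed until its last reference is dropped. The class and method names are hypothetical, and only the grant-derived group entries are modelled (not the hive user and group entries).

```python
from collections import defaultdict


class PathIndex:
    """Toy model (assumption, not Sentry's data structure)."""

    def __init__(self):
        self.path_to_tables = defaultdict(set)  # path -> tables referencing it
        self.table_groups = defaultdict(set)    # table -> groups granted ALL

    def add_table(self, table, paths):
        for path in paths:
            self.path_to_tables[path].add(table)

    def grant_all(self, table, group):
        self.table_groups[table].add(group)

    def drop_table(self, table):
        self.table_groups.pop(table, None)
        for path in list(self.path_to_tables):
            self.path_to_tables[path].discard(table)
            if not self.path_to_tables[path]:
                # Only the last reference going away unmanages the path.
                del self.path_to_tables[path]

    def is_managed(self, path):
        return path in self.path_to_tables

    def acl(self, path):
        """Group ACL entries: union over every table that references path."""
        if not self.is_managed(path):
            return None
        groups = set()
        for table in self.path_to_tables[path]:
            groups |= self.table_groups.get(table, set())
        return sorted(f"group:{g}:rwx" for g in groups)


def scenario():
    """Replays the steps from the report with constructed sample data."""
    idx = PathIndex()
    parts = ["/location/pk=1", "/location/pk=2"]
    idx.add_table("home1", parts)
    idx.add_table("home2", parts)
    idx.grant_all("home1", "root")
    idx.grant_all("home2", "ryanp")
    both = idx.acl("/location/pk=1")
    idx.drop_table("home1")
    after_drop = idx.acl("/location/pk=1")
    idx.drop_table("home2")
    return both, after_drop, idx.is_managed("/location/pk=1")
```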
