Good day, all,

We are using Cloudera CDH 5.4.4, which based on their version is using Sentry 1.4.0.

Here is the basic scenario. I have Oozie workflows that can reproduce the following:

1) User creates the HDFS directory structures, /project/database/table
2) User creates a Hive database and grants all to a role on database.
3) User creates "external" tables within the database and uses the HDFS directory structures for the location of each table (/project/database/table)
4) User grants all to a role on table.

Expected/Actual Results: The Hive ACLs are applied to the HDFS directory leaf, /project/database/table

1) User drops the database with cascade.
2) User removes the directory tree (/project/database/table) with HDFS commands.

Expected/Actual Results: All data, database and HDFS directories are removed from system.

Problem statement:

1) User recreates the same directory tree (/project/database/table)
2) Run "hadoop fs -getfacl /project/database/table"

Expected Results: No Hive/Sentry ACLs will be associated with /project/database/table
Actual Results: The old ACLs are being re-applied to the new HDFS directory tree.

Assumption is that when a database or a table is dropped from Hive, Sentry's ACLs should also be removed or reverted to the previous state. I would assume that the removal of ACLs is the responsibility of the (Hive/Impala) drop command, which would also issue a command to Sentry to remove all ACLs associated.

Is it reasonable to assume that, if the table is dropped, the grant associated with that table should also be removed?

If test scripts are needed I can create them.

Insights?

--
Those who say it can't be done, are usually interrupted by those doing it.
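A check for step 2 of the problem statement above, as an added example that is not part of the original post: it parses `hadoop fs -getfacl` output and lists every entry beyond the base owner/group/other permissions, which is what a freshly recreated directory should not carry. The two sample outputs and the names `etl_user` and `project_role` are constructed, and the shape of the stale output is an assumption.

```python
import re

# Base entries that every directory has even with no extended ACL set.
BASE = re.compile(r"^(user|group|other)::[rwx-]{3}$")

# Constructed sample: a newly created directory with no extended ACL.
CLEAN = """# file: /project/database/table
# owner: etl_user
# group: supergroup
user::rwx
group::r-x
other::r-x
"""

# Constructed sample (assumed shape): old grants showing up again.
STALE = """# file: /project/database/table
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
group:project_role:rwx
mask::rwx
other::--x
"""

def parse_getfacl(text):
    """Split getfacl output into (path, owner, group, acl_entries)."""
    meta, entries = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            key, _, value = line.lstrip("# ").partition(":")
            meta[key.strip()] = value.strip()
        elif line:
            entries.append(line)
    return meta.get("file"), meta.get("owner"), meta.get("group"), entries

def unexpected_acls(text, allowed=()):
    """Return named or default ACL entries that are not explicitly allowed."""
    entries = parse_getfacl(text)[3]
    return [e for e in entries
            if not BASE.match(e) and not e.startswith("mask::") and e not in allowed]

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("stale", STALE)):
        print(label, unexpected_acls(sample))
```

In a workflow, feed it the captured output of the `hadoop fs -getfacl` call right after the directory is recreated and fail the run when the returned list is not empty.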
