[ 
https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15075266#comment-15075266
 ] 

Carita Ou commented on HIVE-11481:
----------------------------------

Hi Szehon, I updated the review board with the new patch.

1. This is true. The child directory inherits the parent's default ACLs as its 
own default ACLs, and also as its access ACLs. I made some code changes for the 
child directory to inherit the parent's default ACL as its access ACL, 
overwriting the named user|group access ACL if it exists. For example, the parent 
directory has the following ACLs:
{noformat}default:user:foo:r--
user:foo:rwx{noformat}
After inheritance, the child will have the following ACLs:
{noformat}default:user:foo:r--
user:foo:r--{noformat}
Can you please verify that this should be the case?

2. We are removing the baseAclEntries if there are Default ACLs. This is to 
prevent the setfacl command from failing if there are duplicate ACL entries 
with the same scope, type, and name. For example, the following command 
{noformat}"hadoop fs -setfacl -R --set 'user::rwx,user::r--' /path"{noformat} 
will fail with "setfacl: Invalid ACL: multiple entries with same scope, type 
and name."
If there are no default ACLs, we don't need to remove baseAclEntries. At this 
point, only the group access ACL is present in the ACL list, and the "setfacl 
-R" command requires the user, group and other entries. That is why I'm setting 
USER and OTHER again. For example, the following command {noformat}"hadoop fs 
-setfacl -R --set 'user::r--' /path"{noformat} will fail with "setfacl: Invalid 
ACL: the user, group and other entries are required."

3. I updated the testcase to include Default ACLs. Thank you for asking to 
include this. After including default ACLs, I found that more code changes were 
needed to address your question #1. 

> hive incorrectly set extended ACLs for unnamed group for new databases/tables 
> with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-11481
>                 URL: https://issues.apache.org/jira/browse/HIVE-11481
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
>            Reporter: Carita Ou
>            Assignee: Carita Ou
>            Priority: Minor
>         Attachments: HIVE-11481.1.patch, HIVE-11481.2.patch, 
> HIVE-11481.3.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:44 
> /user/hive/warehouse/testing.db
> $hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the 
> group permissions for testing.db should also be ---
> The warehouse directory permissions show drwxrwx---+ which corresponds to 
> user:mask:other. The subdirectory group ACL is set by calling 
> FsPermission.getGroupAction() from Hadoop, which retrieves the file status 
> permission rwx instead of the actual ACL permission, which is ---. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
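
The inheritance rule from point 1, the two `setfacl --set` checks from point 2, and the mask-versus-group mismatch from the issue description, as an added Python model that is not part of the original message and is not Hive or Hadoop code. The function names are hypothetical, `WAREHOUSE` is retyped from the `getfacl` output quoted above, and the model ignores the mask recalculation that HDFS itself performs.

```python
# Added illustration: a small model of the ACL rules in this thread.
REQUIRED = {("access", "user", ""), ("access", "group", ""), ("access", "other", "")}

def parse(spec):
    """Parse 'default:user:foo:r--,user::rwx' into [((scope, type, name), perm)]."""
    entries = []
    for item in spec.split(","):
        parts = item.strip().split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        etype, name, perm = parts
        entries.append(((scope, etype, name), perm))
    return entries

def validate_set(entries):
    """Apply the two 'setfacl --set' checks quoted in point 2."""
    keys = [key for key, _ in entries]
    if len(keys) != len(set(keys)):
        raise ValueError("multiple entries with same scope, type and name")
    if not REQUIRED <= set(keys):
        raise ValueError("the user, group and other entries are required")
    return entries

def inherit(parent):
    """Child ACL: the parent's access entries, overridden by the parent's
    default entries; the default entries are also carried over unchanged."""
    child = {key: perm for key, perm in parent if key[0] == "access"}
    for (scope, etype, name), perm in parent:
        if scope == "default":
            child[("access", etype, name)] = perm   # default wins over access
            child[("default", etype, name)] = perm
    return validate_set(list(child.items()))

def group_bits(entries):
    """Group slot of the mode bits: the mask when one exists, else group::."""
    acl = dict(entries)
    return acl.get(("access", "mask", ""), acl[("access", "group", "")])

def fmt(entries):
    """Render entries back into sorted setfacl-style strings."""
    return sorted(("" if s == "access" else "default:") + f"{t}:{n}:{p}"
                  for (s, t, n), p in entries)

# ACL of /user/hive/warehouse as shown in the issue description.
WAREHOUSE = parse("user::rwx,user:user1:rwx,group::---,mask::rwx,other::---,"
                  "default:user::rwx,default:group::---,default:other::---")
```

For `WAREHOUSE`, `group_bits` returns `rwx` (the mask) while the `group::` entry is `---`, which is the mismatch the issue describes; `inherit(WAREHOUSE)` keeps `group::---` on the child.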
