[ https://issues.apache.org/jira/browse/HIVE-14688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15893476#comment-15893476 ]
Wei Zheng commented on HIVE-14688:
----------------------------------
Will commit once Hive is depending on Hadoop 2.8+. Current logic will safeguard
improper DROP commands against tables in encryption zone.
> Hive drop call fails in presence of TDE
> ---------------------------------------
>
> Key: HIVE-14688
> URL: https://issues.apache.org/jira/browse/HIVE-14688
> Project: Hive
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.2.1, 2.0.0
> Reporter: Deepesh Khandelwal
> Assignee: Wei Zheng
> Attachments: HIVE-14688.1.patch, HIVE-14688.2.patch,
> HIVE-14688.3.patch, HIVE-14688.4.patch
>
>
> This should be committed to when Hive moves to Hadoop 2.8
> In Hadoop 2.8.0 TDE trash collection was fixed through HDFS-8831. This
> enables us to make drop table calls for Hive managed tables where the Hive
> metastore warehouse directory is in an encrypted zone. However, even with the
> feature in HDFS, Hive drop table currently fails:
> {noformat}
> $ hdfs crypto -listZones
> /apps/hive/warehouse key2
> $ hdfs dfs -ls /apps/hive/warehouse
> Found 1 items
> drwxrwxrwt - hdfs hdfs 0 2016-09-01 02:54 /apps/hive/warehouse/.Trash
> hive> create table abc(a string, b int);
> OK
> Time taken: 5.538 seconds
> hive> dfs -ls /apps/hive/warehouse;
> Found 2 items
> drwxrwxrwt - hdfs hdfs 0 2016-09-01 02:54 /apps/hive/warehouse/.Trash
> drwxrwxrwx - deepesh hdfs 0 2016-09-01 17:15 /apps/hive/warehouse/abc
> hive> drop table if exists abc;
> FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Unable to drop default.abc because it is in an encryption zone and trash is enabled. Use PURGE option to skip trash.)
> {noformat}
> The problem lies here:
> {code:title=metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java}
> private void checkTrashPurgeCombination(Path pathToData, String objectName,
>     boolean ifPurge)
> ...
>   if (trashEnabled) {
>     try {
>       HadoopShims.HdfsEncryptionShim shim =
>           ShimLoader.getHadoopShims().createHdfsEncryptionShim(FileSystem.get(hiveConf), hiveConf);
>       if (shim.isPathEncrypted(pathToData)) {
>         throw new MetaException("Unable to drop " + objectName + " because it is in an encryption zone" +
>             " and trash is enabled. Use PURGE option to skip trash.");
>       }
>     } catch (IOException ex) {
>       MetaException e = new MetaException(ex.getMessage());
>       e.initCause(ex);
>       throw e;
>     }
>   }
> {code}
> As we can see, we are making an assumption that delete wouldn't be
> successful in an encrypted zone. We need to modify this logic.
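The shell functions below are an added illustration, not code from the issue or from Hive: they parse `hdfs crypto -listZones` output and predict what the check quoted above does for a given table path. The function names, the sample zone list, and the rule that trash counts as enabled when fs.trash.interval is greater than 0 are assumptions.

```shell
#!/bin/sh
# Added example. Sample data is constructed; function names are hypothetical.

# Constructed `hdfs crypto -listZones` output: one "zone-root key-name" per line.
SAMPLE_ZONES='/data/raw key1
/apps/hive/warehouse key2'

# zone_for_path ZONES PATH
# Prints "root key" for the zone containing PATH, or nothing.
# Matching is done on path-component boundaries, so /apps/hive/warehouse2
# is NOT treated as being inside /apps/hive/warehouse.
# Assumes zone roots contain no whitespace.
zone_for_path() {
    printf '%s\n' "$1" | awk -v p="${2%/}" '
        NF >= 2 && hit == "" {
            root = $1
            if (root != "/") sub(/\/+$/, "", root)
            inside = (root == "/") || (p == root) || (index(p, root "/") == 1)
            if (inside) hit = root " " $2
        }
        END { if (hit != "") print hit }'
}

# drop_outcome ZONES PATH TRASH_INTERVAL PURGE
#   TRASH_INTERVAL: integer value of fs.trash.interval (for example from
#                   `hdfs getconf -confKey fs.trash.interval`); > 0 is
#                   assumed to mean trash is enabled.
#   PURGE:          "yes" if the DROP statement carries PURGE, else "no".
# Mirrors the quoted check: reject only when trash is enabled, the path is
# in an encryption zone, and PURGE was not requested.
drop_outcome() {
    zone=$(zone_for_path "$1" "$2")
    if [ "$4" = yes ]; then
        echo "allowed: PURGE bypasses trash"
    elif [ "$3" -le 0 ]; then
        echo "allowed: trash disabled"
    elif [ -z "$zone" ]; then
        echo "allowed: not in an encryption zone"
    else
        echo "rejected: in zone ${zone% *} (key ${zone#* })"
    fi
}

# The table from the report, with trash enabled and no PURGE.
drop_outcome "$SAMPLE_ZONES" /apps/hive/warehouse/abc 360 no
```

On a live cluster, pass "$(hdfs crypto -listZones)" as the first argument instead of the sample.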