[jira] [Updated] (SENTRY-859) Revoking privileges on a DB removes HDFS ACLs on its table files even if there is a role for one of its tables.

Fri, 03 Jun 2016 11:28:16 -0700 

     [ 
https://issues.apache.org/jira/browse/SENTRY-859?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rahul Sharma updated SENTRY-859:
--------------------------------
    Attachment: SENTRY-859.patch

Attaching the JUnit Case to reproduce the issue

> Revoking privileges on a DB removes HDFS ACLs on its table files even if 
> there is a role for one of its tables.
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-859
>                 URL: https://issues.apache.org/jira/browse/SENTRY-859
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hdfs Plugin
>    Affects Versions: 1.4.0
>         Environment: CDH 5.4.3
>            Reporter: HanCheol Cho
>            Priority: Minor
>         Attachments: SENTRY-859.patch
>
>
> This may not be a common use-case, but I think that grant/revoke in Hive and 
> HDFS ACLs should be synchronized in this case too.
> Assume that you have a DB named test_db with a table customer.
> First, create a role db1 with all privileges on test_db and grant it to
> the group named user1.
> Second, create a role tbl1 with all privileges on the table test_db.customer
> and grant it to user1.
> Then, revoke db1 role from user1.
> As a result, the group user1 still has the role tbl1, but the the table 
> directory does not have the ACL entry for the group user1.
> You can reproduce this problem as follows:
> // grant all privileges on the database test_db to a user     
>  create role db1;     
>  grant all on database test_db to role db1;   
>  grant role db1 to group `user1`;     
>       
>  hdfs dfs -getfacl /user/hive/warehouse/test_db.db
>       # file: /user/hive/warehouse/test_db.db
>       # owner: hive
>       # group: hive
>       user::rwx
>       group::---
>       group:user1:rwx
>       user:hive:rwx
>       group:hive:rwx
>       mask::rwx
>       other::---
>       
> // grant all privileges on a specific table of the db to the user     
>  create role tbl1;    
>  grant all on table test_db.customer to role tbl1;    
>  grant role tbl1 to group `user1`;    
>       
> hdfs dfs -getfacl /user/hive/warehouse/test_db.db     
>       # file: /user/hive/warehouse/test_db.db
>       # owner: hive
>       # group: hive
>       user::rwx
>       group::---
>       group:user1:rwx
>       user:hive:rwx
>       group:hive:rwx
>       mask::rwx
>       other::---
>       
> // revoke the db grant        
> revoke role db1 from group `user1`;   
>       
> // table grant still exists   
> show role grant group `user1`;        
>       +---------+---------------+-------------+----------+--+
>       |  role   | grant_option  | grant_time  | grantor  |
>       +---------+---------------+-------------+----------+--+
>       | tbl1    | false         | NULL        | --       |
>       +---------+---------------+-------------+----------+--+
>       
> // but hdfs acl on the table, customer, does not exist anymore        
> hdfs dfs -getfacl /user/hive/warehouse/test_db.db/customer    
>       # file: /user/hive/warehouse/test_db.db/customer
>       # owner: hive
>       # group: hive
>       user::rwx
>       group::---
>       user:hive:rwx
>       group:hive:rwx
>       mask::rwx
>       other::---



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to