[ https://issues.apache.org/jira/browse/SENTRY-1772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015312#comment-16015312 ]

Alexander Kolbasov commented on SENTRY-1772:
--------------------------------------------

The problem is with this function:

{code}
  private boolean syncWithPolicyStore(HiveAuthzConf.AuthzConfVars syncConfVar) {
    // Fallback is the literal "true": the default declared on AuthzConfVars
    // is never consulted when the key is not set in authzConf.
    return "true"
        .equalsIgnoreCase((authzConf.get(syncConfVar.getVar(), "true")));
  }
{code}

The function in HmsFollower is copied from {{SentryMetastorePostEventListener}}.

Note that the default is always true, even when the default specified in 
{{AuthzConfVars}} is false! So we are ignoring the default.
As a result, {{AUTHZ_SYNC_CREATE_WITH_POLICY_STORE}} is true rather than false 
and this causes the problem.

I am not sure why it worked originally.

> Permissions created before table creation are not reflected in HDFS ACLs
> ------------------------------------------------------------------------
>
>                 Key: SENTRY-1772
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1772
>             Project: Sentry
>          Issue Type: Sub-task
>          Components: Sentry
>    Affects Versions: sentry-ha-redesign
>            Reporter: Alexander Kolbasov
>            Assignee: Alexander Kolbasov
>             Fix For: sentry-ha-redesign
>
>
> On the latest sentry codebase, trying to create a table which already has 
> user permissions defined in Sentry no longer reflects HDFS ACLs on the 
> directories created as part of table creation.
> {code}
> sudo -u hive beeline -u 
> '"jdbc:hive2://host:10000/default;principal=hive/host@domain"'
> CREATE ROLE testdb_3583;
> GRANT ALL ON DATABASE testdb_3583 TO ROLE testdb_3583;
> GRANT ROLE testdb_3583 TO GROUP flume;
> GRANT ROLE cdep_global_admin to group systest;
> beeline -u '"jdbc:hive2://hostname:10000/default;principal=hive/host@domain"'
> CREATE DATABASE testdb_3583;
> CREATE TABLE testdb_3583.test_table1 (business_unit string, country string) 
> PARTITIONED BY (country_code string);
> sudo -u hdfs hadoop fs -getfacl -R 
> /user/hive/warehouse/testdb_3583.db/test_table1
> {code}
> Generally, we expect to see permission for the flume user showing up on the 
> folder /user/hive/warehouse/testdb_3583.db/test_table1. This works as 
> expected in earlier releases, but with the latest codebase the permission 
> doesn't show up anymore.
> {code}
> + sudo -u hdfs hadoop fs -getfacl -R 
> /user/hive/warehouse/testdb_3583.db/test_table1
> # file: /user/hive/warehouse/testdb_3583.db/test_table1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::--x
> {code}
> ACLs in old release:
> {code}
> + sudo -u hdfs hadoop fs -getfacl -R 
> /user/hive/warehouse/testdb_3583.db/test_table1
> # file: /user/hive/warehouse/testdb_3583.db/test_table1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> group:flume:rwx
> mask::rwx
> other::--x
> {code}
> ACLs in Sentry HA:
> {code}
> + sudo -u hdfs hadoop fs -getfacl -R 
> /user/hive/warehouse/testdb_3583.db/test_table1
> # file: /user/hive/warehouse/testdb_3583.db/test_table1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::--x
> {code}
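The following is an added example, not code from Sentry or from the comment author. It models the {{AuthzConfVars}} pattern with a constructed enum so the default-handling defect described in the comment can be run in isolation: the buggy helper falls back to the literal "true", the corrected helper falls back to the default declared on the variable, and a small check lists every variable whose effective value silently changes as a result. The enum, its property keys and the {{getDefault()}} accessor are assumptions for illustration; the real Sentry accessor may be named differently.

```java
import java.util.EnumMap;
import java.util.HashMap;
import java.util.Map;

// Added example, not Sentry's code. ConfVar is a constructed stand-in for
// HiveAuthzConf.AuthzConfVars; its keys and the getDefault() accessor are
// assumptions that mirror the pattern, not the project's real class.
public class SyncDefaultExample {

    // Each variable declares its own default, as AuthzConfVars does.
    enum ConfVar {
        AUTHZ_SYNC_CREATE_WITH_POLICY_STORE("example.sync.create", "false"),
        AUTHZ_SYNC_DROP_WITH_POLICY_STORE("example.sync.drop", "true");

        private final String varName;
        private final String defaultVal;

        ConfVar(String varName, String defaultVal) {
            this.varName = varName;
            this.defaultVal = defaultVal;
        }

        String getVar() { return varName; }
        String getDefault() { return defaultVal; }
    }

    private final Map<String, String> authzConf;

    SyncDefaultExample(Map<String, String> authzConf) {
        this.authzConf = authzConf;
    }

    // Buggy form from the comment: the fallback is the literal "true", so the
    // default declared on the enum is never consulted when the key is unset.
    boolean syncWithPolicyStoreBuggy(ConfVar var) {
        return "true".equalsIgnoreCase(authzConf.getOrDefault(var.getVar(), "true"));
    }

    // Corrected form: fall back to the variable's own declared default.
    boolean syncWithPolicyStoreFixed(ConfVar var) {
        return "true".equalsIgnoreCase(authzConf.getOrDefault(var.getVar(), var.getDefault()));
    }

    // Check: every variable whose effective value under the buggy helper differs
    // from the corrected one, mapped to the value the buggy helper reports.
    // An empty map means the hard-coded fallback changes nothing for this config.
    Map<ConfVar, Boolean> driftedDefaults() {
        Map<ConfVar, Boolean> drift = new EnumMap<>(ConfVar.class);
        for (ConfVar var : ConfVar.values()) {
            boolean buggy = syncWithPolicyStoreBuggy(var);
            boolean fixed = syncWithPolicyStoreFixed(var);
            if (buggy != fixed) {
                drift.put(var, buggy);
            }
        }
        return drift;
    }

    public static void main(String[] args) {
        // Constructed configuration with nothing set explicitly, as in a
        // deployment that relies on the declared defaults. Here the create
        // variable drifts: declared default false, buggy helper reports true.
        Map<String, String> unset = new HashMap<>();
        SyncDefaultExample relyingOnDefaults = new SyncDefaultExample(unset);
        System.out.println("unset config, drifted: " + relyingOnDefaults.driftedDefaults());

        // Constructed configuration with the key set explicitly: both helpers
        // read the same value, which is why the defect only shows up when the
        // property is left unset.
        Map<String, String> explicit = new HashMap<>();
        explicit.put(ConfVar.AUTHZ_SYNC_CREATE_WITH_POLICY_STORE.getVar(), "false");
        SyncDefaultExample explicitConf = new SyncDefaultExample(explicit);
        System.out.println("explicit config, drifted: " + explicitConf.driftedDefaults());
    }
}
```

Compile with {{javac SyncDefaultExample.java}} and run with {{java SyncDefaultExample}}. The {{driftedDefaults()}} check is the useful part when auditing a copied helper like the one in HmsFollower: any variable it reports is one where the code path behaves differently from what the declared default promises, even though no one changed the configuration.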



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
