[
https://issues.apache.org/jira/browse/SENTRY-1772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16016894#comment-16016894
]
Alexander Kolbasov commented on SENTRY-1772:
--------------------------------------------
As a side effect I discovered that the test is broken - it doesn't test anything
useful. All HDFS paths were incorrect and were causing exceptions.
> Permissions created before table creation are not reflected in HDFS ACLs
> ------------------------------------------------------------------------
>
> Key: SENTRY-1772
> URL: https://issues.apache.org/jira/browse/SENTRY-1772
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: sentry-ha-redesign
> Reporter: Alexander Kolbasov
> Assignee: Alexander Kolbasov
> Fix For: sentry-ha-redesign
>
> Attachments: SENTRY-1772.001-sentry-ha-redesign.patch
>
>
> On the latest Sentry codebase, trying to create a table which already has
> user permissions defined in Sentry no longer reflects HDFS ACLs on the
> directories created as part of table creation.
> {code}
> sudo -u hive beeline -u '"jdbc:hive2://host:10000/default;principal=hive/host@domain"'
> CREATE ROLE testdb_3583;
> GRANT ALL ON DATABASE testdb_3583 TO ROLE testdb_3583;
> GRANT ROLE testdb_3583 TO GROUP flume;
> GRANT ROLE cdep_global_admin to group systest;
> beeline -u '"jdbc:hive2://hostname:10000/default;principal=hive/host@domain"'
> CREATE DATABASE testdb_3583;
> CREATE TABLE testdb_3583.test_table1 (business_unit string, country string)
> PARTITIONED BY (country_code string);
> sudo -u hdfs hadoop fs -getfacl -R /user/hive/warehouse/testdb_3583.db/test_table1
> {code}
> Generally, we expect to see the permission for the flume user showing up on the
> folder /user/hive/warehouse/testdb_3583.db/test_table1. This works as
> expected in the earlier release, but with the latest codebase the permission
> doesn't show up anymore.
> {code}
> + sudo -u hdfs hadoop fs -getfacl -R /user/hive/warehouse/testdb_3583.db/test_table1
> # file: /user/hive/warehouse/testdb_3583.db/test_table1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::--x
> {code}
> ACLs in old release:
> {code}
> + sudo -u hdfs hadoop fs -getfacl -R /user/hive/warehouse/testdb_3583.db/test_table1
> # file: /user/hive/warehouse/testdb_3583.db/test_table1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> group:flume:rwx
> mask::rwx
> other::--x
> {code}
> ACLs in Sentry HA:
> {code}
> + sudo -u hdfs hadoop fs -getfacl -R /user/hive/warehouse/testdb_3583.db/test_table1
> # file: /user/hive/warehouse/testdb_3583.db/test_table1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::--x
> {code}
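
An added example (not code from the Sentry project or from the attached patch): a Python check that parses `hadoop fs -getfacl -R` output and lists the paths whose access ACL lacks the expected group entry, run on the two ACL listings quoted in the issue. The function names and the embedded sample strings are assumptions made for this illustration.

```python
import re

# Constructed sample: the "old release" listing quoted in the issue; the
# "Sentry HA" listing is the same text without the group:flume entry.
OLD_RELEASE = """\
# file: /user/hive/warehouse/testdb_3583.db/test_table1
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
group:flume:rwx
mask::rwx
other::--x
"""
SENTRY_HA = OLD_RELEASE.replace("group:flume:rwx\n", "")

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")

def parse_getfacl(text):
    """Return {path: {(scope, kind, name): perms}} from getfacl -R output."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            current = acls.setdefault(line[len("# file:"):].strip(), {})
        elif line and not line.startswith("#") and current is not None:
            # Drop any trailing "#effective:" annotation before matching.
            m = ENTRY.match(line.split("#", 1)[0].strip())
            if m:
                scope = "default" if m.group(1) else "access"
                current[(scope, m.group(2), m.group(3))] = m.group(4)
    return acls

def missing_group_acl(text, group, perms="rwx"):
    """Paths whose access ACL lacks group:<group> with at least `perms`."""
    missing = []
    for path, entries in parse_getfacl(text).items():
        have = entries.get(("access", "group", group), "---")
        if any(want != "-" and got != want for want, got in zip(perms, have)):
            missing.append(path)
    return missing

if __name__ == "__main__":
    for label, out in (("old release", OLD_RELEASE), ("Sentry HA", SENTRY_HA)):
        print(label, "missing group:flume on:", missing_group_acl(out, "flume"))
```

The check compares the ACL entries as listed and does not apply the `mask` entry, which is `rwx` in both listings above.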