Ruslan Dautkhanov commented on SENTRY-2134:

I think if you end up supporting URI grants too, it would have to act slightly 
 * ACLs for URI grant locations should be appended (merged with ) to ACLs 
that're already in hdfs 
 * unlike ACLs for databases that overwrite hdfs ACLs

This is because URI grants are normally given to tables in some locations that 
are accessed not by Hive for example, 
but there could be an external process that feeds data to that location and 
it's setup is done through HDFS acls.

Just my two cents.

But I agree it would be awesome to support URI grants through Sentry too - so 
we don't have to maintain this in Sentry 
and manually at HDFS level.

Thank you.

> Apply Hive URI grants recursively to subdirectories
> ---------------------------------------------------
>                 Key: SENTRY-2134
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2134
>             Project: Sentry
>          Issue Type: Improvement
>          Components: Hive Binding
>    Affects Versions: 1.8.0, 2.0.0, 1.7.1
>            Reporter: Ruslan Dautkhanov
>            Priority: Major
>              Labels: hive, uri
> Currently we need to add direct grants for all Hive tables' LOCATIONs. 
> Like, 'hdfs_staging/table1', 'hdfs_staging/table2', etc.. 
> It's not manageable this way. - we can't add grants for each and every table. 
> It would be great if we could just do one grant - 
> 'hdfs_staging/' so it would automatically be applied to  
> 'hdfs_staging/table1', 'hdfs_staging/table2', and other subdirectories.
> There is probably a reason this wasn't implemented earlier? Thanks for 
> considering this improvement.
> Also found another user's request on this - 
> https://community.cloudera.com/t5/Interactive-Short-cycle-SQL/Impala-Sentry-GRANT-ALL-ON-URI-not-cascaded-down-through/td-p/39928

This message was sent by Atlassian JIRA

Reply via email to