[
https://issues.apache.org/jira/browse/SENTRY-2134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16363281#comment-16363281
]
Ruslan Dautkhanov commented on SENTRY-2134:
-------------------------------------------
I think if you end up supporting URI grants too, it would have to act slightly
differently:
* ACLs for URI grant locations should be appended (merged with ) to ACLs
that're already in hdfs
* unlike ACLs for databases that overwrite hdfs ACLs
This is because URI grants are normally given to tables in some locations that
are accessed not by Hive for example,
but there could be an external process that feeds data to that location and
it's setup is done through HDFS acls.
Just my two cents.
But I agree it would be awesome to support URI grants through Sentry too - so
we don't have to maintain this in Sentry
and manually at HDFS level.
Thank you.
> Apply Hive URI grants recursively to subdirectories
> ---------------------------------------------------
>
> Key: SENTRY-2134
> URL: https://issues.apache.org/jira/browse/SENTRY-2134
> Project: Sentry
> Issue Type: Improvement
> Components: Hive Binding
> Affects Versions: 1.8.0, 2.0.0, 1.7.1
> Reporter: Ruslan Dautkhanov
> Priority: Major
> Labels: hive, uri
>
> Currently we need to add direct grants for all Hive tables' LOCATIONs.
> Like, 'hdfs_staging/table1', 'hdfs_staging/table2', etc..
> It's not manageable this way. - we can't add grants for each and every table.
> It would be great if we could just do one grant -
> 'hdfs_staging/' so it would automatically be applied to
> 'hdfs_staging/table1', 'hdfs_staging/table2', and other subdirectories.
> There is probably a reason this wasn't implemented earlier? Thanks for
> considering this improvement.
> Also found another user's request on this -
> https://community.cloudera.com/t5/Interactive-Short-cycle-SQL/Impala-Sentry-GRANT-ALL-ON-URI-not-cascaded-down-through/td-p/39928
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
