[jira] [Commented] (SENTRY-2134) Apply Hive URI grants recursively to subdirectories

Wed, 16 May 2018 10:08:28 -0700 

    [ 
https://issues.apache.org/jira/browse/SENTRY-2134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16477743#comment-16477743
 ] 

Ruslan Dautkhanov commented on SENTRY-2134:
-------------------------------------------

[~akolb] 

{quote}what happens if there is table grant and URI grant? {quote}

I don't see a good use case when an external table would point to a directory 
under Hive warehouse-managed directory.
We have none of these tables.
I think answer to this question is simple - Hive warehouse managed locations 
take precedence and HDFS ACLs will be overridden by Sentry HDFS plugin, like 
its done currently. 

{quote}what happens if there is table grant and URI grant? Or there is URI 
grant on a directory and column-level privilege?{quote}

My understanding that column-level grants don't translate to HDFS level 
permissions/ ACLs, it's not correct?


[~belugabehr]

{quote}Sentry Sync can be keyed off URI alone and no longer on database/table 
location{quote}

Not sure I am following. Can you please elaborate?

Thank you.

> Apply Hive URI grants recursively to subdirectories
> ---------------------------------------------------
>
>                 Key: SENTRY-2134
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2134
>             Project: Sentry
>          Issue Type: Wish
>          Components: Hive Binding
>    Affects Versions: 1.8.0, 2.0.0, 1.7.1
>            Reporter: Ruslan Dautkhanov
>            Priority: Major
>              Labels: hive, uri
>
> Currently we need to add direct grants for all Hive tables' LOCATIONs. 
> Like, 'hdfs_staging/table1', 'hdfs_staging/table2', etc.. 
> It's not manageable this way. - we can't add grants for each and every table. 
> It would be great if we could just do one grant - 
> 'hdfs_staging/' so it would automatically be applied to  
> 'hdfs_staging/table1', 'hdfs_staging/table2', and other subdirectories.
> There is probably a reason this wasn't implemented earlier? Thanks for 
> considering this improvement.
> Also found another user's request on this - 
> https://community.cloudera.com/t5/Interactive-Short-cycle-SQL/Impala-Sentry-GRANT-ALL-ON-URI-not-cascaded-down-through/td-p/39928



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to