[ https://issues.apache.org/jira/browse/SENTRY-1392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16771951#comment-16771951 ]
Lars Francke commented on SENTRY-1392:
--------------------------------------

I've attached a patch that fixes this.

I'm not 100% certain what [~br...@phdata.io] intentions were but I'm not sure why this check was ever added.

This was added in this commit:
https://github.com/apache/sentry/commit/daaf53e607d98419edf7434b5a881d4eca06dd97

Which refers to this ticket https://issues.cloudera.org/browse/ACCESS-189

The patch attached to that ticket does not even contain the check that I'm removing here so it seems as if it was added by accident.

I don't know why Hive would not support umask of 077 (I can be wrong but I'm a Hive committer and haven't heard of such a limitation). As long as Hive can still access the data with its user it should be fine to have a umask of 077.

This patch removes this check entirely. I bet this was added for either testing reasons or to work around some issue that's long been fixed.

> Umask 077 leads to Hive crash with Sentry
> -----------------------------------------
>
>                 Key: SENTRY-1392
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1392
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hive Binding
>    Affects Versions: 1.5.1
>         Environment: CDH 5.7.1, Sentry 1.5.1
>            Reporter: Marek Sušický
>            Assignee: Lars Francke
>            Priority: Major
>              Labels: easyfix
>         Attachments: SENTRY-1392.001.patch
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Hi,
> I installed CDH with Sentry and in Impala everything works fine. We have
> security demands that umask 077 should be used, so I changed default 022 to
> 077.
> But Hive says "No databases found.".
> In /var/log/hive is the following stack trace:
> 2016-07-08 16:05:58,085 WARN org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
> org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>       at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
>       at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
>       at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
>       at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
>       at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
> ......
> ......
> Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>       at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
>       at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
>       at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
>       at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
>       ... 30 more
> I investigated this issue and in the source code I found the following lines:
>       if("077".equalsIgnoreCase(defaultUmask)) {
>         LOG.error("HiveServer2 required a default umask of 077");
>         throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY +
>             " should be 077 in non-testing mode");
>       }
> I think that one exclamation mark is missing:
> if (!"077".equalsIgnoreCase(defaultUmask)).....
> Thanks
> Marek

--
This message was sent by Atlassian JIRA (v7.6.3#76005)