You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@sentry.apache.org by "Marek Sušický (JIRA)" <ji...@apache.org> on 2016/07/08 14:18:11 UTC
[jira] [Commented] (SENTRY-1392) Umask 077 leads to Hive crash with
Sentry
[ https://issues.apache.org/jira/browse/SENTRY-1392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367721#comment-15367721 ]
Marek Sušický commented on SENTRY-1392:
---------------------------------------
Duplicity, but issue 7 has patch inside.
> Umask 077 leads to Hive crash with Sentry
> -----------------------------------------
>
> Key: SENTRY-1392
> URL: https://issues.apache.org/jira/browse/SENTRY-1392
> Project: Sentry
> Issue Type: Bug
> Components: Hive Binding
> Affects Versions: 1.5.1
> Environment: CDH 5.7.1, Sentry 1.5.1
> Reporter: Marek Sušický
> Labels: easyfix
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Hi,
> I installed CDH with Sentry and in Impala everything works fine. We have security demands that umask 077 should be used, so I changed default 022 to 077.
> But Hive says "No databases found.". In /var/log/hive is following stacktrace:
> 2016-07-08 16:05:58,085 WARN org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
> org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
> at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
> at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
> at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
> at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
> ......
> ......
> Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
> at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
> at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
> at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
> at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
> ... 30 more
> I investigated this issue and in sourcecode I found following lines:
> if("077".equalsIgnoreCase(defaultUmask)) {
> LOG.error("HiveServer2 required a default umask of 077");
> throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY +
> " should be 077 in non-testing mode");
> }
> I think, that one exclamation mark is missing:
> if (!"077".equalsIgnoreCase(defaultUmask)).....
> Thanks
> Marek
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)