You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@sentry.apache.org by "Marek Sušický (JIRA)" <ji...@apache.org> on 2016/07/08 14:18:11 UTC

[jira] [Commented] (SENTRY-1392) Umask 077 leads to Hive crash with Sentry

    [ https://issues.apache.org/jira/browse/SENTRY-1392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367721#comment-15367721 ] 

Marek Sušický commented on SENTRY-1392:
---------------------------------------

Duplicity, but issue 7 has patch inside.

> Umask 077 leads to Hive crash with Sentry
> -----------------------------------------
>
>                 Key: SENTRY-1392
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1392
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hive Binding
>    Affects Versions: 1.5.1
>         Environment: CDH 5.7.1, Sentry 1.5.1
>            Reporter: Marek Sušický
>              Labels: easyfix
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Hi,
> I installed CDH with Sentry and in Impala everything works fine. We have security demands that umask 077 should be used, so I changed default 022 to 077.
> But Hive says "No databases found.". In /var/log/hive is following stacktrace:
> 2016-07-08 16:05:58,085 WARN  org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
> org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>         at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
>         at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
>         at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
>         at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
>         at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
> ......
> ......
> Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>         at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
>         at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
>         at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
>         at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
>         ... 30 more
> I investigated this issue and in sourcecode I found following lines:
> if("077".equalsIgnoreCase(defaultUmask)) {
>       LOG.error("HiveServer2 required a default umask of 077");
>       throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY +
>           " should be 077 in non-testing mode");
>     }
> I think, that one exclamation mark is missing:
> if (!"077".equalsIgnoreCase(defaultUmask)).....
> Thanks
> Marek



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)