You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@sentry.apache.org by "Lars Francke (JIRA)" <ji...@apache.org> on 2019/02/19 14:09:00 UTC
[jira] [Updated] (SENTRY-1392) Umask 077 leads to Hive crash with
Sentry
[ https://issues.apache.org/jira/browse/SENTRY-1392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lars Francke updated SENTRY-1392:
---------------------------------
Attachment: SENTRY-1392.001.patch
> Umask 077 leads to Hive crash with Sentry
> -----------------------------------------
>
> Key: SENTRY-1392
> URL: https://issues.apache.org/jira/browse/SENTRY-1392
> Project: Sentry
> Issue Type: Bug
> Components: Hive Binding
> Affects Versions: 1.5.1
> Environment: CDH 5.7.1, Sentry 1.5.1
> Reporter: Marek Sušický
> Priority: Major
> Labels: easyfix
> Attachments: SENTRY-1392.001.patch
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Hi,
> I installed CDH with Sentry and in Impala everything works fine. We have security demands that umask 077 should be used, so I changed default 022 to 077.
> But Hive says "No databases found.". In /var/log/hive is following stacktrace:
> 2016-07-08 16:05:58,085 WARN org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
> org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
> at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
> at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
> at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
> at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
> ......
> ......
> Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
> at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
> at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
> at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
> at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
> ... 30 more
> I investigated this issue and in sourcecode I found following lines:
> if("077".equalsIgnoreCase(defaultUmask)) {
> LOG.error("HiveServer2 required a default umask of 077");
> throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY +
> " should be 077 in non-testing mode");
> }
> I think, that one exclamation mark is missing:
> if (!"077".equalsIgnoreCase(defaultUmask)).....
> Thanks
> Marek
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)