You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Tim Armstrong (Jira)" <ji...@apache.org> on 2021/01/25 20:20:00 UTC

[jira] [Commented] (IMPALA-3657) Permission upon insert are wrong in hive warehouse table files

    [ https://issues.apache.org/jira/browse/IMPALA-3657?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17271655#comment-17271655 ] 

Tim Armstrong commented on IMPALA-3657:
---------------------------------------

This is controlled by the fs.permissions.umask-mode setting in hdfs-site.xml, which defaults to 022. It could make sense to change it to 002 if you're in a setup like this where Impala is in the hive group. This is probably not something that needs to be fixed in Apache Impala, but rather in management software that sets up users/groups etc.

> Permission upon insert are wrong in hive warehouse table files
> --------------------------------------------------------------
>
>                 Key: IMPALA-3657
>                 URL: https://issues.apache.org/jira/browse/IMPALA-3657
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: Impala 2.2.3
>         Environment: Cluster is Kerberized and has sentry
>            Reporter: Bala Chander
>            Assignee: Tim Armstrong
>            Priority: Minor
>              Labels: security
>
> Found an issue with permissions on warehouse.
> The Warehouse /user/hive/warehouse was set to owner hive:hive with 771 permissions recursively. User was granted write privilege on table (tbl-1) on database (db-1).
> Initially all grants were done with beeline.
> Next the user switched to impala-shell and inserted some data into tbl-1. The permissions on the new hdfs file was the following:
> ownership :  impala:hive
> permissions:  751 i.e. read and execute on group.
> The user cannot use insert overwrite via beeline sine the group hive has read only permissions.
> The documentation: http://www.cloudera.com/documentation/enterprise/latest/topics/impala_insert.html has the following:
> Related startup options:
> By default, if an INSERT statement creates any new subdirectories underneath a partitioned table, those subdirectories are assigned default HDFS permissions for the impala user. To make each subdirectory have the same permissions as its parent directory in HDFS, specify the --insert_inherit_permissions startup option for the impalad daemon.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org