Posted to commits@sentry.apache.org by "Ryan P (JIRA)" <ji...@apache.org> on 2015/11/10 15:38:11 UTC

[jira] [Commented] (SENTRY-951) move hive warehouse dir to /hive, the dir doesn't have hive:hive as owner.

    [ https://issues.apache.org/jira/browse/SENTRY-951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14998669#comment-14998669 ] 

Ryan P commented on SENTRY-951:
-------------------------------

Correct me if I am wrong, but I believe the default /user/hive/warehouse is only owned by hive:hive because that is part of the setup process. Hive doesn't actually set these permissions; the administrator does. Same goes for the sticky bit. Not really sure this is a bug so much as a happenstance when decoupling the metadata from its storage.

Alternatively, we could treat all configured prefixes as 'managed', which would return hive:hive when getUser() and getGroup() are called from the authorization provider.



> move hive warehouse dir to /hive, the dir doesn't have hive:hive as owner.
> --------------------------------------------------------------------------
>
>                 Key: SENTRY-951
>                 URL: https://issues.apache.org/jira/browse/SENTRY-951
>             Project: Sentry
>          Issue Type: Bug
>            Reporter: Anne Yu
>
> {noformat}
> sudo -u hdfs hdfs dfs -mkdir -p /another
> sudo -u hdfs hdfs dfs -getfacl /another
> hfds:supergroup
> {noformat}
> put /another into hive.metastore.warehouse.dir;
> add /another into hdfs sentry syncup prefix;
> restart hive, sentry, hdfs
> {code}
> [root@anneyu-538-1 ~]# sudo -u hdfs hdfs dfs -getfacl /another
> # file: /another
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> other::r-x
> {code}
> If you create a table, you will get the errors below:
> {code}
> 0: jdbc:hive2://anneyu-538-4.vpc.cloudera.com> create table test7(s string);
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=hive, access=WRITE, inode="/another":hdfs:supergroup:drwxr-xr-x
> {code}



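An added example, not part of the original thread or of Sentry's code: a small Python check that parses the `hdfs dfs -getfacl` output quoted in the issue and evaluates it in HDFS ACL order, showing why user=hive is denied WRITE on /another. The function names and the group list passed for hive are assumptions; HDFS superuser bypass and ACLs synced by Sentry are not modelled.

```python
# Constructed sample: the `hdfs dfs -getfacl /another` output quoted in the issue.
GETFACL_OUTPUT = """\
# file: /another
# owner: hdfs
# group: supergroup
user::rwx
group::r-x
other::r-x
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries are (type, name, perms) tuples."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # Access entries only; default ACLs apply to new children, not to this inode.
            kind, name, perms = line.split(":")[:3]
            entries.append((kind, name, perms[:3]))  # drop any "#effective" suffix
    return owner, group, entries

def can_access(text, user, user_groups, want):
    """Evaluate one permission letter ('r', 'w' or 'x') in HDFS ACL order."""
    owner, group, entries = parse_getfacl(text)
    acl = {(kind, name): perms for kind, name, perms in entries}
    mask = acl.get(("mask", ""), "rwx")  # no mask entry means nothing is filtered
    if user == owner:                    # 1. owner entry, never masked
        return want in acl[("user", "")]
    if ("user", user) in acl:            # 2. named user entry, filtered by mask
        return want in acl[("user", user)] and want in mask
    # 3. owning group (unnamed entry) and named groups the user belongs to
    group_perms = [p for (k, n), p in acl.items()
                   if k == "group" and (n or group) in user_groups]
    if group_perms:
        return any(want in p and want in mask for p in group_perms)
    return want in acl[("other", "")]    # 4. everyone else

if __name__ == "__main__":
    # hive is neither the owner nor in supergroup, so it falls through to other::r-x.
    print("hive WRITE on /another:", can_access(GETFACL_OUTPUT, "hive", ["hive"], "w"))
```
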