Posted to issues@sentry.apache.org by "Eric Lin (JIRA)" <ji...@apache.org> on 2016/11/21 23:30:59 UTC

[jira] [Created] (SENTRY-1544) Sentry HDFS sync does not work for sentry admin user

Eric Lin created SENTRY-1544:
--------------------------------

             Summary: Sentry HDFS sync does not work for sentry admin user
                 Key: SENTRY-1544
                 URL: https://issues.apache.org/jira/browse/SENTRY-1544
             Project: Sentry
          Issue Type: Bug
          Components: Hdfs Plugin, Sentry
            Reporter: Eric Lin


How to reproduce the issue:

1. Assuming Sentry HDFS Sync is enabled

2. Create sentry admin user, grant correct group and server level access for this user:

{code}
GRANT ALL ON SERVER serve1 TO ROLE ericlin;
{code}

3. Confirmed that the new user can access all databases and tables, including READ and WRITE

4. Do the following simple hdfs command:

{code}
[ericlin@host-10-17-101-195 ~]$ hadoop fs -mkdir /user/hive/warehouse/ericlin
mkdir: Permission denied: user=ericlin, access=WRITE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
[ericlin@host-10-17-101-195 ~]$ hadoop fs -ls /user/hive/warehouse/
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
{code}

Same for other databases:

{code}
[ericlin@host-10-17-101-195 ~]$ hadoop fs -ls /user/hive/warehouse/test.db
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse/test.db":hive:hive:drwxrwx--x
{code}

getfacl shows the new user has no access to the warehouse directory:

{code}
hadoop fs -getfacl /user/hive/warehouse
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
group:yshi:rwx
mask::rwx
other::--x
{code}

The only way is to grant database or table permissions for the admin user.





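The following is an added example, not part of the original report and not Sentry or Hadoop code: it parses the getfacl output quoted above and applies the POSIX-style ACL evaluation order that HDFS follows, showing which entry decides each of ericlin's requests. The group membership used for ericlin is an assumption, since the report does not name the user's group.

```python
# Constructed sample: the getfacl output quoted in the report above.
GETFACL = """\
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
group:yshi:rwx
mask::rwx
other::--x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (type, name) -> perms."""
    meta, entries = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        elif line and not line.startswith("default:"):
            kind, name, perms = line.split(":")[:3]
            entries[(kind, name)] = set(perms[:3].replace("-", ""))
    return meta["owner"], meta["group"], entries

def check(user, groups, acl, wanted):
    """Return (allowed, deciding_entry) for the requested permission letters."""
    owner, owning_group, entries = acl
    wanted = set(wanted)
    mask = entries.get(("mask", ""), set("rwx"))
    if user == owner:  # the owner entry is not filtered by the mask
        return wanted <= entries[("user", "")], "user::"
    if ("user", user) in entries:
        return wanted <= entries[("user", user)] & mask, f"user:{user}"
    names = [""] if owning_group in groups else []
    names += [g for g in groups if ("group", g) in entries]
    for name in names:  # one matching group entry must grant everything asked
        if wanted <= entries[("group", name)] & mask:
            return True, f"group:{name}"
    if names:  # a group matched but none grants it: "other" is not consulted
        return False, "group entries"
    return wanted <= entries[("other", "")], "other::"

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL)
    # Assumption: ericlin belongs only to a group named "ericlin".
    for wanted in ("w", "rx", "x"):
        print(wanted, check("ericlin", ["ericlin"], acl, wanted))
```

With no user or group entry matching ericlin, every request falls through to `other::--x`, which matches the WRITE and READ_EXECUTE denials shown in the report.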