You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by "HanCheol Cho (JIRA)" <ji...@apache.org> on 2015/08/27 11:43:46 UTC
[jira] [Created] (SENTRY-859) Revoking privileges on a DB removes
HDFS ACLs on its table files even if there is a role for one of its tables.
HanCheol Cho created SENTRY-859:
-----------------------------------
Summary: Revoking privileges on a DB removes HDFS ACLs on its table files even if there is a role for one of its tables.
Key: SENTRY-859
URL: https://issues.apache.org/jira/browse/SENTRY-859
Project: Sentry
Issue Type: Bug
Components: Hdfs Plugin
Affects Versions: 1.4.0
Environment: CDH 5.4.3
Reporter: HanCheol Cho
Priority: Minor
This may not be a common use-case, but I think that grant/revoke in Hive and HDFS ACLs should be synchronized in this case too.
Assume that you have a DB named test_db with a table customer.
First, create a role db1 with all privileges on test_db and grant it to
the group named user1.
Second, create a role tbl1 with all privileges on the table test_db.customer
and grant it to user1.
Then, revoke db1 role from user1.
As a result, the group user1 still has the role tbl1, but the the table directory does not have the ACL entry for the group user1.
You can reproduce this problem as fllows:
// grant all privileges on the database test_db to a user
create role db1;
grant all on database test_db to role db1;
grant role db1 to group `user1`;
hdfs dfs -getfacl /user/hive/warehouse/test_db.db
# file: /user/hive/warehouse/test_db.db
# owner: hive
# group: hive
user::rwx
group::---
group:user1:rwx
user:hive:rwx
group:hive:rwx
mask::rwx
other::---
// grant all privileges on a specific table of the db to the user
create role tbl1;
grant all on table test_db.customer to role tbl1;
grant role tbl1 to group `user1`;
hdfs dfs -getfacl /user/hive/warehouse/test_db.db
# file: /user/hive/warehouse/test_db.db
# owner: hive
# group: hive
user::rwx
group::---
group:user1:rwx
user:hive:rwx
group:hive:rwx
mask::rwx
other::---
// revoke the db grant
revoke role db1 from group `user1`;
// table grant still exists
show role grant group `user1`;
+---------+---------------+-------------+----------+--+
| role | grant_option | grant_time | grantor |
+---------+---------------+-------------+----------+--+
| tbl1 | false | NULL | -- |
+---------+---------------+-------------+----------+--+
// but hdfs acl on the table, customer, does not exist anymore
hdfs dfs -getfacl /user/hive/warehouse/test_db.db/customer
# file: /user/hive/warehouse/test_db.db/customer
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:hive:rwx
mask::rwx
other::---
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)