You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@sentry.apache.org by "HanCheol Cho (JIRA)" <ji...@apache.org> on 2015/08/27 11:43:46 UTC

[jira] [Created] (SENTRY-859) Revoking privileges on a DB removes HDFS ACLs on its table files even if there is a role for one of its tables.

HanCheol Cho created SENTRY-859:
-----------------------------------

             Summary: Revoking privileges on a DB removes HDFS ACLs on its table files even if there is a role for one of its tables.
                 Key: SENTRY-859
                 URL: https://issues.apache.org/jira/browse/SENTRY-859
             Project: Sentry
          Issue Type: Bug
          Components: Hdfs Plugin
    Affects Versions: 1.4.0
         Environment: CDH 5.4.3
            Reporter: HanCheol Cho
            Priority: Minor


This may not be a common use-case, but I think that grant/revoke in Hive and HDFS ACLs should be synchronized in this case too.

Assume that you have a DB named test_db with a table customer.
First, create a role db1 with all privileges on test_db and grant it to
the group named user1.
Second, create a role tbl1 with all privileges on the table test_db.customer
and grant it to user1.
Then, revoke db1 role from user1.

As a result, the group user1 still has the role tbl1, but the the table directory does not have the ACL entry for the group user1.



You can reproduce this problem as fllows:

// grant all privileges on the database test_db to a user	
 create role db1;	
 grant all on database test_db to role db1;	
 grant role db1 to group `user1`;	
	
 hdfs dfs -getfacl /user/hive/warehouse/test_db.db
	# file: /user/hive/warehouse/test_db.db
	# owner: hive
	# group: hive
	user::rwx
	group::---
	group:user1:rwx
	user:hive:rwx
	group:hive:rwx
	mask::rwx
	other::---
	
// grant all privileges on a specific table of the db to the user	
 create role tbl1;	
 grant all on table test_db.customer to role tbl1;	
 grant role tbl1 to group `user1`;	
	
hdfs dfs -getfacl /user/hive/warehouse/test_db.db	
	# file: /user/hive/warehouse/test_db.db
	# owner: hive
	# group: hive
	user::rwx
	group::---
	group:user1:rwx
	user:hive:rwx
	group:hive:rwx
	mask::rwx
	other::---
	
// revoke the db grant	
revoke role db1 from group `user1`;	
	
// table grant still exists	
show role grant group `user1`;	
	+---------+---------------+-------------+----------+--+
	|  role   | grant_option  | grant_time  | grantor  |
	+---------+---------------+-------------+----------+--+
	| tbl1    | false         | NULL        | --       |
	+---------+---------------+-------------+----------+--+
	
// but hdfs acl on the table, customer, does not exist anymore	
hdfs dfs -getfacl /user/hive/warehouse/test_db.db/customer	
	# file: /user/hive/warehouse/test_db.db/customer
	# owner: hive
	# group: hive
	user::rwx
	group::---
	user:hive:rwx
	group:hive:rwx
	mask::rwx
	other::---




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)