Posted to commits@sentry.apache.org by "HanCheol Cho (JIRA)" <ji...@apache.org> on 2015/08/28 03:45:45 UTC

[jira] [Updated] (SENTRY-859) Revoking privileges on a DB removes HDFS ACLs on its table files even if there is a role for one of its tables.

     [ https://issues.apache.org/jira/browse/SENTRY-859?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

HanCheol Cho updated SENTRY-859:
--------------------------------
    Description: 
This may not be a common use-case, but I think that grant/revoke in Hive and HDFS ACLs should be synchronized in this case too.

Assume that you have a DB named test_db with a table customer.
First, create a role db1 with all privileges on test_db and grant it to
the group named user1.
Second, create a role tbl1 with all privileges on the table test_db.customer
and grant it to user1.
Then, revoke db1 role from user1.

As a result, the group user1 still has the role tbl1, but the table directory does not have the ACL entry for the group user1.



You can reproduce this problem as follows:

// grant all privileges on the database test_db to a user	
 create role db1;	
 grant all on database test_db to role db1;	
 grant role db1 to group `user1`;	
	
 hdfs dfs -getfacl /user/hive/warehouse/test_db.db
	# file: /user/hive/warehouse/test_db.db
	# owner: hive
	# group: hive
	user::rwx
	group::---
	group:user1:rwx
	user:hive:rwx
	group:hive:rwx
	mask::rwx
	other::---
	
// grant all privileges on a specific table of the db to the user	
 create role tbl1;	
 grant all on table test_db.customer to role tbl1;	
 grant role tbl1 to group `user1`;	
	
hdfs dfs -getfacl /user/hive/warehouse/test_db.db	
	# file: /user/hive/warehouse/test_db.db
	# owner: hive
	# group: hive
	user::rwx
	group::---
	group:user1:rwx
	user:hive:rwx
	group:hive:rwx
	mask::rwx
	other::---
	
// revoke the db grant	
revoke role db1 from group `user1`;	
	
// table grant still exists	
show role grant group `user1`;	
	+---------+---------------+-------------+----------+--+
	|  role   | grant_option  | grant_time  | grantor  |
	+---------+---------------+-------------+----------+--+
	| tbl1    | false         | NULL        | --       |
	+---------+---------------+-------------+----------+--+
	
// but hdfs acl on the table, customer, does not exist anymore	
hdfs dfs -getfacl /user/hive/warehouse/test_db.db/customer	
	# file: /user/hive/warehouse/test_db.db/customer
	# owner: hive
	# group: hive
	user::rwx
	group::---
	user:hive:rwx
	group:hive:rwx
	mask::rwx
	other::---



> Revoking privileges on a DB removes HDFS ACLs on its table files even if there is a role for one of its tables.
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-859
>                 URL: https://issues.apache.org/jira/browse/SENTRY-859
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hdfs Plugin
>    Affects Versions: 1.4.0
>         Environment: CDH 5.4.3
>            Reporter: HanCheol Cho
>            Priority: Minor
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
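An added example, not Sentry code and not part of the issue: a small model of how Hive/Sentry privileges should map to HDFS ACL entries, plus a parser for `hdfs dfs -getfacl` output, so an operator can detect the drift the report describes (a table directory missing `group:user1` although role tbl1 still grants on that table). The warehouse root, the `Privilege`/`object_path` model and the `acl_drift` function are assumptions; the grants and the getfacl dump are copied from the report.

```python
from dataclasses import dataclass
from typing import Optional

WAREHOUSE = "/user/hive/warehouse"  # warehouse root seen in the report's paths

@dataclass(frozen=True)
class Privilege:
    role: str
    db: str
    table: Optional[str] = None  # None means a database-level privilege

def object_path(db, table=None):
    path = f"{WAREHOUSE}/{db}.db"
    return path if table is None else f"{path}/{table}"

def expected_acl_groups(path, privileges, role_groups):
    """Groups that should hold a named ACL entry on `path`: every group holding a
    role whose object is `path` or an ancestor of it (a DB privilege covers its
    tables). Revoking one role must keep entries another role still justifies."""
    groups = set()
    for priv in privileges:
        obj = object_path(priv.db, priv.table)
        if path == obj or path.startswith(obj + "/"):
            groups.update(role_groups.get(priv.role, ()))
    return groups

def parse_getfacl_groups(text):
    """Named group entries ('group:user1:rwx') in `hdfs dfs -getfacl` output,
    ignoring the unnamed 'group::' entry and the owning group's own entry."""
    owner_group, groups = None, set()
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# group:"):
            owner_group = line.split(":", 1)[1].strip()
        elif line.startswith("group:") and line.split(":")[1]:
            groups.add(line.split(":")[1])
    groups.discard(owner_group)
    return groups

def acl_drift(path, facl_text, privileges, role_groups):
    """Sentry-derived expectation vs. the ACL actually present on HDFS."""
    expected = expected_acl_groups(path, privileges, role_groups)
    actual = parse_getfacl_groups(facl_text)
    return {"missing": expected - actual, "extra": actual - expected}

# Constructed from the report: after `revoke role db1 from group user1`, db1 has no
# grantee left while tbl1 is still granted to user1; the getfacl dump is the issue's.
PRIVILEGES = [Privilege("db1", "test_db"), Privilege("tbl1", "test_db", "customer")]
ROLE_GROUPS_AFTER_REVOKE = {"db1": set(), "tbl1": {"user1"}}
TABLE_FACL_AFTER_REVOKE = ("# file: /user/hive/warehouse/test_db.db/customer\n# owner: hive\n"
    "# group: hive\nuser::rwx\ngroup::---\nuser:hive:rwx\ngroup:hive:rwx\nmask::rwx\nother::---\n")
```

`acl_drift(object_path("test_db", "customer"), TABLE_FACL_AFTER_REVOKE, PRIVILEGES, ROLE_GROUPS_AFTER_REVOKE)` reports `user1` as missing, which is exactly the symptom in the report; running the same check over each table directory after a revoke is a cheap way to catch this class of de-synchronisation.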