Posted to issues@hive.apache.org by "Carita Ou (JIRA)" <ji...@apache.org> on 2015/09/11 23:12:45 UTC

[jira] [Commented] (HIVE-11481) hive incorrectly set extended ACLs for unnamed group for new databases/tables with inheritPerms enabled

    [ https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14741541#comment-14741541 ] 

Carita Ou commented on HIVE-11481:
----------------------------------

Problem:
When creating a child directory, the ACLs of the new directory are set based on the file permissions of the parent directory instead of following the ACL inheritance rules. As a result, the ACL entry for the group, as well as the default ACLs, are not set correctly.

Proposed fix:
1. If the parent directory has default ACL entries set, then the child directory will inherit from the parent's ACL entries, including all named/unnamed user, group and default entries.
2. If the parent directory does not have default ACL entries, but does have some ACL entries set such as a named user, the group ACL entry for the sub-directory is already set correctly by default in the current implementation, but we still need to add the ACL entries for USER and OTHER.
3. If the parent directory does not have any ACL entries, set the child directory permissions using the parent's file permissions.

For reference, here is some background info on the mask: 
1. From hadoop documentation: "The mask is a special ACL entry that filters the permissions granted to all named user entries and named group entries, and also the unnamed group entry. If the user doesn't supply a mask while setting an ACL, then a mask is inserted automatically by calculating the union of permissions on all entries that would be filtered by the mask."
2. From Linux acl manual, section CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS: "If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry.  Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry."

> hive incorrectly set extended ACLs for unnamed group for new databases/tables with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-11481
>                 URL: https://issues.apache.org/jira/browse/HIVE-11481
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
>            Reporter: Carita Ou
>            Assignee: Carita Ou
>            Priority: Minor
>         Attachments: HIVE-11481.1.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:44 /user/hive/warehouse/testing.db
> $hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the group permissions for testing.db should also be ---
> The warehouse directory permissions show drwxrwx---+ which corresponds to user:mask:other. The subdirectory group ACL is set by calling FsPermission.getGroupAction() from Hadoop, which retrieves the file status permission rwx instead of the actual ACL permission, which is ---. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
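The three-case inheritance rule and the mask semantics quoted in the comment, modelled as an added example. This is plain Python written for this page, not Hive or Hadoop code: it parses `hadoop fs -getfacl` style output, reproduces the reported bug (the child's group entry taken from the parent's permission bits, which are the mask), and computes the child ACL the proposed fix describes. Case 1 is modelled with the POSIX rule that the parent's default ACL becomes the child's access and default ACLs (an assumption about the intended behaviour), the HDFS mask-insertion rule is applied verbatim from the quoted documentation, and the sample ACL is copied from the issue description.

```python
"""Model of the proposed ACL inheritance rule (added example, not Hive code).
Entries are (type, name, perms) tuples in hadoop fs -getfacl format."""

# Constructed input: the warehouse ACL exactly as listed in the issue.
WAREHOUSE_ACL = """\
# file: /user/hive/warehouse
# owner: hive
# group: hadoop
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""


def parse_getfacl(text):
    """Split getfacl output into (access, default) entry lists."""
    access, default = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] == "default":
            default.append((parts[1], parts[2], parts[3]))
        else:
            access.append((parts[0], parts[1], parts[2]))
    return access, default


def _union(perms):
    return "".join("rwx"[i] if any(p[i] != "-" for p in perms) else "-"
                   for i in range(3))


def _intersect(a, b):
    return "".join("rwx"[i] if a[i] != "-" and b[i] != "-" else "-"
                   for i in range(3))


def add_mask_if_needed(entries):
    """HDFS rule quoted in the comment: an ACL with named entries but no
    mask gets a mask equal to the union of all entries the mask filters
    (named users, named groups and the unnamed group). A minimal ACL
    (user/group/other only) gets no mask."""
    entries = list(entries)
    if any(t == "mask" for t, _, _ in entries):
        return entries
    if not any(n != "" for _, n, _ in entries):
        return entries
    filtered = [p for t, n, p in entries if n != "" or t == "group"]
    return entries + [("mask", "", _union(filtered))]


def mode_triples(entries):
    """The rwx string ls prints: per acl(5) the group triple is the mask
    entry when one exists, otherwise the group:: entry."""
    by = {(t, n): p for t, n, p in entries}
    group = by.get(("mask", ""), by[("group", "")])
    return by[("user", "")] + group + by[("other", "")]


def effective(entries):
    """Effective permission of each entry after mask filtering."""
    by = {(t, n): p for t, n, p in entries}
    mask = by.get(("mask", ""))
    return {(t, n): _intersect(p, mask) if mask and (n != "" or t == "group") else p
            for (t, n), p in by.items()}


def buggy_child_group(parent_access):
    """The reported behaviour: the child's group:: entry is read from the
    parent's permission bits, i.e. the mask, not the parent's group:: entry."""
    return mode_triples(parent_access)[3:6]


def child_acl(parent_access, parent_default):
    """Return (access, default) for a new child directory.
    Case 1: parent has default entries -> they become the child's access ACL
            (mask inserted if needed) and its own default ACL.
    Cases 2/3: no default entries -> child gets the parent's base
            user::/group::/other:: entries; with no extended ACL these are
            exactly the parent's permission bits (case 3)."""
    if parent_default:
        return add_mask_if_needed(parent_default), list(parent_default)
    base = [(t, n, p) for t, n, p in parent_access
            if n == "" and t in ("user", "group", "other")]
    return base, []


if __name__ == "__main__":
    access, default = parse_getfacl(WAREHOUSE_ACL)
    print("parent mode     :", mode_triples(access))
    print("buggy child grp :", buggy_child_group(access))
    child_access, _ = child_acl(access, default)
    print("fixed child mode:", mode_triples(child_access))
```

Running it on the warehouse ACL from the issue shows the parent's mode as rwxrwx--- (group triple = mask), the buggy derivation handing the child group rwx, and the proposed rule producing a child with group::--- and mode rwx------, which is what the reporter says testing.db should have received.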