Posted to issues@sentry.apache.org by "Sravya Tirukkovalur (JIRA)" <ji...@apache.org> on 2016/09/16 19:33:20 UTC

[jira] [Commented] (SENTRY-951) move hive warehouse dir to /hive, the dir doesn't have hive:hive as owner.

    [ https://issues.apache.org/jira/browse/SENTRY-951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15497170#comment-15497170 ] 

Sravya Tirukkovalur commented on SENTRY-951:
--------------------------------------------

Thought it might be useful to summarize the issue reported here, expected semantics and recommendation. 

HDFS Sentry sync semantics:
Sentry manages the paths which are Hive objects and are specified in the prefix.paths. When it is Sentry managed, the path would have 771 + hive:hive owned.

Hive semantics when default warehouse is updated:
When default warehouse is changed, say to "/data"
- default db location still remains at /user/hive/warehouse
- Tables created before the move still remain at /user/hive/warehouse/oldTable
- New tables created in default db after the change will live in the new location "/data/newtable"

Sentry HDFS Sync semantics of new warehouse dir given the above hive semantics:
As there is no Hive object at /data, it will not be Sentry managed even after /data is added to prefix.paths.

So it is important to make sure the permissions of /data are such that the "hive" super group has all access and its children are reachable for other users who might have ACLs on children. So the recommendation is to do the following on the new warehouse dir.
hdfs dfs -chown hive:hive /data
hdfs dfs -chmod 771 /data

[~anneyu] [~hahao] Can you cross verify the content here? 

> move hive warehouse dir to /hive, the dir doesn't have hive:hive as owner.
> --------------------------------------------------------------------------
>
>                 Key: SENTRY-951
>                 URL: https://issues.apache.org/jira/browse/SENTRY-951
>             Project: Sentry
>          Issue Type: Bug
>            Reporter: Anne Yu
>            Assignee: Anne Yu
>             Fix For: 1.8.0
>
>         Attachments: SENTRY-951.0.test.patch
>
>
> {noformat}
> sudo -u hdfs hdfs dfs -mkdir -p /another
> sudo -u hdfs hdfs dfs -getfacl /another
> hfds:supergroup
> {noformat}
> put /another into hive.metastore.warehouse.dir;
> add /another into hdfs sentry syncup prefix;
> restart hive, sentry, hdfs
> {code}
> [root@anneyu-538-1 ~]# sudo -u hdfs hdfs dfs -getfacl /another
> # file: /another
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> other::r-x
> {code}
> If you create a table, you will get the below errors:
> {code}
> 0: jdbc:hive2://anneyu-538-4.vpc.cloudera.com> create table test7(s string);
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=hive, access=WRITE, inode="/another":hdfs:supergroup:drwxr-xr-x
> {code}
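
Added example (not part of the original JIRA message or of Sentry's code): a POSIX shell check that parses `hdfs dfs -getfacl` output and compares it with the hive:hive / 771 recommendation in the comment above. The function names and the second sample (the /data output after the fix) are constructed for illustration, and the check assumes the directory has no extended ACL entries or mask.

```shell
#!/bin/sh
# Added example: audit getfacl output for a warehouse dir that Sentry does
# not manage, against the recommended owner hive:hive and mode 771.
# Assumption: only base ACL entries (user::, group::, other::) are present.

# Reads getfacl output on stdin; prints "owner group mode" (e.g. "hdfs supergroup 755").
acl_summary() {
    awk '
        function bits(p) {   # "r-x" -> 5
            return (p ~ /^r/ ? 4 : 0) + (p ~ /^.w/ ? 2 : 0) + (p ~ /^..x/ ? 1 : 0)
        }
        /^# owner: / { owner = $3 }
        /^# group: / { group = $3 }
        /^user::/    { u = bits(substr($0, 7)) }
        /^group::/   { g = bits(substr($0, 8)) }
        /^other::/   { o = bits(substr($0, 8)) }
        END { printf "%s %s %d%d%d\n", owner, group, u, g, o }
    '
}

# Reads getfacl output on stdin; returns 0 if it matches the recommendation,
# otherwise prints each mismatch and returns 1.
check_warehouse_dir() {
    set -- $(acl_summary)
    rc=0
    [ "$1" = "hive" ] || { echo "owner is '$1', expected hive"; rc=1; }
    [ "$2" = "hive" ] || { echo "group is '$2', expected hive"; rc=1; }
    [ "$3" = "771" ]  || { echo "mode is '$3', expected 771"; rc=1; }
    return $rc
}

# getfacl output quoted in the issue description (directory created by hdfs).
sample_before() {
    printf '%s\n' '# file: /another' '# owner: hdfs' '# group: supergroup' \
        'user::rwx' 'group::r-x' 'other::r-x'
}

# Constructed sample: expected output after the recommended chown and chmod.
sample_after() {
    printf '%s\n' '# file: /data' '# owner: hive' '# group: hive' \
        'user::rwx' 'group::rwx' 'other::--x'
}

sample_before | check_warehouse_dir || echo "=> /another does not match"
sample_after  | check_warehouse_dir && echo "=> /data matches"
```

Against a live cluster the same function reads the real command's output: hdfs dfs -getfacl /data | check_warehouse_dir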


