Posted to issues@sentry.apache.org by "Eric Lin (JIRA)" <ji...@apache.org> on 2016/11/21 23:31:58 UTC

[jira] [Updated] (SENTRY-1544) Sentry HDFS sync does not work for sentry admin user

     [ https://issues.apache.org/jira/browse/SENTRY-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Lin updated SENTRY-1544:
-----------------------------
    Description: 
How to reproduce the issue:

1. Assuming Sentry HDFS Sync is enabled

2. Create a Sentry admin user, grant the correct group and server-level access for this user:

{code}
GRANT ALL ON SERVER serve1 TO ROLE ericlin;
{code}

3. Confirmed that the new user can access all databases and tables, including READ and WRITE

4. Do the following simple HDFS commands:

{code}
hadoop fs -mkdir /user/hive/warehouse/ericlin
mkdir: Permission denied: user=ericlin, access=WRITE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
hadoop fs -ls /user/hive/warehouse/
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
{code}

Same for other databases:

{code}
hadoop fs -ls /user/hive/warehouse/test.db
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse/test.db":hive:hive:drwxrwx--x
{code}

getfacl shows the new user has no access to the warehouse directory:

{code}
hadoop fs -getfacl /user/hive/warehouse
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
mask::rwx
other::--x
{code}

The only way is to grant database or table permissions for the admin user.



  was:
How to reproduce the issue:

1. Assuming Sentry HDFS Sync is enabled

2. Create a Sentry admin user, grant the correct group and server-level access for this user:

{code}
GRANT ALL ON SERVER serve1 TO ROLE ericlin;
{code}

3. Confirmed that the new user can access all databases and tables, including READ and WRITE

4. Do the following simple HDFS commands:

{code}
[ericlin@host-10-17-101-195 ~]$ hadoop fs -mkdir /user/hive/warehouse/ericlin
mkdir: Permission denied: user=ericlin, access=WRITE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
[ericlin@host-10-17-101-195 ~]$ hadoop fs -ls /user/hive/warehouse/
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
{code}

Same for other databases:

{code}
[ericlin@host-10-17-101-195 ~]$ hadoop fs -ls /user/hive/warehouse/test.db
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse/test.db":hive:hive:drwxrwx--x
{code}

getfacl shows the new user has no access to the warehouse directory:

{code}
hadoop fs -getfacl /user/hive/warehouse
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
group:yshi:rwx
mask::rwx
other::--x
{code}

The only way is to grant database or table permissions for the admin user.




> Sentry HDFS sync does not work for sentry admin user
> ----------------------------------------------------
>
>                 Key: SENTRY-1544
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1544
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hdfs Plugin, Sentry
>            Reporter: Eric Lin
>
> How to reproduce the issue:
> 1. Assuming Sentry HDFS Sync is enabled
> 2. Create a Sentry admin user, grant the correct group and server-level access for this user:
> {code}
> GRANT ALL ON SERVER serve1 TO ROLE ericlin;
> {code}
> 3. Confirmed that the new user can access all databases and tables, including READ and WRITE
> 4. Do the following simple HDFS commands:
> {code}
> hadoop fs -mkdir /user/hive/warehouse/ericlin
> mkdir: Permission denied: user=ericlin, access=WRITE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
> hadoop fs -ls /user/hive/warehouse/
> ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
> {code}
> Same for other databases:
> {code}
> hadoop fs -ls /user/hive/warehouse/test.db
> ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse/test.db":hive:hive:drwxrwx--x
> {code}
> getfacl shows the new user has no access to the warehouse directory:
> {code}
> hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::--x
> {code}
> The only way is to grant database or table permissions for the admin user.



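Added example, not part of the JIRA message and not Sentry or Hadoop code: a small evaluator for the getfacl output quoted in the report, showing why the ACL as printed denies READ_EXECUTE and WRITE to ericlin and leaves only the execute bit from the "other" entry. It assumes ericlin belongs to a group named "ericlin" (the report does not name the group), handles access ACL entries only, and does not model the HDFS superuser.

```python
# Added example: decide access from `hadoop fs -getfacl` output in the order
# HDFS uses: owner, named user, groups (filtered by mask), then other.
GETFACL = """\
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
mask::rwx
other::--x
"""  # ACL output copied from the report


def parse_getfacl(text):
    meta, entries = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        elif line and not line.startswith("default:"):  # access ACL only
            kind, name, perms = line.split(":")
            entries.append((kind, name, set(perms) - {"-"}))
    return meta, entries


def allowed(text, user, groups, access):
    """access is a permission string such as 'r-x' (READ_EXECUTE)."""
    meta, entries = parse_getfacl(text)
    want = set(access) - {"-"}
    mask = next((p for k, n, p in entries if k == "mask"), set("rwx"))
    if user == meta["owner"]:  # owner entry, not filtered by the mask
        return want <= next(p for k, n, p in entries if k == "user" and not n)
    for kind, name, perms in entries:  # then a named-user entry
        if kind == "user" and name == user:
            return want <= (perms & mask)
    matched = False
    for kind, name, perms in entries:  # then owning group and named groups
        if kind == "group" and (name or meta["group"]) in groups:
            matched = True
            if want <= (perms & mask):
                return True
    if matched:  # a group matched but none of them grants the access
        return False
    return want <= next(p for k, n, p in entries if k == "other")

if __name__ == "__main__":  # the "ericlin" group membership is an assumption
    print(allowed(GETFACL, "ericlin", ["ericlin"], "r-x"))
```

Appending a constructed named-group line such as group:ericlin:rwx to the input makes the same call return True, which is the kind of entry missing from the ACL in the report.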