Posted to issues@sentry.apache.org by "Eric Lin (JIRA)" <ji...@apache.org> on 2016/11/21 23:31:58 UTC
[jira] [Updated] (SENTRY-1544) Sentry HDFS sync does not work for sentry admin user
[ https://issues.apache.org/jira/browse/SENTRY-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Lin updated SENTRY-1544:
-----------------------------
Description:
How to reproduce the issue:
1. Assuming Sentry HDFS Sync is enabled
2. Create sentry admin user, grant correct group and server level access for this user:
{code}
GRANT ALL ON SERVER serve1 TO ROLE ericlin;
{code}
3. Confirmed that the new user can access all databases and tables, including READ and WRITE
4. Do the following simple hdfs command:
{code}
hadoop fs -mkdir /user/hive/warehouse/ericlin
mkdir: Permission denied: user=ericlin, access=WRITE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
hadoop fs -ls /user/hive/warehouse/
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
{code}
Same for other databases:
{code}
hadoop fs -ls /user/hive/warehouse/test.db
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse/test.db":hive:hive:drwxrwx--x
{code}
getfacl shows the new user has no access to the warehouse directory:
{code}
hadoop fs -getfacl /user/hive/warehouse
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
mask::rwx
other::--x
{code}
The only way is to grant database or table permissions for the admin user.
was:
How to reproduce the issue:
1. Assuming Sentry HDFS Sync is enabled
2. Create sentry admin user, grant correct group and server level access for this user:
{code}
GRANT ALL ON SERVER serve1 TO ROLE ericlin;
{code}
3. Confirmed that the new user can access all databases and tables, including READ and WRITE
4. Do the following simple hdfs command:
{code}
[ericlin@host-10-17-101-195 ~]$ hadoop fs -mkdir /user/hive/warehouse/ericlin
mkdir: Permission denied: user=ericlin, access=WRITE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
[ericlin@host-10-17-101-195 ~]$ hadoop fs -ls /user/hive/warehouse/
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
{code}
Same for other databases:
{code}
[ericlin@host-10-17-101-195 ~]$ hadoop fs -ls /user/hive/warehouse/test.db
ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse/test.db":hive:hive:drwxrwx--x
{code}
getfacl shows the new user has no access to the warehouse directory:
{code}
hadoop fs -getfacl /user/hive/warehouse
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
group:yshi:rwx
mask::rwx
other::--x
{code}
The only way is to grant database or table permissions for the admin user.
> Sentry HDFS sync does not work for sentry admin user
> ----------------------------------------------------
>
> Key: SENTRY-1544
> URL: https://issues.apache.org/jira/browse/SENTRY-1544
> Project: Sentry
> Issue Type: Bug
> Components: Hdfs Plugin, Sentry
> Reporter: Eric Lin
>
> How to reproduce the issue:
> 1. Assuming Sentry HDFS Sync is enabled
> 2. Create sentry admin user, grant correct group and server level access for this user:
> {code}
> GRANT ALL ON SERVER serve1 TO ROLE ericlin;
> {code}
> 3. Confirmed that the new user can access all databases and tables, including READ and WRITE
> 4. Do the following simple hdfs command:
> {code}
> hadoop fs -mkdir /user/hive/warehouse/ericlin
> mkdir: Permission denied: user=ericlin, access=WRITE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
> hadoop fs -ls /user/hive/warehouse/
> ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
> {code}
> Same for other databases:
> {code}
> hadoop fs -ls /user/hive/warehouse/test.db
> ls: Permission denied: user=ericlin, access=READ_EXECUTE, inode="/user/hive/warehouse/test.db":hive:hive:drwxrwx--x
> {code}
> getfacl shows the new user has no access to the warehouse directory:
> {code}
> hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::--x
> {code}
> The only way is to grant database or table permissions for the admin user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
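
An added example, not part of the original report or of Sentry's code: it parses the `getfacl` output quoted in the description and applies the HDFS ACL check order (owner, named user, matching group entries filtered by the mask, then other) to show why `WRITE` and `READ_EXECUTE` are denied for `ericlin`. The function names are hypothetical, and the assumption that `ericlin` belongs only to a group named `ericlin` is not stated on the page.

```python
# Added example: evaluate `hadoop fs -getfacl` output in HDFS ACL order.
# The getfacl text is copied from the report; group names are assumptions.
GETFACL = """\
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
mask::rwx
other::--x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, {(type, name): set_of_perms})."""
    owner = group = None
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            kind, name, perms = line.split(":")[:3]
            acl[(kind, name)] = set(perms[:3]) - {"-"}
    return owner, group, acl

def check_access(text, user, groups, requested):
    """True if `requested` (e.g. 'w' or 'r-x') would be granted to `user`."""
    owner, owning_group, acl = parse_getfacl(text)
    want = set(requested) - {"-"}
    mask = acl.get(("mask", ""), set("rwx"))
    if user == owner:                        # owner entry, mask not applied
        return want <= acl[("user", "")]
    if ("user", user) in acl:                # named user entry, masked
        return want <= acl[("user", user)] & mask
    # Owning-group and named-group entries the user belongs to, masked.
    matched = [p & mask for (kind, name), p in acl.items() if kind == "group"
               and (name or owning_group) in groups]
    if matched:                              # one entry must grant everything
        return any(want <= p for p in matched)
    return want <= acl[("other", "")]        # no entry matched: "other" bits

if __name__ == "__main__":
    for label, req in (("WRITE", "w"), ("READ_EXECUTE", "r-x")):
        ok = check_access(GETFACL, "ericlin", {"ericlin"}, req)
        print(f"user=ericlin access={label}: {'granted' if ok else 'denied'}")
```

The check works only from the ACL text as printed, so it reflects what the NameNode reports for the path; the HDFS superuser bypass is not modelled.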