Posted to issues@sentry.apache.org by "Lars Francke (JIRA)" <ji...@apache.org> on 2019/02/19 14:09:00 UTC

[jira] [Assigned] (SENTRY-1392) Umask 077 leads to Hive crash with Sentry

     [ https://issues.apache.org/jira/browse/SENTRY-1392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lars Francke reassigned SENTRY-1392:
------------------------------------

    Assignee: Lars Francke

> Umask 077 leads to Hive crash with Sentry
> -----------------------------------------
>
>                 Key: SENTRY-1392
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1392
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hive Binding
>    Affects Versions: 1.5.1
>         Environment: CDH 5.7.1, Sentry 1.5.1
>            Reporter: Marek Sušický
>            Assignee: Lars Francke
>            Priority: Major
>              Labels: easyfix
>         Attachments: SENTRY-1392.001.patch
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Hi,
> I installed CDH with Sentry and in Impala everything works fine. We have security demands that umask 077 should be used, so I changed the default 022 to 077.
> But Hive says "No databases found.". In /var/log/hive there is the following stack trace:
> 2016-07-08 16:05:58,085 WARN  org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
> org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>         at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
>         at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
>         at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
>         at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
>         at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
> ......
> ......
> Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>         at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
>         at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
>         at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
>         at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
>         ... 30 more
> I investigated this issue and in the source code I found the following lines:
> if("077".equalsIgnoreCase(defaultUmask)) {
>   LOG.error("HiveServer2 required a default umask of 077");
>   throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY +
>       " should be 077 in non-testing mode");
> }
> I think that one exclamation mark is missing:
> if (!"077".equalsIgnoreCase(defaultUmask)).....
> Thanks
> Marek



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)