hive-issues mailing list archives

From "Szehon Ho (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-11481) hive incorrectly set extended ACLs for unnamed group for new databases/tables with inheritPerms enabled
Date Thu, 19 Nov 2015 23:02:11 GMT

    [ https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014672#comment-15014672 ]

Szehon Ho commented on HIVE-11481:
----------------------------------

Hi Carita, I spent some time reading up on default ACLs and taking a deeper look, and have
some review questions.

1.  Shouldn't we also set default ACLs on the child, if it is a directory?  This code
may be called in a situation where the input is a nested directory (like multi-column partition tables).
 "When a directory is created inside a directory that has a default ACL, the new directory
inherits the parent directory's default ACL both as its access ACL and default ACL."


2.  Do we still need to remove the base ACLs regardless of whether there are no defaults?
 If I recall correctly it was to prevent some duplicates (as you are again setting USER and
OTHER).

3.  Can you write a test case that uses DEFAULT ACLs?  The test you added seems to use AclEntryScope.ACCESS
but not DEFAULT.

> hive incorrectly set extended ACLs for unnamed group for new databases/tables with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-11481
>                 URL: https://issues.apache.org/jira/browse/HIVE-11481
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
>            Reporter: Carita Ou
>            Assignee: Carita Ou
>            Priority: Minor
>         Attachments: HIVE-11481.1.patch, HIVE-11481.2.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:44 /user/hive/warehouse/testing.db
> $ hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the group permissions for testing.db should also be ---
> The warehouse directory permissions show drwxrwx---+ which corresponds to user:mask:other. The subdirectory group ACL is set by calling FsPermission.getGroupAction() from Hadoop, which retrieves the file status permission rwx instead of the actual ACL permission, which is ---.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
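
An added example (not part of the original message or of the HIVE-11481 patches): a Python check over the two `hadoop fs -getfacl` listings quoted in the report, showing that the group bits in the `ls` mode string are the mask rather than the `group::` entry, and flagging access entries on the child that differ from the parent's default ACL. The function names are hypothetical, and comparing child access entries directly against parent default entries is a simplifying assumption taken from the expectation stated in the report.

```python
# Added example. Constructed input: the warehouse getfacl listing from the report.
PARENT = """\
# file: /user/hive/warehouse
# owner: hive
# group: hadoop
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""
# In the report, the testing.db listing differs from the parent only in group::.
CHILD = PARENT.replace("/user/hive/warehouse", "/user/hive/warehouse/testing.db") \
              .replace("\ngroup::---", "\ngroup::rwx")


def parse_getfacl(text):
    """Map (scope, type, name) -> perms from `hadoop fs -getfacl` output."""
    acl = {}
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop headers and "#effective" notes
        if not entry:
            continue
        fields = entry.split(":")
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        etype, name, perms = fields
        acl[(scope, etype, name)] = perms
    return acl


def mode_group_bits(acl):
    """Group triplet of the ls mode string: the mask when one exists."""
    return acl.get(("access", "mask", ""), acl[("access", "group", "")])


def inheritance_violations(parent, child):
    """(type, name, expected, actual) where child access != parent default."""
    return [(t, n, want, child.get(("access", t, n)))
            for (scope, t, n), want in sorted(parent.items())
            if scope == "default" and child.get(("access", t, n)) != want]


if __name__ == "__main__":
    parent, child = parse_getfacl(PARENT), parse_getfacl(CHILD)
    print("ls group bits:", mode_group_bits(parent), "| group:: entry:", parent[("access", "group", "")])
    print("violations:", inheritance_violations(parent, child))
```

A child `group::` value equal to the parent's mask while the parent's own `group::` entry is more restrictive is the signature of the behaviour described in the report.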
