hive-dev mailing list archives

From "Szehon Ho (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-6892) Permission inheritance issues
Date Sat, 15 Nov 2014 01:39:34 GMT

    [ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14213256#comment-14213256 ]

Szehon Ho commented on HIVE-6892:
---------------------------------

Thanks Lefty, I think it's a lower level than Storage Based Authorization, because if the flag
is on then permissions will be inherited regardless of which authorization is configured.
I updated [Storage Based Authorization|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
to add the link according to this understanding.

Question for you, I had a JQL I wanted to in [Permission Inheritance in Hive|https://cwiki.apache.org/confluence/display/Hive/Permission+Inheritance+in+Hive]
page to display the full list of patches:
project = HIVE and issue in linkedIssues(HIVE-6892)
but it's giving me some wiki runtimeError when I try.  Do you know how to make that work?
Thanks.



> Permission inheritance issues
> -----------------------------
>
>                 Key: HIVE-6892
>                 URL: https://issues.apache.org/jira/browse/HIVE-6892
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 0.13.0
>            Reporter: Szehon Ho
>            Assignee: Szehon Ho
>              Labels: TODOC14
>
> *HDFS Background*
> * When a file or directory is created, its owner is the user identity of the client process, and its group is inherited from parent (the BSD rule).  Permissions are taken from default umask.  Extended Acl's are taken from parent unless they are set explicitly.
> *Goals*
> To reduce need to set fine-grain file security props after every operation, users may want the following Hive warehouse file/dir to auto-inherit security properties from their directory parents:
> * Directories created by new database/table/partition/bucket
> * Files added to tables via load/insert
> * Table directories exported/imported  (open question of whether exported table inheriting perm from new parent needs another flag)
> What may be inherited:
> * Basic file permission
> * Groups (already done by HDFS for new directories)
> * Extended ACL's (already done by HDFS for new directories)
> *Behavior*
> * When "hive.warehouse.subdir.inherit.perms" flag is enabled in Hive, Hive will try to do all above inheritances.  In the future, we can add more flags for finer-grained control.
> * Failure by Hive to inherit will not cause operation to fail.  Rule of thumb of when security-prop inheritance will happen is the following:
> ** To run chmod, a user must be the owner of the file, or else a super-user.
> ** To run chgrp, a user must be the owner of files, or else a super-user.
> ** Hence, user that hive runs as (either 'hive' or the logged-in user in case of impersonation), must be super-user or owner of the file whose security properties are going to be changed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
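
Because the issue description says a failed inheritance does not fail the Hive operation, an after-the-fact check is the only way to notice it. The following is an added example, not part of the original message or of Hive: it assumes a listing in the layout of `hdfs dfs -ls -R` output, uses a constructed sample, and (as an assumption) ignores execute bits when comparing a file with its parent directory.

```python
import posixpath

# Constructed sample in the layout of `hdfs dfs -ls -R` output (not from the page).
SAMPLE_LS = """\
drwxrwx---   - hive analysts          0 2014-11-14 10:00 /warehouse/sales.db
drwxrwx---   - hive analysts          0 2014-11-14 10:01 /warehouse/sales.db/orders
drwxr-xr-x   - alice analysts         0 2014-11-14 10:02 /warehouse/sales.db/orders/ds=2014-11-14
-rw-r--r--   3 alice analysts      2048 2014-11-14 10:02 /warehouse/sales.db/orders/ds=2014-11-14/000000_0
-rw-rw----   3 hive staff          4096 2014-11-14 10:03 /warehouse/sales.db/orders/000001_0
"""

def parse_ls(text):
    """Map path -> (kind, rwx bits, owner, group) for each listing line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 7)  # path is last and may contain spaces
        if len(parts) != 8:
            continue  # skip "Found N items" headers and blank lines
        mode, _repl, owner, group, _size, _date, _time, path = parts
        entries[path] = (mode[0], mode[1:10], owner, group)  # drops a trailing ACL "+"
    return entries

def strip_exec(bits):
    # Assumption of this example: execute bits are not compared for plain files.
    return "".join("-" if i % 3 == 2 else c for i, c in enumerate(bits))

def find_drift(entries):
    """Return (path, owner, reasons) for children whose mode or group differs from the parent."""
    findings = []
    for path, (kind, bits, owner, group) in sorted(entries.items()):
        parent = entries.get(posixpath.dirname(path))
        if parent is None:
            continue  # parent not in the listing, nothing to compare against
        _pkind, pbits, _powner, pgroup = parent
        same_mode = bits == pbits if kind == "d" else strip_exec(bits) == strip_exec(pbits)
        reasons = []
        if not same_mode:
            reasons.append(f"mode {bits} != parent {pbits}")
        if group != pgroup:
            reasons.append(f"group {group} != parent {pgroup}")
        if reasons:
            findings.append((path, owner, reasons))
    return findings

if __name__ == "__main__":
    for path, owner, reasons in find_drift(parse_ls(SAMPLE_LS)):
        print(f"{path} (owner {owner}): {'; '.join(reasons)}")
```

The owner is reported with each finding so it can be checked against the rule of thumb in the description: the user Hive runs as must own the file or be a super-user for chmod/chgrp to succeed.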
