hive-issues mailing list archives

From "Carita Ou (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-11481) hive incorrectly set extended ACLs for unnamed group for new databases/tables with inheritPerms enabled
Date Wed, 11 Nov 2015 00:28:11 GMT

    [ https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14999671#comment-14999671 ]

Carita Ou commented on HIVE-11481:
----------------------------------

Hi Szehon,

Thanks for reviewing the patch. Yes, this patch sets the default ACLs if they exist, and if
not, it sets the traditional user/group/other permissions. The difference between this patch
and the old way is how we're setting the group permissions. 

When an ACL is set on a directory, the value returned from sourcePerm.getGroupAction() is
not the actual group permissions, it is the mask. When we set a named user or named/unnamed
group ACL, the mask is automatically defined as the union of those permissions. For example,
drwxrwx---+ is actually showing the user:mask:other. 

When there are ACLs set on a directory, the child directory is already created with the correct
group ACL permissions in the current implementation. The issue is that the group file permissions
are not set correctly because they were overwritten with the parent's mask (retrieved from
sourcePerm.getGroupAction()). This patch fixes the issue by not overwriting the group with
the parent's mask file permissions if there are ACLs for the directory, keeping the group
value that was set earlier with the chgrp command in the method. We only need to set the group
ACL entry if there are no ACL entries set.

> hive incorrectly set extended ACLs for unnamed group for new databases/tables with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-11481
>                 URL: https://issues.apache.org/jira/browse/HIVE-11481
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
>            Reporter: Carita Ou
>            Assignee: Carita Ou
>            Priority: Minor
>         Attachments: HIVE-11481.1.patch, HIVE-11481.2.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:44 /user/hive/warehouse/testing.db
> $hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the group permissions for testing.db should also be ---
> The warehouse directory permissions show drwxrwx---+ which corresponds to user:mask:other. The subdirectory group ACL is set by calling FsPermission.getGroupAction() from Hadoop, which retrieves the file status permission rwx instead of the actual ACL permission, which is ---.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
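
The mask behaviour described in this message, as an added example that is not part of the original message or of the Hive patch: it parses the two `getfacl` listings quoted in the issue, shows that the middle triplet of the `ls` mode is the mask rather than `group::`, and reports the group bits the new database directory gained beyond the parent's `default:group::`. The function names are hypothetical, and a parent without a default group entry is assumed to impose no limit.

```python
# Added example: a model of the ACL rule discussed above, not Hive or Hadoop code.
# WAREHOUSE and TESTING_DB are the getfacl listings quoted in the issue description.
WAREHOUSE = """\
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""
# testing.db differs from the warehouse only in its unnamed group entry.
TESTING_DB = WAREHOUSE.replace("group::---\nmask::", "group::rwx\nmask::")


def parse_getfacl(text):
    """Map (scope, type, name) -> perms for each `hadoop fs -getfacl` entry line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the "# file/owner/group" header
        fields = line.split(":")
        scope = "default" if fields[0] == "default" else "access"
        etype, name, perms = fields[-3:]
        entries[(scope, etype, name)] = perms
    return entries


def mode_bits(acl):
    """The nine permission bits `ls` prints: with a mask entry present, the
    middle triplet is the mask rather than the unnamed group entry."""
    middle = acl.get(("access", "mask", ""), acl[("access", "group", "")])
    return acl[("access", "user", "")] + middle + acl[("access", "other", "")]


def excess_group_bits(parent_acl, child_acl):
    """Bits in the child's group:: entry that the parent's default:group:: lacks."""
    allowed = parent_acl.get(("default", "group", ""), "rwx")  # assumption: no default = no limit
    actual = child_acl[("access", "group", "")]
    return "".join(b for b in actual if b != "-" and b not in allowed)


if __name__ == "__main__":
    parent, child = parse_getfacl(WAREHOUSE), parse_getfacl(TESTING_DB)
    print(mode_bits(parent), parent[("access", "group", "")])  # mask triplet vs group::
    print(excess_group_bits(parent, child) or "none")
```

Both directories print the same mode string, so the over-permissive `group::rwx` on `testing.db` is only visible by comparing the ACL entries themselves.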
