sentry-commits mailing list archives

From "Sravya Tirukkovalur (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SENTRY-953) External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync
Date Thu, 26 Nov 2015 00:32:11 GMT

     [ https://issues.apache.org/jira/browse/SENTRY-953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sravya Tirukkovalur updated SENTRY-953:
---------------------------------------
    Attachment: SENTRY-953.0.patch

Attaching an initial patch. Thinking of all different scenarios we want to handle. Here is
my test plan, let me know if you folks can think of other cases:

1.1. Two partitions of different tables pointing to same location with different grants =>
ACLS should have union of both rules.
1.2. Drop first table => should still have second table permissions
1.3. Drop second table => should still have first table permissions
1.4. Do 1.2 but drop partition instead
1.5. Do 1.3 but drop partition instead

2.1. Two partitions of same table pointing to same location => ACLS should not be repeated.
2.2. Drop first partition => Should still have acls
2.3. Same as 2.2, but drop second partition

3.1. Two tables pointing to same location => union of rules.
3.2. Drop first table
3.3. Drop second table

One thing I cannot test on a pseudo cluster is whether initialization is happening correctly
when there are multiple objects pointing to the same path, as there is no way to persist the
meta store and restart HMS. I will try to mock it somehow.

> External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-953
>                 URL: https://issues.apache.org/jira/browse/SENTRY-953
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.6.0
>            Reporter: Ryan P
>            Assignee: Sravya Tirukkovalur
>         Attachments: SENTRY-953.0.patch
>
>
> With Sentry HDFS ACL Sync enabled:
> Under a configured prefix create two external permission directories;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> Once a table is created that references these partitions they begin to act as managed directories as expected.
> drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=1
> drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=2
> The problem however arrives once we have two tables referencing these partitions with different grants placed against them.
> *both table1 and table2 include both partitions
> grant all on table home1 to role table1;
> grant role home1 to group root;
> grant all on table home2 to role table2;
> grant role home2 to group ryanp;
>  
> You will notice that only the first grant takes effect on the managed directories:
> # file: /location/pk=1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> # file: /location/pk=2
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> Dropping the first table also results in the directories no longer being managed at all.
> drop table home1;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> The only way to pick up the 2 tables grants at this point would be to restart HMS.
> Since theoretically partitions can be members of numerous tables we should fix this behavior. Grants placed against either authorizable object should be reflected in HDFS. As long as there are any references to the partition it should remain managed as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
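
The behaviour the test plan above asks for (a path's ACLs are the union over every table that references it, and the path stays managed until its last reference is dropped), as an added Python model that is not part of the original message or of Sentry's code. The class and method names are hypothetical, roles are collapsed so a table grant maps directly to a group entry, and only Sentry-derived group entries are modelled.

```python
from collections import defaultdict


class PathAclModel:
    """Toy model of the expected sync behaviour; names are hypothetical, not Sentry's."""

    def __init__(self):
        self.refs = defaultdict(set)    # path -> {(table, partition or None)}
        self.grants = defaultdict(set)  # table -> {(group, perms)}, roles collapsed

    def add_ref(self, path, table, partition=None):
        self.refs[path].add((table, partition))

    def grant(self, table, group, perms="rwx"):
        self.grants[table].add((group, perms))

    def drop_partition(self, table, partition):
        self._drop(lambda ref: ref == (table, partition))

    def drop_table(self, table):
        # A dropped table gives up all of its references and its grants.
        self._drop(lambda ref: ref[0] == table)
        self.grants.pop(table, None)

    def _drop(self, matches):
        for path in list(self.refs):
            self.refs[path] = {r for r in self.refs[path] if not matches(r)}
            if not self.refs[path]:
                del self.refs[path]  # last reference gone: path is unmanaged

    def acl(self, path):
        """Sorted Sentry-derived group entries, or None if the path is unmanaged."""
        if path not in self.refs:
            return None
        entries = set()
        for table, _partition in self.refs[path]:
            entries |= self.grants.get(table, set())  # union, duplicates collapse
        return sorted(f"group:{g}:{p}" for g, p in entries)


def two_tables_scenario():
    """Constructed input mirroring the report: home1 and home2 share both partitions."""
    m = PathAclModel()
    for table, group in (("home1", "root"), ("home2", "ryanp")):
        m.grant(table, group)
        for pk in ("pk=1", "pk=2"):
            m.add_ref(f"/location/{pk}", table, pk)
    both = m.acl("/location/pk=1")
    m.drop_table("home1")
    return both, m.acl("/location/pk=1")
```
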
