[
https://issues.apache.org/jira/browse/SENTRY-953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15032875#comment-15032875
]
Sravya Tirukkovalur commented on SENTRY-953:
--------------------------------------------
Attaching an updated patch which fixes most of the test failures. I will be
away for a few days for personal reasons, if any one wants feel free to pick it
up. Please note that we should add at the least the tests mentioned in the
above test plan before we can commit this. Thanks!
> External Partitions which are referenced by more than one table can cause
> some unexpected behavior with Sentry HDFS sync
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-953
> URL: https://issues.apache.org/jira/browse/SENTRY-953
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 1.6.0
> Reporter: Ryan P
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-953.0.patch, SENTRY-953.1.patch
>
>
> With Sentry HDFS ACL Sync enabled:
> Under a configured prefix create two external permission directories;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> Once a table is created that references these partitions they begin to act as
> managed directories as expected.
> drwxrwx---+ - hive hive 0 2015-11-04 11:07 /location/pk=1
> drwxrwx---+ - hive hive 0 2015-11-04 11:07 /location/pk=2
> The problem however arrives once we have two tables referencing these
> partitions with different grants placed against them.
> *both table1 and table2 include both partitions
> grant all on table home1 to role table1;
> grant role home1 to group root;
> grant all on table home2 to role table2;
> grant role home2 to group ryanp;
>
> You will notice that only the first grant takes effect on the managed
> directories:
> # file: /location/pk=1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> # file: /location/pk=2
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> Dropping the first table also results in the directories no longer being
> managed at all.
> drop table home1;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> The only way to pick up the 2 tables grants at this point would be to restart
> HMS.
> Since theoretically partitions can be member of numerous tables we should fix
> this behavior. Grants placed agains either authorizable object should be
> reflected in HDFS. As long as there are any references to the partition it
> should remain managed as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
