[jira] [Commented] (SENTRY-953) External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync

Hao Hao (JIRA) Mon, 30 Nov 2015 17:53:36 -0800

    [ 
https://issues.apache.org/jira/browse/SENTRY-953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15032885#comment-15032885
 ]


Hao Hao commented on SENTRY-953:
--------------------------------

Will take it from where you left. Thanks!

> External Partitions which are referenced by more than one table can cause 
> some unexpected behavior with Sentry HDFS sync
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-953
>                 URL: https://issues.apache.org/jira/browse/SENTRY-953
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.6.0
>            Reporter: Ryan P
>            Assignee: Sravya Tirukkovalur
>         Attachments: SENTRY-953.0.patch, SENTRY-953.1.patch
>
>
> With Sentry HDFS ACL Sync enabled:
> Under a configured prefix create two external permission directories;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> Once a table is created that references these partitions they begin to act as 
> managed directories as expected. 
> drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=1
> drwxrwx---+  - hive  hive          0 2015-11-04 11:07 /location/pk=2
> The problem however arrives once we have two tables referencing these 
> partitions with different grants placed against them.
> *both table1 and table2 include both partitions
> grant all on table home1 to role table1;
> grant role home1 to group root;
> grant all on table home2 to role table2;
> grant role home2 to group ryanp;
>  
> You will notice that only the first grant takes effect on the managed 
> directories:
> # file: /location/pk=1
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> # file: /location/pk=2
> # owner: hive
> # group: hive
> user::rwx
> user:hive:rwx
> group:root:rwx
> group::---
> group:hive:rwx
> mask::rwx
> other::---
> Dropping the first table also results in the directories no longer being 
> managed at all. 
> drop table home1;
> # file: /location/pk=1
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> # file: /location/pk=2
> # owner: ryanp
> # group: ryanp
> user::rwx
> group::rwx
> other::rwx
> The only way to pick up the 2 tables grants at this point would be to restart 
> HMS. 
> Since theoretically partitions can be member of numerous tables we should fix 
> this behavior. Grants placed agains either authorizable object should be 
> reflected in HDFS. As long as there are any references to the partition it 
> should remain managed as well. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (SENTRY-953) External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync

Reply via email to