[
https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14207796#comment-14207796
]
Lefty Leverenz commented on HIVE-6892:
--------------------------------------
That sounds good, [~szehon], although additional links from other docs could
increase visibility for this issue. Perhaps we need more documentation about
*hive.warehouse.subdir.inherit.perms* somewhere besides Configuration
Properties.
How does this relate to storage-based authorization? When storage-based
authorization is not being used, is this still relevant to
create/load/insert/export/import commands?
Oh, cool, you've already added the new page. Reference links:
* [Configuration Properties -- hive.warehouse.subdir.inherit.perms |
https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.warehouse.subdir.inherit.perms]
* [Permission Inheritance in Hive |
https://cwiki.apache.org/confluence/display/Hive/Permission+Inheritance+in+Hive]
* [Storage Based Authorization |
https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
> Permission inheritance issues
> -----------------------------
>
> Key: HIVE-6892
> URL: https://issues.apache.org/jira/browse/HIVE-6892
> Project: Hive
> Issue Type: Bug
> Components: Security
> Affects Versions: 0.13.0
> Reporter: Szehon Ho
> Assignee: Szehon Ho
> Labels: TODOC14
>
> *HDFS Background*
> * When a file or directory is created, its owner is the user identity of the
> client process, and its group is inherited from parent (the BSD rule).
> Permissions are taken from default umask. Extended Acl's are taken from
> parent unless they are set explicitly.
> *Goals*
> To reduce need to set fine-grain file security props after every operation,
> users may want the following Hive warehouse file/dir to auto-inherit security
> properties from their directory parents:
> * Directories created by new database/table/partition/bucket
> * Files added to tables via load/insert
> * Table directories exported/imported (open question of whether exported
> table inheriting perm from new parent needs another flag)
> What may be inherited:
> * Basic file permission
> * Groups (already done by HDFS for new directories)
> * Extended ACL's (already done by HDFS for new directories)
> *Behavior*
> * When "hive.warehouse.subdir.inherit.perms" flag is enabled in Hive, Hive
> will try to do all above inheritances. In the future, we can add more flags
> for more finer-grained control.
> * Failure by Hive to inherit will not cause operation to fail. Rule of thumb
> of when security-prop inheritance will happen is the following:
> ** To run chmod, a user must be the owner of the file, or else a super-user.
> ** To run chgrp, a user must be the owner of files, or else a super-user.
> ** Hence, user that hive runs as (either 'hive' or the logged-in user in case
> of impersonation), must be super-user or owner of the file whose security
> properties are going to be changed.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
