[
https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14213256#comment-14213256
]
Szehon Ho commented on HIVE-6892:
---------------------------------
Thanks Lefty, I think it's a lower level than Storage Based Authorization,
because if the flag is on then permissions will be inherited regardless of
which authorization is configured. I updated [Storage Based
Authorization|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
to add the link according to this understanding.
Question for you, I had a JQL I wanted to in [Permission Inheritance in
Hive|https://cwiki.apache.org/confluence/display/Hive/Permission+Inheritance+in+Hive]
page to display the full list of patches:
project = HIVE and issue in linkedIssues(HIVE-6892)
but it's giving me some wiki runtimeError when I try. Do you know how to make
that work? Thanks.
> Permission inheritance issues
> -----------------------------
>
> Key: HIVE-6892
> URL: https://issues.apache.org/jira/browse/HIVE-6892
> Project: Hive
> Issue Type: Bug
> Components: Security
> Affects Versions: 0.13.0
> Reporter: Szehon Ho
> Assignee: Szehon Ho
> Labels: TODOC14
>
> *HDFS Background*
> * When a file or directory is created, its owner is the user identity of the
> client process, and its group is inherited from parent (the BSD rule).
> Permissions are taken from default umask. Extended Acl's are taken from
> parent unless they are set explicitly.
> *Goals*
> To reduce the need to set fine-grain file security props after every operation,
> users may want the following Hive warehouse file/dir to auto-inherit security
> properties from their directory parents:
> * Directories created by new database/table/partition/bucket
> * Files added to tables via load/insert
> * Table directories exported/imported (open question of whether exported
> table inheriting perm from new parent needs another flag)
> What may be inherited:
> * Basic file permission
> * Groups (already done by HDFS for new directories)
> * Extended ACL's (already done by HDFS for new directories)
> *Behavior*
> * When "hive.warehouse.subdir.inherit.perms" flag is enabled in Hive, Hive
> will try to do all above inheritances. In the future, we can add more flags
> for finer-grained control.
> * Failure by Hive to inherit will not cause operation to fail. Rule of thumb
> of when security-prop inheritance will happen is the following:
> ** To run chmod, a user must be the owner of the file, or else a super-user.
> ** To run chgrp, a user must be the owner of files, or else a super-user.
> ** Hence, user that hive runs as (either 'hive' or the logged-in user in case
> of impersonation), must be super-user or owner of the file whose security
> properties are going to be changed.
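Since the issue states that a failed inheritance does not fail the operation, the following added example (not part of the JIRA issue or of Hive's code) audits a warehouse listing for paths whose permission bits or group differ from their parent directory. It parses text in the column layout of `hdfs dfs -ls -R`; the listing, paths, users and groups are constructed sample data, and treating inheritance as an exact copy of the parent's bits and group is an assumption.

```python
import posixpath

# Constructed sample in the column layout of `hdfs dfs -ls -R`; not real output.
SAMPLE_LISTING = """\
drwxrwx---   - hive analysts          0 2014-11-14 10:00 /warehouse/sales.db
drwxrwx---   - hive analysts          0 2014-11-14 10:01 /warehouse/sales.db/orders
drwxr-xr-x   - etl  analysts          0 2014-11-14 10:05 /warehouse/sales.db/orders/ds=2014-11-14
-rw-r--r--   3 etl  etl            1024 2014-11-14 10:05 /warehouse/sales.db/orders/ds=2014-11-14/000000_0
"""

def parse_listing(text):
    """Return {path: (is_dir, perm_bits, group)} from ls -R style lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(None, 7)  # path is the 8th field and may contain spaces
        if len(fields) != 8:
            continue  # skip headers and blank lines
        mode, _repl, _owner, group, _size, _date, _time, path = fields
        # mode[1:10] keeps the nine rwx characters and drops a trailing ACL "+"
        entries[path] = (mode[0] == "d", mode[1:10], group)
    return entries

def find_drift(text, root, root_perm, root_group):
    """List (path, field, actual, expected) where a child differs from its parent.

    Assumption: an inherited child carries exactly the parent's bits and group.
    """
    entries = parse_listing(text)
    entries.setdefault(root, (True, root_perm, root_group))
    findings = []
    for path in sorted(entries):
        parent = entries.get(posixpath.dirname(path))
        if path == root or parent is None:
            continue  # nothing to compare against
        _, perm, group = entries[path]
        _, parent_perm, parent_group = parent
        if perm != parent_perm:
            findings.append((path, "perm", perm, parent_perm))
        if group != parent_group:
            findings.append((path, "group", group, parent_group))
    return findings

if __name__ == "__main__":
    for finding in find_drift(SAMPLE_LISTING, "/warehouse", "rwxrwx---", "analysts"):
        print(*finding)
```

Each finding is a path where inheritance did not take effect or was changed afterwards; the issue's rule of thumb (the Hive user must own the file or be a super-user) is the first thing to check for such paths.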