[ 
https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14741541#comment-14741541
 ] 

Carita Ou commented on HIVE-11481:
----------------------------------

Problem:
When creating a child directory, the ACLs of the new directory are set based 
on the file permissions of the parent directory instead of following the 
ACL-inheritance rules. As a result, the ACLs for the group as well as the 
default ACLs are not set correctly. 

Proposed fix:
1. If the parent directory has default ACL entries set, then the child 
directory will inherit from parent's ACL entries, including all named/unnamed 
user, group and default entries.
2. If the parent directory does not have default ACL entries, but does have 
some ACL entries set such as a named user, by default the group ACL entry for 
the sub-directory is already set correctly in the current implementation. But 
we need to add the ACL entries for USER and OTHER. 
3. If the parent directory does not have any ACL entries, set the child 
directory permissions using the parent's file permissions.

For reference, here is some background info on the mask: 
1. From hadoop documentation: "The mask is a special ACL entry that filters the 
permissions granted to all named user entries and named group entries, and also 
the unnamed group entry. If the user doesn't supply a mask while setting an 
ACL, then a mask is inserted automatically by calculating the union of 
permissions on all entries that would be filtered by the mask."
2. From Linux acl manual, section CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE 
PERMISSION BITS: "If the ACL has an ACL_MASK entry, the group permissions 
correspond to the permissions of the ACL_MASK entry.  Otherwise, if the ACL has 
no ACL_MASK entry, the group permissions correspond to the permissions of the 
ACL_GROUP_OBJ entry."

> hive incorrectly set extended ACLs for unnamed group for new databases/tables 
> with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-11481
>                 URL: https://issues.apache.org/jira/browse/HIVE-11481
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
>            Reporter: Carita Ou
>            Assignee: Carita Ou
>            Priority: Minor
>         Attachments: HIVE-11481.1.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:44 /user/hive/warehouse/testing.db
> $ hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the 
> group permissions for testing.db should also be ---.
> The warehouse directory permissions show drwxrwx---+ which corresponds to 
> user:mask:other. The subdirectory group ACL is set by calling 
> FsPermission.getGroupAction() from Hadoop, which retrieves the file status 
> permission rwx instead of the actual ACL permission, which is ---. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
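As an added example (not Hive's or Hadoop's code), the following Python model applies the three proposed inheritance rules to the getfacl output quoted in the issue and contrasts the group entry it produces with what the current FsPermission.getGroupAction() path yields. The embedded ACL text and mode strings are constructed from the issue; the parse_acl/child_acl/add_masks functions, and the reading of rule 1 as "unnamed user/group/other come from the parent's default entries, named entries and the default entries themselves are copied", are assumptions.

```python
# Constructed from the `hadoop fs -getfacl /user/hive/warehouse` output quoted in the issue.
PARENT_GETFACL = ("user::rwx\nuser:user1:rwx\ngroup::---\nmask::rwx\nother::---\n"
                  "default:user::rwx\ndefault:group::---\ndefault:other::---\n")
PARENT_MODE = "rwxrwx---"  # from `drwxrwx---+`: the group bits mirror the mask, not group::

def parse_acl(text):
    """getfacl lines -> {(scope, type, name): perms}; scope is 'access' or 'default'."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope = "default" if line.startswith("default:") else "access"
        typ, name, perms = line.removeprefix("default:").split(":")
        acl[(scope, typ, name)] = perms
    return acl

def union(perms):
    """OR of rwx strings, the way Hadoop derives an implicit mask entry."""
    return "".join(c if any(p[i] == c for p in perms) else "-" for i, c in enumerate("rwx"))

def add_masks(acl):
    """Insert a mask (union of named entries and group::) into any extended ACL lacking one."""
    for scope in ("access", "default"):
        scoped = {k: p for k, p in acl.items() if k[0] == scope}
        if any(k[2] for k in scoped) and (scope, "mask", "") not in scoped:
            acl[(scope, "mask", "")] = union([p for k, p in scoped.items() if k[2] or k[1] == "group"])
    return acl

def buggy_child_group(parent_mode):
    """Current behaviour: FsPermission.getGroupAction() returns the mode's group bits."""
    return parent_mode[3:6]

def child_acl(parent, parent_mode):
    """Proposed fix, rules 1-3 from the comment (modelled, not Hive's implementation)."""
    defaults = {k: p for k, p in parent.items() if k[0] == "default"}
    named = {k: p for k, p in parent.items() if k[0] == "access" and k[2]}
    if defaults:  # rule 1 (assumption: unnamed entries from defaults, named entries copied)
        child = {("access", t, n): p for (_, t, n), p in {**defaults, **named}.items()}
        child.update(defaults)
    elif named:  # rule 2: group:: is already right, but user:: and other:: must be copied too
        child = {k: p for k, p in parent.items() if k[1] != "mask"}
    else:  # rule 3: plain permission bits of the parent
        child = {("access", t, ""): parent_mode[i:i + 3]
                 for t, i in (("user", 0), ("group", 3), ("other", 6))}
    return add_masks(child)
```

For the issue's warehouse directory, buggy_child_group() yields rwx (the mask) while child_acl() yields group::--- with an implicit mask::rwx, which is the getfacl output the issue expects for testing.db.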
