[
https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14999671#comment-14999671
]
Carita Ou commented on HIVE-11481:
----------------------------------
Hi Szehon,

Thanks for reviewing the patch. Yes, this patch sets the default ACLs if they
exist, and if not, it sets the traditional user/group/other permissions. The
difference between this patch and the old way is how we're setting the group
permissions.

When an ACL is set on a directory, the value returned from
sourcePerm.getGroupAction() is not the actual group permissions; it is the
mask. When we set a named user or named/unnamed group ACL, the mask is
automatically defined as the union of those permissions. For example,
drwxrwx---+ is actually showing the user:mask:other.

When there are ACLs set on a directory, the child directory is already created
with the correct group ACL permissions in the current implementation. The issue
is that the group file permissions are not set correctly because they were
overwritten with the parent's mask (retrieved from
sourcePerm.getGroupAction()). This patch fixes the issue by not overwriting the
group with the parent's mask file permissions if there are ACLs for the
directory, keeping the group value that was set earlier with the chgrp command
in the method. We only need to set the group ACL entry if there are no ACL
entries set.

> hive incorrectly set extended ACLs for unnamed group for new databases/tables
> with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
> Key: HIVE-11481
> URL: https://issues.apache.org/jira/browse/HIVE-11481
> Project: Hive
> Issue Type: Bug
> Components: Metastore
> Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
> Reporter: Carita Ou
> Assignee: Carita Ou
> Priority: Minor
> Attachments: HIVE-11481.1.patch, HIVE-11481.2.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+ - hive hadoop 0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+ - hive hadoop 0 2015-08-05 10:44 /user/hive/warehouse/testing.db
> $ hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the
> group permissions for testing.db should also be ---
> The warehouse directory permissions show drwxrwx---+ which corresponds to
> user:mask:other. The subdirectory group ACL is set by calling
> FsPermission.getGroupAction() from Hadoop, which retrieves the file status
> permission rwx instead of the actual ACL permission, which is ---.
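
The mask behaviour described in the comment and the issue, as an added example that is not part of the original message or of the Hive patch: it parses the two getfacl listings quoted above, shows that the middle triplet printed by `ls` is the mask rather than `group::`, and reports the bits by which the child's `group::` entry exceeds the parent's `default:group::`. The function names are hypothetical, not Hive or Hadoop APIs.

```python
# Added illustration; function names are hypothetical, not Hive or Hadoop APIs.
# ACL listings are copied from the getfacl output quoted in the issue.
PARENT = """\
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""
CHILD = PARENT.replace("\ngroup::---", "\ngroup::rwx")  # testing.db as reported

def parse_getfacl(text):
    """Map (scope, type, name) -> 3-character permission string."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' headers and comments
        if not line:
            continue
        fields = line.split(":")
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        etype, name, perms = fields
        acl[(scope, etype, name)] = perms[:3]
    return acl

def mode_string(acl):
    """Bits as `ls` prints them: with a mask present, the middle triplet is the mask."""
    group = acl[("access", "group", "")]
    middle = acl.get(("access", "mask", ""), group)
    return acl[("access", "user", "")] + middle + acl[("access", "other", "")]

def widened_group_bits(parent, child):
    """Bits the child's group:: entry grants beyond the parent's default:group::."""
    expected = parent.get(("default", "group", ""))
    if expected is None:  # no default ACL on the parent: nothing to compare
        return ""
    actual = child[("access", "group", "")]
    return "".join(a for a, e in zip(actual, expected) if a != "-" and e == "-")

if __name__ == "__main__":
    parent, child = parse_getfacl(PARENT), parse_getfacl(CHILD)
    print("ls shows:", mode_string(parent), "| group:: is", parent[("access", "group", "")])
    print("child group:: widened by:", widened_group_bits(parent, child) or "nothing")
```

Run over a warehouse tree, a non-empty result from `widened_group_bits` flags directories whose unnamed group was given the parent's mask.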